A website is a collection of related web pages, including multimedia content, typically identified with a common domain name, and published on at least one web server. If your website is not secure, there is a risk of others stealing your customers’ information, adding your website to a botnet of infected sites, injecting your site with malware, and hijacking your IP address.
Website security basics
- SSL certificates: Obtain an SSL certificate from a certificate authority to prevent unauthorized access to and disclosure of information. Do not self-sign your own certificates, as that makes you susceptible to "man in the middle" attacks.
- Input validation: Validate input on both the server side and the client side of your website, as this is a primary vector for attacking web applications.
- Web application security: Make sure you follow secure coding practices. Follow OWASP Top Ten as a guide for web application security.
- Error handling, authentication and access control: Ensure correct error handling and authentication in conjunction with access control.
- New application review: Review the architecture, design, and code of any new or less well-known applications.
- Patches and plugins: Keep patches and plugins updated to prevent malicious actors from exploiting vulnerabilities on your system.
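As an added example of the input-validation point above (this code is not part of the original page), the function below performs the server-side check for a simple contact form: it applies length limits and allowlist patterns, and it rejects line breaks in fields that could end up in email headers, which is how a poorly written form script gets turned into a spam relay. The limits and field names are assumptions chosen for the example.

```python
import re

# Assumed limits for this example; tune them to your own form.
MAX_NAME_LEN = 100
MAX_MESSAGE_LEN = 2000
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
NAME_RE = re.compile(r"[A-Za-z' .-]+")


def validate_contact_form(form: dict) -> list[str]:
    """Return a list of validation errors; an empty list means the input is accepted.

    Client-side checks are a convenience only: anyone can bypass the browser,
    so this server-side check is the one that actually protects the form.
    """
    errors = []
    name = str(form.get("name", ""))
    email = str(form.get("email", ""))
    message = str(form.get("message", ""))

    # A CR or LF in a value that is copied into an email header lets a
    # spammer append extra headers such as "Bcc:". Reject it outright.
    for field, value in (("name", name), ("email", email)):
        if "\r" in value or "\n" in value:
            errors.append(f"{field}: line breaks are not allowed")

    # fullmatch() is used deliberately: "$" would still match before a
    # trailing newline, so "Alice\n" would pass a "^...$" pattern.
    if not name or len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
        errors.append("name: must be 1-100 letters, spaces, apostrophes, dots or hyphens")
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        errors.append("email: invalid address")
    if not message.strip() or len(message) > MAX_MESSAGE_LEN:
        errors.append("message: must be 1-2000 characters")
    return errors


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one carrying a header injection attempt.
    clean = {"name": "Alice Smith", "email": "alice@example.com", "message": "Hello"}
    injected = {"name": "Bob\nBcc: someone@example.net", "email": "bob@example.com", "message": "hi"}
    print(validate_contact_form(clean))
    print(validate_contact_form(injected))
```

The allowlist approach (say what is permitted, reject everything else) is easier to get right than trying to enumerate dangerous characters, and the same pattern applies to any field the form later passes to mail, a database or a shell.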
Webform security basics
A webform is a page on a website that allows users to submit information. Webform abuse occurs when a spammer uses the webform to send to a large group of email addresses, entering a spam message or link into the custom text box. Webforms with poorly written scripts (usually PHP) tend to be exploited more often. Therefore, it is essential for our customers to follow these recommendations to secure their webforms.
- CAPTCHA and reCAPTCHA: Require users to prove they are human before submitting a webform, thereby preventing automated processes from abusing the form.
- Outbound filtering: Employ outbound spam filtering to block abusive content.
- IP filtering: Check the logs to see if the majority of the abuse is coming from certain IPs and block them.
- Recipient limits: Limit the number of email addresses a user is able to send to.
- URL restrictions: Either remove the ability to include URLs within messages, or review emails containing a URL that is not secure (HTTPS). Have a policy in place that flags shortened URLs.
- New account verification: Verify content being sent by free or new accounts (for example, less than 12 hours old) that try to send the maximum or close to the maximum number of emails (200).
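The recommendations above on IP filtering, recipient limits, URL restrictions and new-account verification can be expressed as one submission-screening policy. The following is an added example, not code from the original page: `check_submission` decides whether a submission is accepted, held for review or rejected, and `abusive_ips` counts form posts per client IP over access-log lines so the worst offenders can be blocked. The 200-recipient limit and 12-hour account age come from the recommendations; the "close to the maximum" fraction, the shortener host list, the log format and the blocking threshold are assumptions for the example.

```python
import re
from collections import Counter

# Values taken from the recommendations above.
MAX_RECIPIENTS = 200
NEW_ACCOUNT_AGE_HOURS = 12
# Assumptions for this example; adjust to your own policy.
NEAR_MAX_FRACTION = 0.9            # "close to the maximum" = 90% of the limit
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # hypothetical list
BLOCK_THRESHOLD = 50               # posts per IP in the log window before blocking

URL_RE = re.compile(r"\b(https?)://([A-Za-z0-9.-]+)", re.IGNORECASE)


def check_submission(recipients, message, account_age_hours):
    """Screen one webform submission.

    Returns (decision, reasons) where decision is 'reject', 'review' or 'accept'.
    """
    if len(recipients) > MAX_RECIPIENTS:
        return "reject", [f"{len(recipients)} recipients exceeds the limit of {MAX_RECIPIENTS}"]

    reasons = []
    # URL restrictions: flag shortened links and any link that is not HTTPS.
    for scheme, host in URL_RE.findall(message):
        if host.lower() in SHORTENER_HOSTS:
            reasons.append(f"shortened URL ({host})")
        elif scheme.lower() != "https":
            reasons.append(f"non-HTTPS URL ({host})")

    # New-account verification: a young account sending near the maximum is reviewed.
    if (account_age_hours < NEW_ACCOUNT_AGE_HOURS
            and len(recipients) >= NEAR_MAX_FRACTION * MAX_RECIPIENTS):
        reasons.append("new account sending close to the recipient maximum")

    return ("review" if reasons else "accept"), reasons


# Assumed Apache/nginx common log format: client IP first, then the request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "POST /contact')


def abusive_ips(log_lines, threshold=BLOCK_THRESHOLD):
    """Count POST /contact requests per client IP; return IPs at or over the threshold."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /contact HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "POST /contact HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "GET /contact HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "POST /contact HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2024:13:56:10 +0000] "POST /contact HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(check_submission(["a@example.com"] * 190,
                           "see http://example.org/x and https://bit.ly/abc", 1))
    print(check_submission(["a@example.com"], "https://example.com/page", 1))
    # A low threshold so the five constructed lines are enough to show a hit.
    print(abusive_ips(SAMPLE_LOG, threshold=3))
```

Holding suspicious submissions for review rather than silently dropping them keeps legitimate users from being locked out by a false positive, while the hard recipient cap and the per-IP block stop the high-volume cases that cause the most damage.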