How to make your site "secure"?

As we all know there is no such thing as a secure website.

I will soon be launching a new website and since I'm not sure of it's popularity ATM, I was wondering if there was anything that I could do to make my site more secure.

i.e. make it harder for people to hack, etc.

What are some tips that you more experienced webmasters have?

Skinny

 

You could run Nessus to check for security flaws.

Regards
Thibaut

 

you can have a complete security audit of your website. just check my signature.

 

There are numerous steps involved in making your site secure.

It starts from who has access to the site and how strong are their passwords. You need to ensure root cannot log in via the internet and you need to make sure that password is extremely strong -- more than 12 characters, including upper and lower case, and non-alphabetic characters.

You need to review what services are being offered and specifically turn off those that you do not need or intend to offer. For a plain website, the only services accessible from the internet should be sshd and httpd. If you want email add, pop and smtp. Shut down everything else. You will need to learn how to configure your firewall to accomplish these tasks.

Secure ssh. This was discussed in another thread here today: http://forums.digitalpoint.com/showthread.php?t=286142

If allowed, you should secure PHP with the suhosin. If not allowed. I have written a freely available script which helps accomplish some of what suhosin does -- preventing a lot of web injection problems. You would need to amend your scripts to call my project -- in my sig -- whereas the suhosin module changes PHP itself.

Make sure all third-party scripts you run are at their latest patch level and make a habit of visiting their sites for security notices and updates. For scripts you write, NEVER trust user input. Always make sure it is what you expect. Always initialize variables with safe default values. Always return safe default values from functions.

If you are running AJAX, you need to start reading up on the recent compromises which are being discussed on the net. Start with this article: http://www.fortifysoftware.com/advisory.jsp

Lastly, never bait hackers and spammers with mocking responses and vulgar error messages.

 

Nessus just runs well known attacks on the server, but it is not able to run customized (manual) penetration testing that would involve the capabilities of security expert. I see "Hacker Safe" pic on the footer of sites that can be sweeped out in a matter of seconds

 

Well I can give you a few simple tips. Do not use GET in fields. I'm not sure on the security of post but I think it is pretty safe. Request is pretty safe too. Make all fields have some sort of code that verifies the contents of it before it submits it. Once you have that, make sure it will not show the database name when an error occurs.

That is some simple things. If you want I can do a little over view of your website and tell you what possible holes you have in your website for free IF you let me use your website as a reference.

PM me if interested.

 

Sorry to contradict you, but POST has nothing more secure than GET.It is just more obfuscated but everyone can forge a request using POST method. Same thing for hidden fields into forms and cookies values.
Input sanitization should be made at server side before any kind of operation on it.

 

Agree 100%. GETS are just easier for the layman to haze (by messing with the querystring), but there are a number of tools you can use to inject anything you want into POSTs. The trick is to validate everything at the server side and ensure you're only receiving the input you're expecting.

Tools like Nessus are ideal to help identify any flaws in your website (like using known hackable version of software) that script kiddies can take advantage of, however there's nothing like human ingenuity when trying to hack a website.

 

No need to apologize. I'm here to learn like the rest of you and as you can see I told you that I was not sure on the security of post. However now I know, and thank you for correcting me.