nevett.org
The Web Site of Fraser Nevett


I was invited to contribute some “top tips” to the Secure your site feature in issue 170 of .net magazine. The text of the article is shown below, or you can view a scanned copy.

Secure your site: Top tips

Use a secure connection when appropriate

When data gets sent over the Internet, it usually travels across many networks and passes through a number of routers and servers. For the most part, these devices won't look at what's being sent; they'll just monitor the amount of bandwidth being used. However, it's always possible that somebody could maliciously take control of one of these machines and listen in on your communication. This is known as a “man in the middle” attack.

Another potential issue when using the Web is how to know whether the site you're using is what it claims to be. For example, if you type www.amazon.co.uk into your browser, can you be sure that the site you see belongs to Amazon, or whether someone is spoofing it?

Both these potential dangers, and others, are addressed by using a secure connection. The URLs of secure web sites start with https://, and if the connection is secure, your browser will show a closed padlock icon to indicate this.

HTTPS uses SSL (Secure Sockets Layer) encryption technology to scramble the data at the end points of the communication. This means that only the client and server (i.e. the end points) can decipher the information, and any other devices in between simply pass it on without being able to tell what it is. This technique mitigates the dangers of a man in the middle attack.

HTTPS also makes use of signed certificates. When you're on a secure page, double-click the padlock icon and you'll be able to view the site's certificate. Certificates can only be issued by certain authorities. This is supposed to ensure that certificates can't be fraudulently created, though nowadays the reliability of certificate authorities isn't necessarily guaranteed. The majority of HTTPS certificates are used to identify a server, but technology exists to enable end users (or “clients”) to have certificates to identify themselves to a server. Some national ID card schemes provide the means to store a client certificate on the smart card's chip, thus allowing a citizen to securely identify himself or herself online.

Whether you use a secure connection or not depends on the type of data you're dealing with. If you wouldn't shout the information you're entering or displaying on a web page across a crowded room, then a secure connection should be used.

Sanitise user-generated content

If you enable users to post content on your site, it's important that you sanitise it before using it, especially before publishing for public consumption. This applies to text, images, movie clips and other files.

If you allow visitors to your site to submit comments on your blog posts and subsequently show these on your site, you should make sure that they can't enter raw HTML. If you don't do this, people could, for example, add <script> elements either to redirect users to another site or to maliciously capture information about them using a technique called cross-site scripting. The simplest way to sanitise such data is to replace all < and > characters with &lt; and &gt;, though you could do something more complicated if you wanted to allow a minimal set of formatting elements.

The problem doesn't lie solely with text and HTML. There have been a number of problems found with graphics libraries, where a specially crafted image or movie clip has been used to maliciously target users. Before displaying such media, it's sensible to pass it through a graphics library to verify it's a valid image or video, and then use the library to resave it.

Not only is it important to sanitise content before displaying it on your site, it's also essential to appropriately escape values before writing them to a database. Failure to do so could lead to so-called SQL injection exploits, allowing attackers to tamper with your database. Most web frameworks have a database abstraction layer that takes care of escaping for you automatically.
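As an added illustration of the two previous tips (this is not code from the article), the following Python sanitises a blog comment by escaping everything and then optionally restoring a small allow-list of formatting tags, and stores the result with a parameterised query so the database driver does the escaping. The tag list, the comments table and the sample hostile comment are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed allow-list of formatting elements that may survive sanitisation.
# Only bare opening/closing tags with no attributes are recognised.
ALLOWED_TAGS = ("b", "i", "em", "strong", "code")
_ALLOWED_RE = re.compile(r"&lt;(/?)(" + "|".join(ALLOWED_TAGS) + r")&gt;")


def sanitise_comment(text: str, allow_formatting: bool = False) -> str:
    """Return `text` safe to embed in an HTML page.

    Step 1 escapes every special character (not only < and >, since a stray
    quote could break out of an attribute value). Step 2, optional, restores
    the harmless formatting tags listed above; anything else, including
    <script> and tags carrying attributes, stays escaped.
    """
    escaped = html.escape(text, quote=True)
    if not allow_formatting:
        return escaped
    return _ALLOWED_RE.sub(r"<\1\2>", escaped)


def store_comment(conn: sqlite3.Connection, author: str, body: str) -> int:
    """Insert a comment using a parameterised query.

    The driver quotes the values, so text containing quotes or SQL keywords
    is stored literally rather than executed as part of the statement.
    """
    cur = conn.execute(
        "INSERT INTO comments (author, body) VALUES (?, ?)", (author, body)
    )
    conn.commit()
    return cur.lastrowid


def demo() -> tuple:
    """Sanitise a constructed hostile comment, then store it in memory."""
    raw = "<b>Nice post</b> <script>alert(document.cookie)</script> it's \"great\""
    safe = sanitise_comment(raw, allow_formatting=True)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    store_comment(conn, "visitor'); DROP TABLE comments; --", safe)
    count = conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]
    return safe, count


if __name__ == "__main__":
    print(demo())
```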

Keep up to date

The world of computer security is changing continually, so it's important to keep up to date with the latest information on recent exploits. If you're interested in security, then Security Now! is an excellent weekly podcast that covers a wide range of security topics.


Article © 2007 Fraser Nevett and released under the Creative Commons Attribution-Share Alike 3.0 Unported Licence.