Tips for improving your Web security

Here are a handful specific techniques for improving your Web security.

• Make it your job to study, follow, and abide by security recommendations.
• Don’t use user-supplied names for uploaded files.
• Watch how database references are used. For example, if a person’s user ID is their primary key from the database and this is stored in a cookie, a malicious user just needs to change that cookie value to access another user’s account.
• Don’t show detailed error messages in the website.
• Reliably and consistently protect every page and directory that needs it. Never assume that people won’t find sensitive areas just because there’s no link to them. If access to a page or directory should be limited, make sure it is.
• Don’t store credit card numbers, social security numbers, banking information, and the like. The only exception to this would be if you have deep enough pockets to pay for the best security and to cover the lawsuits that arise when this data is stolen from your site (which will inevitably happen).
• Use SSL, if appropriate. A secure connection is one of the best protections a server can offer a user.

My final recommendation is to be aware of your own limitations. As the programmer, you
probably approach a script thinking how it should be used. This is not the same as to how it will be used, either accidentally or on purpose. Try to break your site to see what happens.Do bad things, do the wrong thing. Have other people try to break it, too (it’s normally easy to find such volunteers). When you code, if you assume that no one will ever use a page properly, it’ll be much more secure than if you assume people always will.