
Forum Moderators: mack


Security Issues

Avoiding trouble

     
10:33 pm on Apr 21, 2008 (gmt 0)

New User

5+ Year Member

joined:Apr 6, 2008
posts: 20
votes: 0


The vote on whether or not to use Javascript (see a couple of threads back) was inconclusive--seems that one said "never for a rookie" and another said it was absolutely safe.

What else should be considered, concerning security? I want to have fun and work on learning web design, but I also want to be cautious. What are the basics of a secure site?

11:08 pm on Apr 21, 2008 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 4, 2001
posts: 2187
votes: 23


IMHO, it depends on the nature of the site. If it is something that requires high security: SSL and all that other "fun" stuff, Javascript may be questionable. Otherwise, I personally have never had a problem and my site stats show less than .05% of my visitors have it disabled.

Marshall

12:17 am on Apr 22, 2008 (gmt 0)

New User

5+ Year Member

joined:Apr 6, 2008
posts: 20
votes: 0


Thanks, Marshall.

Definitely, site clarification is necessary. Let's use the site example of a small, private school that publishes updates on school happenings and provides a means of alumni keeping in touch. No student records on site, but there is a way to make online donations, make comments, and request information. Primary concerns would be not catastrophic, but potentially embarrassing: A hacker puts up an obscene photo of the principal, for example, or someone obtains alumni contact information. Worst case would be somehow tapping into the donation function and stealing funds or credit card numbers.

For such a site, what would need to be in line to have a reasonably secure online presence?

12:10 pm on Apr 22, 2008 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member piatkow is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 5, 2006
posts:3360
votes: 31


In the example I wouldn't expect the site to be handling the "risky" stuff in house at all.

Donations - third party processor
Comments - third party processor with option for screening posts
Request information - email form

5:23 pm on Apr 22, 2008 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 4, 2001
posts:2187
votes: 23


I have to echo piatkow's comment about donations, though I do not think it is necessary for a third party processor on comments. I use two different comment boards: one in .asp and one in .php, both of which have filtering options including blacklisting. Email forms are great in preventing email spam, but can also be spammed unless you take precautions such as using the form handler script to validate fields as opposed to using Javascript. There are other tricks too, but the list is rather lengthy to post here.

If you are going to store personal information, use a password protected database and not one protected with Javascript passwords. Use an .asp or .php password protection script with a time out setting and, if possible, a specific url referer so no one can hijack the page.

Bottom line - the more things that are controlled server side, the more secure it is going to be. But remember, nothing is 100%.

Marshall
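Marshall's second paragraph describes a server-side login with a time-out and a Referer check. The following is an added example written for this thread, not code posted by Marshall or used on any site mentioned here; it assumes the application keeps a session record on the server (keyed by a cookie) and updates `last_seen` on each request. The Referer check is kept as he describes it, with the caveat that the header is supplied by the browser and may be absent or forged, so it only complements the session check rather than replacing it.

```python
"""Server-side session time-out plus Referer check for a password-protected page.

Added example for this thread (not Marshall's code). Assumptions: the session
dict is stored server-side and loaded from a cookie-keyed store after a
successful login; the browser never edits it directly.
"""
import time
from urllib.parse import urlparse

SESSION_TIMEOUT = 15 * 60  # seconds of inactivity before the login expires
ALLOWED_HOSTS = {"school.example"}  # constructed placeholder host for the example


def session_is_valid(session, now=None, timeout=SESSION_TIMEOUT):
    """Return True only if the user logged in and has been active within `timeout`.

    A successful check refreshes `last_seen`, so activity extends the login
    (sliding window); idle sessions expire on their own.
    """
    now = time.time() if now is None else now
    if not session.get("authenticated"):
        return False
    last_seen = session.get("last_seen")
    if last_seen is None or now - last_seen > timeout:
        return False
    session["last_seen"] = now
    return True


def referer_is_allowed(referer, allowed_hosts=ALLOWED_HOSTS):
    """Accept the request only if the Referer names one of our own hosts.

    The Referer header is client-supplied and may be missing or forged, so this
    is a defence-in-depth check layered on the session, not a substitute for it.
    """
    if not referer:
        return False
    host = urlparse(referer).hostname
    return host is not None and host.lower() in allowed_hosts


def handle_admin_request(session, headers, now=None):
    """Decide what a protected page should do; returns an HTTP status code.

    401: send the user back to the login form (no or expired session).
    403: refuse the request outright (request did not come from our own pages).
    200: serve the page.
    """
    if not session_is_valid(session, now):
        return 401
    if not referer_is_allowed(headers.get("Referer")):
        return 403
    return 200


if __name__ == "__main__":
    # Constructed sample: a user who logged in 5 minutes ago, arriving from our site.
    sess = {"authenticated": True, "last_seen": time.time() - 300}
    print(handle_admin_request(sess, {"Referer": "https://school.example/admin/"}))
```

Because the decision is made from server-held state, a visitor with JavaScript disabled (or one who edits the page in the browser) cannot change the outcome; only the server's own session record and clock matter.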

5:32 pm on Apr 22, 2008 (gmt 0)

Administrator

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 24, 2001
posts:15756
votes: 0


don't store more information about your members than is needed

don't store anything you aren't supposed to, like CC nums

if this is strictly for alumni then you might find it necessary to confirm their identity, especially on a request for information

you have to look at the business processes involved, decide what risks there are and then decide what lengths you need to go to in order to protect against them

as Marshall said, nothing is perfect so you need to revisit these decisions/processes on a regular basis

5:45 pm on Apr 22, 2008 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 4, 2001
posts:2187
votes: 23


as Marshall said, nothing is perfect
except all of us here ;)

12:49 am on Apr 23, 2008 (gmt 0)

New User

5+ Year Member

joined:Apr 6, 2008
posts: 20
votes: 0


Marshall said, "Bottom line - the more things that are controlled server side, the more secure it is going to be."

Question: But isn't the entire site really located on a server--thus, everything is "server side"? What am I missing here?

1:17 am on Apr 23, 2008 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 4, 2001
posts:2187
votes: 23


Javascript is a "client side" script which requires the user to have java installed on their computer to execute. .asp, .php, perl, etc, are server side scripts and do not need the user's computer to execute. So if you have a form that requires a field validated and you use javascript and it is off, the form will not validate. But if you use a server side script, it will.

Marshall
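To make Marshall's point concrete, here is an added example (not code from this thread or from any of the members' sites) of the form-handler validation he and the earlier post refer to: the server checks the fields of a "request information" form itself, so the result is the same whether or not the visitor's browser runs JavaScript. The field names, length limits and sample submissions are constructed for the example. It also rejects line breaks in the single-line fields, which is the check that stops a mail form from being turned into a spam relay through injected mail headers.

```python
"""Server-side validation for a small "request information" form.

Added example for this thread (not the thread's own code). Assumptions: the form
posts three fields (name, email, message) and the handler later passes name and
email into mail headers and message into the mail body.
"""
import re

# Simple shape check: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed length limits for the example form.
MAX_LEN = {"name": 100, "email": 254, "message": 2000}
SINGLE_LINE_FIELDS = ("name", "email")  # these end up in mail headers


def validate_request_form(fields):
    """Validate a submitted form dict on the server.

    Returns (clean, errors): `clean` holds the accepted values, `errors` maps a
    field name to the reason it was rejected. The form is acceptable only when
    `errors` is empty. Nothing here depends on anything the browser did first.
    """
    clean, errors = {}, {}
    for name in ("name", "email", "message"):
        value = fields.get(name, "")
        if not isinstance(value, str):
            errors[name] = "invalid type"
            continue
        value = value.strip()
        if not value:
            errors[name] = "required"
            continue
        if len(value) > MAX_LEN[name]:
            errors[name] = "too long"
            continue
        if name in SINGLE_LINE_FIELDS and ("\r" in value or "\n" in value):
            # A line break in a header field is the classic mail header
            # injection pattern (e.g. smuggling in extra recipients).
            errors[name] = "line breaks not allowed"
            continue
        if name == "email" and not EMAIL_RE.match(value):
            errors[name] = "not a valid address"
            continue
        clean[name] = value
    return clean, errors


def form_is_acceptable(fields):
    """Convenience wrapper: True when the submission passed every check."""
    return not validate_request_form(fields)[1]


if __name__ == "__main__":
    # Constructed sample submissions: one honest, one attempting header injection.
    good = {"name": "Alice Alumna", "email": "alice@school.example",
            "message": "Please send me the reunion dates."}
    bad = {"name": "Alice", "email": "alice@school.example\nBcc: spamlist@evil.example",
           "message": "hi"}
    print(validate_request_form(good))
    print(validate_request_form(bad))
```

Client-side JavaScript can still be used on top of this to give the visitor quicker feedback, but it is the server-side check that decides whether the form is processed.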

8:56 am on Apr 23, 2008 (gmt 0)

New User

5+ Year Member

joined:Apr 6, 2008
posts:20
votes: 0


Thank you, Marshall. I have a bunch to learn.