In an earlier post we covered WordPress security on shared hosting and what to do if your site gets hacked. Here we look at general programming practices to build into your web development projects. This is a technical article, aimed at your development team, and the practices it describes should be standard in any IT organisation.
Web security is often assumed to come out of the box, but even best practices cannot cover everything. It is important to cover all your bases and stay alert: websites are complex systems and need constant tending.
1. Never Trust User Input
The basic rule for securing a web application is to filter input and escape output. Never trust user-supplied data: always validate it and filter it properly. To validate means to verify that the data has the form you expect; to filter means to remove unwanted characters from it. Sometimes we trust user data without realising that it is user data at all. Consider $_SERVER['HTTP_HOST'], a PHP superglobal entry. Some developers assume it is a server variable rather than user data, so they use it in a form action or a site_url setting like
<form action="<?= $_SERVER['HTTP_HOST'] ?>/page">
or
$config['site_url'] = 'http://' . $_SERVER['HTTP_HOST'];
However, $_SERVER['HTTP_HOST'] is simply the value of the Host header in the incoming request, and a user (attacker) can set that header to anything the web server will accept, which on a default or catch-all virtual host means any string at all. So avoid using $_SERVER['HTTP_HOST'] for anything security-relevant and use a configured domain name instead, e.g.
$domain_name = 'mydomain.com';
$config['site_url'] = 'http://' . $domain_name;
Vulnerabilities of this type (Host header injection) lead to phishing, for example when a password-reset e-mail is built from the attacker's host, and to web cache poisoning, where a cached page ends up carrying links to the attacker's domain. The same rule applies to the rest of $_SERVER: HTTP_REFERER, HTTP_USER_AGENT, HTTP_X_FORWARDED_HOST and every other HTTP_* entry comes straight from request headers and is user input. If the application genuinely must serve several hostnames, compare the Host header against an explicit allowlist and fall back to the configured domain when it does not match, and still escape the value wherever it is echoed into HTML.
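The following is an added example, not code from the original article: it shows the allowlist approach for sites that legitimately answer on more than one hostname, next to the unsafe pattern above. The hostnames, the trusted_host() and site_url() helpers and the sample Host values are assumptions made up for the illustration.

```php
<?php
// Added example (not the article's own code). Build absolute URLs from a
// configured allowlist of hostnames rather than trusting the Host header.
// ALLOWED_HOSTS and CANONICAL_HOST are placeholder values for this example.
declare(strict_types=1);

const ALLOWED_HOSTS = ['mydomain.com', 'www.mydomain.com'];
const CANONICAL_HOST = 'mydomain.com';

/**
 * Return a hostname that is safe to build URLs with.
 * $requestHost is the raw Host header ($_SERVER['HTTP_HOST']), which the
 * client controls completely, so it is only used when it matches $allowed.
 */
function trusted_host(?string $requestHost, array $allowed, string $canonical): string
{
    if ($requestHost === null || $requestHost === '') {
        return $canonical;          // e.g. an HTTP/1.0 request with no Host header
    }
    // Normalise case and drop an optional ":port" before comparing.
    $host = strtolower($requestHost);
    $host = preg_replace('/:\d+$/', '', $host);
    // Accept only a plain DNS name that is on the allowlist; IPv6 literals and
    // anything with unexpected characters fall back to the canonical name.
    if (preg_match('/^[a-z0-9.-]+$/', $host) === 1 && in_array($host, $allowed, true)) {
        return $host;
    }
    return $canonical;
}

/** Absolute site URL derived from a trusted hostname only. */
function site_url(?string $requestHost): string
{
    return 'https://' . trusted_host($requestHost, ALLOWED_HOSTS, CANONICAL_HOST);
}

// Constructed sample Host header values (not captured traffic):
$samples = [
    'mydomain.com',              // legitimate
    'WWW.MYDOMAIN.COM:443',      // legitimate, different case and explicit port
    'evil.example',              // attacker-supplied Host header
    'mydomain.com.evil.example', // lookalike suffix, must not match
    null,                        // request without a Host header
];
foreach ($samples as $h) {
    printf("%-30s -> %s\n", var_export($h, true), site_url($h));
}

// Unsafe pattern from the article (kept here only for comparison):
//   <form action="<?= $_SERVER['HTTP_HOST'] ?>/page">
// Hardened version: validated host, and the value is still escaped on output.
$action = htmlspecialchars(site_url($_SERVER['HTTP_HOST'] ?? null) . '/page', ENT_QUOTES, 'UTF-8');
echo '<form action="' . $action . '">' . "\n";
```

Run it from the command line (where no Host header exists) and every attacker-controlled sample resolves to the canonical domain, while the two allowlisted names pass through unchanged. Rejecting unknown Host values at the web server as well, with a default virtual host that answers anything not explicitly configured, gives a second layer that does not depend on every script getting this right.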