Security for a new website
Old 08-31-2007, 12:16 AM Security for a new website
Novice Talker

Posts: 5
Name: Lou Arnold
I'd like some advice for securing a website.

It will be a simple marketing website for services I will provide. There won't be any databases but some files will be offered for sale, perhaps through PayPal. I have not created anything more than a crude website before.

Some security aspects might be for example: I read somewhere that I should encrypt the site so that no one can just copy the HTML of the pages. I don't understand how the encryption would stop the copying.

Another example: How can I stop the URL from being hijacked, i.e. forwarded to someone else's website?

Is there some central location where one can find useful information on securing a website?

Many thanks,
Lou.
 
Old 08-31-2007, 12:27 AM Re: Security for a new website
ADAM Web Design's Avatar
Canadastaninianite

Posts: 5,945
Name: Adam for web page design, not program
Location: Toronto, Ontario, Canada
If you want to secure a website or section of it, the simplest way is to password-protect it. There are many options for doing so, including .htaccess if you're on a Linux box (if you don't know whether or not you are, you probably are). The user is forced to get in through a login and password and that protects against about 98-99% of stuff, particularly if your site isn't really popular (hackers tend not to care as much about smaller sites since the reward isn't as high.)
 
Old 08-31-2007, 02:03 PM Re: Security for a new website
Novice Talker

Posts: 5
Name: Lou Arnold
Quote:
Originally Posted by ADAM Web Design View Post
If you want to secure a website or section of it, the simplest way is to password-protect it.
It's certainly one idea, but passwords aren't really appropriate. The website is a marketing vehicle - a way of presenting my expertise. It would be counterproductive to have them register for a password to see the website - if I understood your intent, here.

There is nothing on the website that is of value. Whatever a person wants to copy, they can copy. What is important is that they are blocked from redirecting the user, and from modifying the content of the website. And the content is blocked by password anyway. Still, these two possibilities should be blocked more heavily.

I have not yet chosen the web hosting company, and I'm not sure exactly what tools I'll use to develop the website.

As an example of protection, here is a list of things that a specific website encryption tool has to offer - but why would I want each of these protections?
-Protect Everything on Your Web Page
-Prevent Others from Making Unauthorized Copies of Your Web Pages
-Make Your Pages Ineligible to Web Filters (I don't think I'd have anything that filters would remove.)

-Prevent Automated E-mail Grabbers from Obtaining Addresses on Your Website (this is simple to prevent if you use "at" instead of "@" and ".dot" instead of ".".)

-Prevent Automated Downloading Programs from Getting Your Whole Site (Now I may have spent time developing the site, but I don't think anyone would want to copy the whole site.)



Lou.

Last edited by LouArnold : 08-31-2007 at 02:55 PM. Reason: clarification of request
 
Old 08-31-2007, 03:19 PM Re: Security for a new website
JamieLewis's Avatar
Pretty Much a Big Deal...

Latest Blog Post:
Gooie
Posts: 386
Name: Jamie Lewis
Location: UK
Quote:
-Protect Everything on Your Web Page
-Prevent Others from Making Unauthorized Copies of Your Web Pages
Both of those things CANNOT be done; anything that the user sees they can copy, take, edit, etc.

Web security is generally fine server side these days unless you are setting your own server up or have chosen a REALLY bad host.

The main concern is people injecting code into the site via server side scripts. If you are using PHP/ASP or have any dynamic content on your site then you will need to look into securing these.

URL hijacking is very rare and will only happen if you choose an untrustworthy registrar or allow someone to inject JavaScript into your site (see above).

Encryption of sites does not work. If the client renders it then it can be stolen.

Jamie
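
The injection risk described in the post above, as an added example that is not part of the original thread: a dynamic page that echoes visitor input, first pasted in raw and then escaped. The function names, the "name" field and the sample input are hypothetical and constructed for illustration.

```javascript
// Added example: output escaping for a page that echoes visitor input.
// renderUnsafe, renderSafe and the "name" field are hypothetical.

// Escape the five characters that let text break out of HTML content
// or out of a quoted attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: visitor input is pasted into the markup as-is.
function renderUnsafe(name) {
  return "<p>Thanks, " + name + ". We will be in touch.</p>";
}

// Hardened: visitor input is treated as text, never as markup.
function renderSafe(name) {
  return "<p>Thanks, " + escapeHtml(name) + ". We will be in touch.</p>";
}

// Simple check: does the rendered page contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed input: a "name" that is really a script redirecting the visitor.
const submitted = '<script>location.href="https://attacker.invalid/"</script>';

console.log("unsafe page has script:", containsScriptTag(renderUnsafe(submitted)));
console.log("safe page has script:  ", containsScriptTag(renderSafe(submitted)));
console.log(renderSafe(submitted));
```

A static site with no server-side scripts and no echoed input has no such code path, which is why the post ties the risk to dynamic content.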
 
Old 09-02-2007, 10:34 AM Re: Security for a new website
Novice Talker

Posts: 5
Name: Lou Arnold
Re: Prevent Others from Making Unauthorized Copies of Your Web Pages:
The comment for this capability is:
"While users will still be able to view your web pages and save it to their local disk, the pages are encrypted by HTML Protector so that the user will not be able to understand its source code, which will prevent them from using the code on their own pages."
So I guess this really blocks stealing of the web site.
 
Old 09-02-2007, 10:39 AM Re: Security for a new website
Novice Talker

Posts: 5
Name: Lou Arnold
Perhaps I'll change the approach here. Let me ask:
Is there a web site that explains what should be done to improve web site security - perhaps for different servers or against different hacking tools?
Perhaps there is a web site that explains what hackers are technically trying to accomplish?
 
Old 09-02-2007, 11:01 AM Re: Security for a new website
JamieLewis's Avatar
Pretty Much a Big Deal...

Latest Blog Post:
Gooie
Posts: 386
Name: Jamie Lewis
Location: UK
I took a look at that HTML Protector thing...the thing is completely pointless.

There isn't one site which will take you through security since it is such a vast area.

What I would suggest is learning how to set up and secure servers, look into cross site scripting, learn about SQL injection.

What you need to remember is that "hacking tools" don't really exist in a traditional Hollywood sense, password crackers and port scanners are commonly used by system admins as well as crackers to establish vulnerabilities.

The best way to learn how to protect your site is to learn how to crack it, simple as. Become an expert in spotting security flaws in your server side code. If you are running your own server then research exploits, see if you are at risk.

There is no checklist since the industry moves all the time, the best you can do is continually check your site, look through your code, get others to examine it, research past exploits.

http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
http://searchsecurity.techtarget.com...015581,00.html
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/SQL_injection

Those links should help you on the right path.

Jamie
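
Why a script-based page "encryptor" cannot keep markup from a reader, as an added example that is not part of the original thread. The packing scheme below (percent-encoding written out with `document.write`) is an assumption chosen for illustration; the thread does not describe HTML Protector's actual format, and the sample page is constructed.

```javascript
// Added example: a page packed for "protection" must carry everything the
// browser needs to undo the packing, so anyone holding the page can undo it.
// The scheme (percent-encoding + document.write) is an assumed, typical one.

// What such a packer might ship in place of the readable page.
function protectPage(html) {
  const bytes = new TextEncoder().encode(html);
  const encoded = Array.from(bytes)
    .map((b) => "%" + b.toString(16).padStart(2, "0"))
    .join("");
  return "<script>document.write(decodeURIComponent('" + encoded + "'))</script>";
}

// The browser has to decode before it can display anything. The same
// decoding works with plain string handling, without running the script.
function recoverMarkup(protectedPage) {
  const m = /decodeURIComponent\('((?:%[0-9a-f]{2})*)'\)/i.exec(protectedPage);
  if (!m) throw new Error("not in the assumed packed format");
  return decodeURIComponent(m[1]);
}

// Constructed sample page.
const original = "<h1>Lou's Consulting</h1><p>Contact: lou at example dot com</p>";
const shipped = protectPage(original);

console.log("readable in shipped file:", shipped.includes("<h1>"));
console.log("recovered equals original:", recoverMarkup(shipped) === original);
```

Whatever the packing, the browser ends up with the plain markup in its document tree, which is the point made in the thread: if the client renders it, the client has it.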
 
Old 09-02-2007, 06:01 PM Re: Security for a new website
Novice Talker

Posts: 5
Name: Lou Arnold
OK, that says it all, Jamie. Many thanks, indeed. I'll follow your advice.

I won't be using my own servers; I still need to pick a good web host. Suggestions are appreciated. I'm sure they won't say much about their security measures, but I will ask them.