This shows you the differences between two versions of the page.
| — | notes:web-apps [2010/06/27 15:51] (current) talin created | | |
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== How to keep your web applications secure ====== | ||
| + | |||
| + | * Never pass unvalidated input to your database | ||
| + | * Never pass unvalidated input to the system | ||
| + | * Always validate on the server-side; client-side validation should only function as a convenience to the user | ||
| + | * Validate data coming from other servers (if you're doing any web services stuff). | ||
| + | * Encrypt connections to the server | ||
| + | * Enforce inactivity timeouts | ||
| + | * Do not allow multiple logins to the same account (unless you want your application to work that way) | ||
| + | * Always authenticate users; consider using two-factor authentication (CAPTCHA + password, etc) | ||
| + | * Allow administrators to revoke accounts | ||
| + | * Make it easy for administrators/force administrators to sandbox/chroot your application | ||
| + | * If your applications needs to use server storage, consider DoS attacks (a user uploading lots of stuff) | ||
| + | * Make sure all privileged actions hit the same authentication class/function; if you change your authentication code, this ensures that the changes are applied across the board. | ||
| + | |||
| + | If you do all of the above, your app might still not be "secure", but breaking it will be a PITA. | ||
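Review bot: the "two-factor authentication (CAPTCHA + password, etc)" item mixes up two different controls: a CAPTCHA tells humans from bots, it is not a second authentication factor, so password + CAPTCHA is still single-factor. Suggest rewording to "consider two-factor authentication (password plus a one-time code or hardware token); use CAPTCHAs to slow down automated login attempts". In the same spirit, the first two items ("Never pass unvalidated input to your database / to the system") would be stronger if they named the mechanism that actually removes the injection risk, since validation alone is easy to get wrong: parameterized queries for the database and argument arrays instead of shell strings for system calls, with input validation as an additional layer. Finally, "Encrypt connections to the server" reads as optional; consider stating that the login and every authenticated page must be served over TLS, since session tokens sent over plain HTTP undo the other items in the list.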