When designing a security system for a website, one of the consideration is user experience versus security. For instance displaying the following different error messages often leaks information file not found folder not found server error has occurred username not found email address not found As someone enters different urls then information about your website […]
Letting users upload files into a website is an area that requires careful management. Obviously there is a decision to be made around whether to store the file in a database or on the file system. Also the file should be virus scanned. Note that in business systems users can often upload files like pdf that […]
When deploying a website you should try to deploy the minimum amount of files required to run the site. If extra files are deployed, or deployed to the wrong place, these may leak information. Examples include WSDL files that are not required DLLS deployed outside the bin directory. On some versions of IIS (out of […]
If your site always intends to serve its content over HTTPS/SSL then every request that is passes between the browser\webserver will encrypt the cookies. Excellent – no one monitoring or sniffing the traffic can see the cookie value. However even if you intend to always use HTTPS if ANY content is supplied over http (javascript files, images, […]
Marking your cookies as HTTPONLY will mean that JavaScript code running in most browsers cannot access a user’s cookies. This is important as if a hacker does manage to compromise your site and inject JavaScript it may be possible for the hacker to steal values of cookies (including security cookies). If HTTPONLY is set on the cookies […]
Occasionally you will hear this statement “There is nothing to worry about the website is behind a firewall” The firewall is important, but over reliance on a firewall is a poor idea. If there is no website and therefore no ports open on the firewall and the firewall or other device is correctly configured then it is […]
