General Security Checklist


With everything you have learned from this website, you should have the tools and knowledge you need to protect your web service from attacks. There are a few things you should remember to do when creating your site.

It's a secret to everybody

When choosing passwords, make sure they are long and hard to guess, that they are stored only as salted hashes produced by a slow password-hashing function (never in plain text or in reversible encryption), and that you keep them secret: give every person who needs to modify the site their own account rather than sharing one, so that access can be revoked individually. If users can sign up to your site, enforce a minimum password strength and tell them why it matters.

I want the one I can't have

If you ever need self-validation, you can be sure your form inputs will. Never trust anything a client sends: validate every input against what you expect (type, length, format), and counter the two classic injection attacks at the point where the data is used. SQL injection is defeated by parameterised queries (prepared statements) from your database library, not by escaping quotes by hand. Cross-site scripting (XSS) is defeated by encoding data for the context it is written into (HTML body, attribute, JavaScript, URL) every time it is output; libraries such as HTML Purifier (for allowing a safe subset of user-supplied HTML) and ESAPI (for contextual output encoding) help with this.
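The two attacks side by side with their fixes, as an added example that is not part of the original page. It uses an in-memory SQLite database with constructed sample rows; the functions marked vulnerable are deliberately written the wrong way so you can see the injection succeed, and the safe versions show the parameterised query and the output encoding.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data, not from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "likes <b>bold</b> text"),
        ("bob", "<script>alert(document.cookie)</script>"),
    ])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Deliberately vulnerable: user input is spliced straight into the SQL text,
    # so a name of  ' OR '1'='1  turns the WHERE clause into a tautology.
    cur = conn.execute(f"SELECT name FROM users WHERE name = '{name}'")
    return [row[0] for row in cur.fetchall()]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the driver sends the value separately from the
    # statement, so quotes in the input can never change the query's structure.
    cur = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def render_bio_vulnerable(bio: str) -> str:
    # Deliberately vulnerable: stored data is written into HTML unencoded.
    return f"<p>{bio}</p>"


def render_bio_safe(bio: str) -> str:
    # HTML-body context: encode <, >, &, " and ' so the data stays data.
    return f"<p>{html.escape(bio, quote=True)}</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, payload))  # every user leaks
    print(find_user_safe(conn, payload))        # nobody has that literal name
    bob_bio = conn.execute("SELECT bio FROM users WHERE name = 'bob'").fetchone()[0]
    print(render_bio_vulnerable(bob_bio))       # script runs in the victim's browser
    print(render_bio_safe(bob_bio))             # script is displayed as text
```

Note that the safe renderer is correct only for the HTML body context; a value placed inside a JavaScript block or a URL needs the encoding for that context, which is where ESAPI's context-specific encoders come in.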

Apache

Jump on it! Always keep your Apache installation patched with the latest security updates, and do the same for add-on modules and CGI scripts. Disable any modules you don't require: every loaded module is extra code that can carry a vulnerability and extra configuration that can be misused, so the server should load only what the site actually uses.
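A small audit for the "disable what you don't need" point, added here as an example and not taken from the original page. It parses the output of `apachectl -M` (which lists the modules the running server has loaded) and reports every shared module that is not on your own list of required modules. The listing below is a constructed sample, and the required-module set is a hypothetical one for a site that only needs TLS and URL rewriting.

```python
import subprocess

# Constructed sample of `apachectl -M` output; not captured from a real server.
SAMPLE_MODULE_LISTING = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 ssl_module (shared)
 rewrite_module (shared)
 status_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 userdir_module (shared)
"""

# Hypothetical allowlist: what this particular site actually needs.
REQUIRED_MODULES = {
    "core_module", "so_module", "http_module",
    "mpm_event_module", "ssl_module", "rewrite_module",
}


def parse_loaded_modules(listing: str) -> dict:
    """Return {module_name: 'static' | 'shared'} from apachectl -M style output."""
    modules = {}
    for line in listing.splitlines():
        line = line.strip()
        if " " not in line or not line.endswith(")"):
            continue  # skips the "Loaded Modules:" header and blank lines
        name, kind = line.rsplit(" ", 1)
        modules[name] = kind.strip("()")
    return modules


def unneeded_modules(listing: str, required=REQUIRED_MODULES) -> list:
    """Shared modules that are loaded but not required (static ones are compiled in)."""
    loaded = parse_loaded_modules(listing)
    return sorted(name for name, kind in loaded.items()
                  if kind == "shared" and name not in required)


def listing_from_server() -> str:
    """Ask the local Apache for its module list (requires apachectl on PATH)."""
    return subprocess.run(["apachectl", "-M"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for name in unneeded_modules(SAMPLE_MODULE_LISTING):
        print(f"loaded but not required: {name}")
```

On Debian-based systems each reported module can be turned off with `a2dismod <name without _module>` followed by a reload; elsewhere, comment out the corresponding LoadModule line in the configuration.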

Yesterday, all my problems seemed so far away

Always remember to make thorough, secure backups of your system. Even if you think you've written the most flawless, corruption-proof system known to man, there's the possibility that someone might use the server as a coffee table, or unplug the power to vacuum. Make sure your backups are frequent, checked for integrity (a backup you have never tried to restore is not yet a backup), and kept at a separate location from your server. It's no good if they get destroyed at the same time.