How to Secure a Website
To maintain a well-performing and highly available website, it is important to provide several layers of security. In addition to normal patching, user access management and good development hygiene, we recommend you use a combination of the following to ensure your website is protected:
- DNS Protection
- HTTPS
- Network Protection
- Caching
- Rate Limiting And IP Blocking
- Web Application Firewall
1 DNS Protection
Use of a quality customer-facing DNS solution is important to prevent attackers from overwhelming your website through a flood of DNS requests. Your DNS provider should be able to confirm an ability to handle DDoS attacks. An even better protection at the DNS layer is to use a provider who can deliver redundant DNS systems for your website so that in the instance of one DNS provider being overwhelmed by any sort of attack, the second provider will be available to continue service for your website. You can set up redundant DNS services yourself or choose a website delivery provider who includes this service for you.
2 HTTPS
Delivering properly encrypted traffic from your servers all the way through to your customers’ browsers and back again is a core line of defence in making sure your site and your customers’ details are secure.
Deployment and maintenance of a high-quality SSL certificate (the certificate you need to demonstrate your site is secure, which gives you an HTTPS web address) is important to prevent potential flaws in the encryption which may open the traffic up to interception, interpretation and exploitation. Qualys SSL Labs use a handy rating system to help users discern the quality of their SSL certificate. Lower ratings indicate that your encryption levels may not be satisfactory with respect to areas such as cipher support, protocol support, or key exchange support, or could indicate your certificate is installed incorrectly or not trusted for the domain of your store.
Visit www.ssllabs.com/ssltest/ to test your website certificate rating.
If you wish to immediately enhance your certificate rating, you should address any shortcomings found from this review. You could also investigate the use of certificates issued by your website delivery platform, as they may provide and manage higher rated certificates on an ongoing basis than you are able to secure directly.
An Extended Validation certificate, commonly used by banks or other websites that manage highly sensitive data, is not necessary for your site and will not enhance the security of the web traffic to and from your website. Extended Validation certificates may improve user perception, but do not improve security as they use the same encryption protocols.
3 Network Protection
Attacks can also occur at the networking layer. Your website needs to be able to detect and reject networking style attacks including those at the TCP layer. You should partner with hosting and site delivery providers who provide network-level protection at large scale so that your site is not subject to performance degradation or failure as a result of network attacks.
4 Caching
A well-structured caching layer can prevent your core infrastructure and compute resource from becoming overwhelmed by requests for certain assets.
As we reviewed in Chapter 4, caching means an asset or assets can be served from a cache, preferably from an elastic infrastructure which is not part of your core hosting infrastructure. In this way, you can defeat some DDoS attacks simply by having more resource readily available to serve the attacker’s requests than the attacker can muster to generate the requests. Every website should maintain a quality caching tier in front of their web servers for the purposes of both improving performance and scalability of the website directly and for providing an additional security layer. Distributed, elastic cloud solutions will provide the best results for these purposes.
This caching tier needs to be well tuned. For example, it is very common to be able to bypass all caching efforts by simply adding random parameters to querystrings. Ideally, every URL and its valid querystring parameters will be accounted for in the cache configuration, so that the cache cannot be trivially bypassed.
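One way to tune the cache key as described above, shown as an added example that is not part of the original article: each path gets an allowlist of querystring parameters that genuinely change the response, and everything else is dropped before the cache lookup. The paths, parameter names and sample requests are assumptions made up for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumed allowlist (hypothetical site): path -> parameters that change the response.
ALLOWED_PARAMS = {
    "/products": {"page", "sort", "category"},
    "/search": {"q", "page"},
}

# Constructed sample traffic: the same two pages requested with junk parameters.
SAMPLE_REQUESTS = [
    "/products?sort=price&page=2",
    "/products?page=2&sort=price&cb=8f3a1",
    "/products?utm_source=x&page=2&sort=price&_=1700000000",
    "/about?x=1",
    "/about?y=2",
]

def cache_key(url):
    """Normalise a URL into a cache key.

    Unknown parameters are dropped, repeated parameters keep only their
    first value, and the rest are sorted so ordering cannot split the cache.
    Paths without an allowlist entry are cached with no querystring at all.
    """
    parts = urlsplit(url)
    allowed = ALLOWED_PARAMS.get(parts.path, set())
    kept = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in allowed and name not in kept:
            kept[name] = value
    query = urlencode(sorted(kept.items()))
    return parts.path + ("?" + query if query else "")

def hit_ratio(urls, key_func):
    """Fraction of requests served from cache when key_func builds the key."""
    seen, hits = set(), 0
    for url in urls:
        key = key_func(url)
        if key in seen:
            hits += 1
        else:
            seen.add(key)
    return hits / len(urls)

if __name__ == "__main__":
    print("raw URL as key:    ", hit_ratio(SAMPLE_REQUESTS, lambda u: u))
    print("normalised key:    ", hit_ratio(SAMPLE_REQUESTS, cache_key))
```

The key here covers only path and query; a cache serving several hostnames would also include the host in the key.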
5 Rate Limiting And IP Blocking
Detecting and blocking requests based on IP ranges or GeoIP databases can be helpful for certain styles of attack. While some attacks will avoid IP blocking by rotating the attacking IP addresses or attacking from a large and varied range of IPs (such as with a DDoS attack), other attacks can be handled well by limiting the ranges of IP addresses which can make requests on your website. For example, your customer base may be solely from one country and in this case you may wish to block the IP ranges for other suspect countries to avoid the chance that attacks could be launched from those countries.
An additional alternative to all-out blocking of IP addresses or address ranges is to limit the frequency with which an IP address can connect and make requests from your website. Normal customer behaviour usually presents as a much lower frequency of request than a number of different types of attack. This is known as request rate limiting.
By installing the right delivery infrastructure for your website, with very limited effort you should be able to manage the IPs which can connect to your web infrastructure and set upper thresholds for the rate at which any particular IP address can make requests to your web application.
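The two controls from this section combined in one gate, as an added example that is not from the original article: a request is first checked against blocked IP ranges, then against a per-IP sliding-window request limit. The class name, thresholds, address ranges (documentation ranges) and event list are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

class IPGate:
    """Block listed ranges, then cap requests per IP in a sliding window."""

    def __init__(self, blocked_cidrs, max_requests, window_seconds):
        self.blocked = [ipaddress.ip_network(c) for c in blocked_cidrs]
        self.max_requests = max_requests
        self.window = window_seconds
        self.history = defaultdict(deque)  # ip -> timestamps of allowed requests

    def check(self, ip, now):
        """Return 'blocked', 'rate_limited' or 'allowed' for one request."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blocked):
            return "blocked"
        recent = self.history[ip]
        # Forget requests that have aged out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            # Rejected requests are not recorded, so a client recovers
            # as soon as its earlier requests leave the window.
            return "rate_limited"
        recent.append(now)
        return "allowed"

# Constructed events: (seconds since start, client IP as seen by the edge).
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
    (3, "198.51.100.7"),   # fourth request inside 10 s
    (4, "203.0.113.9"),    # inside the blocked range
    (5, "192.0.2.44"),     # different client, own budget
    (11, "198.51.100.7"),  # earlier requests have aged out
]

def replay(events, gate):
    """Run events through the gate and return the decisions in order."""
    return [gate.check(ip, t) for t, ip in events]

if __name__ == "__main__":
    gate = IPGate(["203.0.113.0/24"], max_requests=3, window_seconds=10)
    for (t, ip), decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, IPGate(
            ["203.0.113.0/24"], 3, 10))):
        print(t, ip, decision)
```

The IP passed to the gate must be the real client address; behind a CDN or load balancer that means taking it only from a header set by that trusted proxy.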
6 Web Application Firewall
Placing a Web Application Firewall (WAF) in front of your application can be a very effective way of controlling attacks which may occur above the networking layers at the HTTP protocol layer. A WAF can inspect the HTTP requests being sent to your website and, based on a set of rules, determine if the requests may be malicious and block them, or valid and then allow them to continue.
The types of attack a WAF can detect and block include those outlined in the OWASP Top Ten above. By inspecting, detecting and blocking malicious requests, you can avoid system outages. When websites are compromised by these types of attacks, most often the website will be taken offline voluntarily by its owner to avoid the potentially calamitous complications of leaked or hijacked customer details and payment information. Installing and maintaining a WAF for your website can prevent these outages.
Beware of one-size-fits-all WAF vendors. These systems are often optimized to reduce the chance of the system breaking the protected application so the vendor can minimize support requests. You’ll get a better result with a WAF that is tailored to your application.
Installing and maintaining a WAF for your website can be a complicated matter. You need to make sure you have the right compute infrastructure and the right tooling to be able to view the activity within the WAF and manage the rule sets for your application. A WAF returning too many false positive blocks will cause real customer frustrations and hence become frustratingly useless very quickly. Conversely, a WAF returning too many false negatives (or requests which should have been blocked but were not) will not provide the level of protection which it promises.
Therefore, when installing a WAF, make sure you have the tooling to quickly and simply test the WAF settings in your development and staging environments before turning it on in production. You should have good access to real-time reports, metrics and logs for your WAF, in addition to the flexibility to manage the rulesets and run the WAF in each of your development and staging environments.