home Links Articles Books Past Meetings Photos SiteMap
The MDCFUG is sponsored by TeraTech. Visit us at www.TeraTech.com

Please send
comments/questions to

michael@
teratech.com

 

Top Ten Web Security Tips

Top Ten Web Security Tips

By Michael Smith Michael@teratech.com

http://www.teratech.com     301-881-1440

 

All website are potentially vulnerable to hackers. Follow these steps to make your site much more secure.

Code Security

Items marked (*) can be coded once in Application.cfm

 

1.      * Have an Error Handler

a.      Don’t display detailed error message – email error to admin instead using CFERROR and CFMAIL. Don’t store error info in hidden form fields – it can be viewed!

b.      Don’t give extra info in error messages – eg userid correct but password wrong

2.      Prevent Cross-site scripting – URL and FORM variable protection

a.      * Use URLEncrypt and Decrypt from www.cflib.org

b.      Checksum hidden FORM fields to prevent them from being changed.

3.      * Scan and remove dangerous characters from URL/FORM ()<>/|

4.      * Prevent Fake form submits – check referrer CGI. HTTP_REFERER  in same domain

a.      * Use CGI. CF_TEMPLATE_PATH to control what is run – eg included files

5.      Prevent Viewing other users data by changing URL or FORM parameters - checksum

6.      Validate all URL and FORM input  – use CFPARAM to check data type and required fields, use CFQUERYPARAM for all CF variables in SQL.

7.      Use Server side validation to back up client side validation (_ field name, CFFORM, JavaScript) because client side validation can be disabled by user.

8.      Logon – require hard passwords, timeout after 3 failures. Store hashed password instead of plain text in database.

9.      * Timeout client and session – roll your own timeout. Protect Back button.

10.  Protect use of CFFILE uploads and CFCONTENT file display – hacker can upload dangerous CFM files or view your source code.

Server Security

  • Install latest patches for Windows, IIS and CF
  • Remove software that is not used
  • Remove unused accounts
  • Protect with firewall
  • Use hard to guess long passwords with numbers in
  • Monitor your logs

What Security Means

  • Security is hard because a hacker only needs one window to be open to get in while you must close all the holes. Assume bad things will happen and code for them.
  • Security is a way of thinking – “How can they get in to this page?”
  • More knowledge is power - don’t keep security tips secret!

Next Steps


Home | Links | Articles | Past Meetings | Meeting Photos | Site Map
About MDCFUG | Join | Mailing List |Forums | Directions |Suggestions | Quotes | Newbie Tips
TOP

Copyright © 1997-2017, Maryland Cold Fusion User Group. All rights reserved.
< >