Website Security Week!
I've been a bit quiet on the blog front recently so thought I would kick back off with something thats very important to me. Website Security Practices. I'm going to cover off various topics related to it this week.
Why should you care? Any web developer should care, the safety of your website is the safety of your business and your customers information. It cannot get more critical than this. We've seen over the years more breaches of businesses via their websites. It happened to British Airways only a few years ago, it resulted in names, emails and credit card information lost.
HTTPS (Hypertext Transfer Protocol Secure) is an extension of HTTP which allows for secure communication using SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
Please, please, please serve all your content over HTTPS. It's more secure all around.
All providers now offer HTTPS for your website, and if you need an alternative you can get free certificates from the amazing Let's Encrypt, there are no excuses not to use HTTPS now.
Also make sure you turn on
redirect-to-https for all your services to ensure that HTTPS is being used by everyone all round.
Furthermore, ensure your site isn't serving mixed content of both HTTP and HTTPS which can occur from third party dependencies for example, but this breaks the point of using HTTPS so ensure its not occurring on your site.
I'll wait while you check.
Next up is security headers, there is an awful lot to cover here so I'll be doing more blogs as part of this week.
But first here are a few tools for you to check you site now!
This is a great tool to quickly scan your security headers on your website and get a straightforward score. Make sure you tick the 'Hide Results' box so your website doesn't appear on the home page.
I'd advise aiming for at least an A grade!
Another great tool that checks not only the security headers but also several other aspects of security of your website. Again make sure you hide the results from the public results.
In summary, security of your site and services is a critical issue and not an afterthought. It's easier than ever to serve everything over HTTPS and even easier to check the basics of security on your site.