Newb question for you all. I’ve been doing all of my web dev on CMS platforms like Shopify and WordPress, where I know security is somehow built into the platform. However, to get a better handle on the basics of site-building, I’m going to create my portfolio site from scratch with just a text editor and Bootstrap.
When going this route, how do you approach security? Do you worry about it? If so, why? If it’s not a site that deals with sensitive info like an eCommerce site, would you bother? To what extent is this handled by your hosting provider?
Just trying to wrap my mind around an unfamiliar topic. Thanks in advance.
Question: “How do you approach security?”
Answer: Security should be part of the groundwork. It should be one of the first things you do when you’re building something like a CMS or an eCommerce site. In this day and age, everything must be protected or people will abuse its weaknesses.

Question: “Do you worry about it? If so, why?”
Answer: You should always worry about security, as I stated above. Everything must be protected. Even if no important data is stored, it is still a must. People are always finding workarounds to abuse weaknesses in websites. There is a simple rule when coding websites (well, most anything): you NEVER EVER trust the user. Always validate input. Always, always, always. Let’s take a simple sign-up page for example. Now let’s say you have linked the email input tag with a var in PHP. The var is then linked to a query, which is run in a database. Now what if the user enters a // or a */? These are both PHP comments, so it can break your code and can even ruin the database completely. Never trust the user.

Question: “If it’s not a site that deals with sensitive info like an eCommerce site, would you bother?”
Answer: I kind of said this before. Even if the data is not sensitive, always check the user’s input. Never trust the user.

Question: “To what extent is this handled by your hosting provider?”
Answer: In most cases they only protect your login details for their service. They don’t validate user input at all. It is up to you to make your website secure.
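The sign-up form scenario above (an email field that ends up in a database query) as an added example, not code from anyone in the thread. It shows the two habits that matter for the email-in-a-query case: reject input that is not a syntactically valid address, and bind the value to the query with a prepared statement so that quote or comment characters in the input are stored as text rather than interpreted as SQL. The `subscribers` table, the in-memory SQLite DSN and the sample inputs are all assumptions made for the demo.

```php
<?php
// Added example (not from the thread): handling a sign-up form's email
// field in PHP. Assumes a table `subscribers(email TEXT)`; the DSN and
// table name are placeholders for whatever the real site uses.
declare(strict_types=1);

function normalizeEmail(string $raw): ?string
{
    // Trim surrounding whitespace and reject anything that is not a
    // syntactically valid address. Reject rather than try to "clean up".
    $email = trim($raw);
    if (strlen($email) > 254) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function saveEmail(PDO $db, string $raw): bool
{
    $email = normalizeEmail($raw);
    if ($email === null) {
        return false; // invalid input: store nothing, report it to the user
    }
    // A prepared statement sends the value separately from the SQL text,
    // so quotes or comment markers inside $email cannot change the
    // meaning of the query.
    $stmt = $db->prepare('INSERT INTO subscribers (email) VALUES (:email)');
    $stmt->execute([':email' => $email]);
    return true;
}

// Demo with an in-memory SQLite database and constructed sample inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (email TEXT NOT NULL)');

$samples = [
    'alice@example.com',           // accepted
    "bob@example.com' OR '1'='1",  // rejected by validation
    "carol@example.com'; --",      // rejected by validation
];
foreach ($samples as $s) {
    printf("%-32s => %s\n", $s, saveEmail($db, $s) ? 'stored' : 'rejected');
}

// Even with validation skipped, a bound parameter is stored literally
// rather than executed as part of the query:
$stmt = $db->prepare('INSERT INTO subscribers (email) VALUES (:email)');
$stmt->execute([':email' => "x' OR '1'='1"]);
echo $db->query('SELECT COUNT(*) FROM subscribers')->fetchColumn(), " rows\n";
```

The same pattern applies to every field of a contact form, not just email: validate against what the field is supposed to contain, and never build the SQL string by concatenating the raw value.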
Thanks Matthew, that definitely helps me understand things a little better. If you were creating a simple portfolio site with nothing but visuals and a contact form, what else would you worry about besides form input validation?
I had a couple of static sites - no contact forms, no user input at all - hacked on shared hosting. The hosting company was useless - insisted the problem must have been in my computer, not their server. (I’m equally certain it wasn’t.) Not long after that, I got Spam e-mail from their e-mail address. It was clear their e-mail had been hacked, yet when I reported it, they tried to tell me I was somehow at fault there, too. If I hadn’t already been looking for a new host, I would have been after that.
Things can go wrong - but you want to know at the very least that your host will help you deal with things if they do, and not simply fob you off.
(I also now set all file and directory permissions to read-only, wherever possible, don’t allow indexing of directories, etc…)