Do you know how secure your website is? - 17th November 2017

Website security is important. You might think your website has nothing a hacker would want, but many websites are not hacked to steal data at all. They are hacked because the server itself is useful to the attacker: it can be made to host illegal content, send spam email or take part in denial of service attacks against other websites, and it is your domain's reputation that takes the blame.

So, the big question is, do you know how secure your website is? If the answer is no, then don’t panic. There are a few simple things you can do to check your website security and make it more secure.

How to check your Website Security

Are you using HTTPS?

As a starting point, check whether your website is served over HTTPS. Go to your website, but type "https://" in front of the address instead of "http://". If the browser shows "Your connection is not private" or "Your connection is not secure" instead of loading the page, then you do not have working HTTPS (a missing, expired or mismatched certificate all produce that warning). To use HTTPS you need a TLS certificate (still commonly called an SSL certificate) installed on your server. Many hosting providers charge for this, but you can get one for free from https://letsencrypt.org/ or https://www.sslforfree.com/. You might need the help of your web developer to install it and to set up a redirect from "http://" to "https://", because visitors and search engines will keep arriving on the old address until you do.

Check your HTTP Response Headers

The next thing to check is your website's HTTP response headers. The web server sends them to the browser with every page. Alongside the ones the browser needs, they often carry information nobody asked for, such as the exact server software and version, and those clues help an attacker pick the right exploit for your server. Several optional headers that would protect your visitors are also missing from most default setups.

To check your HTTP headers, go to https://securityheaders.io/ and enter your website address. Leave the "Follow redirects" option checked, and check "Hide results" if you don't want your site to appear in the public list of recent scans. Click the "Scan" button and the results are shown.

The results are graded A+, A, B, C, D, E, F or R, with A+ the best and F the worst. Below is a screenshot of the results for one of my websites.

Website results before adding missing HTTP headers

As you can see, the website was graded D. The missing headers are shown in red. After adding the missing headers and re-scanning, it was graded A, as shown in the screenshot below. You might notice the warning that the grade is capped at A: that is because the website is not using HTTPS, so Strict-Transport-Security cannot apply. With HTTPS an A+ is possible. If your site is graded below A, I recommend adding the missing headers. This can get complicated, so if you are not sure, ask your web developer.

Website results after adding missing HTTP headers

What the Headers mean

Server

This header reports which web server software is running, often down to the version (for example Apache/2.4.18). That lets an attacker look up the known vulnerabilities for that exact version instead of guessing. It is good practice to remove or trim the header, and likewise X-Powered-By, which gives away the PHP or ASP.NET version. Bear in mind that this only hides the version; keeping the server and its modules patched is what actually closes the vulnerabilities.

Strict-Transport-Security

This header only applies if you are using HTTPS (which you should be). It tells the browser that, for the number of seconds given in max-age, it must only ever connect to your site over HTTPS: any "http://" link or typed address is upgraded before the request is sent, and certificate warnings cannot be clicked through. The browser only remembers the policy after its first HTTPS visit, so it complements the http-to-https redirect rather than replacing it.

X-Content-Type-Options

Set to nosniff, this header stops the browser guessing the content type of a response from its contents (called MIME sniffing) and makes it trust the Content-Type you send. Without it, a file that is supposed to be an image or plain text can be interpreted as HTML or JavaScript, which is one way an uploaded file turns into a script running on your site.

X-Frame-Options

Clickjacking attacks load your website inside an invisible frame on an attacker's page, so that a visitor who thinks they are clicking something on the attacker's page is actually clicking a button on yours. The X-Frame-Options header tells the browser whether your pages may be framed at all: DENY forbids it, and SAMEORIGIN allows only your own pages to frame each other.

X-Xss-Protection

Cross-site scripting (XSS) attacks are where a hacker gets their own script to run in your visitors' browsers, in the context of your website. The X-XSS-Protection header switches on the reflected-XSS filter built into some browsers; the value "1; mode=block" stops the page from rendering at all when the filter triggers. It is a legacy, best-effort control and does not fix the underlying flaw. Properly encoding output in your code and adding a Content-Security-Policy are the real defences.

Content-Security-Policy

This header is the strongest protection against cross-site scripting (XSS) and other injection attacks. It lists the sources the browser may load scripts, styles, images and other content from, so an injected script from anywhere else is refused. Writing a policy that does not break your own site takes some work; you can send it as Content-Security-Policy-Report-Only first to see what would be blocked without blocking anything.

Referrer-Policy

This header controls how much of the current page's URL the browser puts in the Referer header when a visitor follows a link to, or loads a resource from, another site. Without it, the full URL, including any tokens or private paths in the query string, can leak to third parties. It does not protect against cross-site request forgery; that needs anti-CSRF tokens or SameSite cookies.
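The scan described above can also be reproduced locally against the headers your server actually sends. The following Python script is an added example written for this page; it is not the author's code and it is not how securityheaders.io calculates its grades. It parses a raw response head (the output of `curl -sI https://your-site/`) and reports the same problems the header descriptions above cover: version disclosure in Server and X-Powered-By, and each protective header missing or weakly set. The two responses in it are constructed samples, and the 180-day HSTS threshold is this example's own choice.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (header, what is wrong with it)

# Two response heads as `curl -sI <url>` prints them. Both are CONSTRUCTED for
# this example: "before" mirrors a default hosting setup, "after" the fixed one.
RAW_BEFORE = """HTTP/1.1 200 OK
Date: Fri, 17 Nov 2017 10:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
X-Powered-By: PHP/7.0.22
Content-Type: text/html; charset=UTF-8
"""

RAW_AFTER = """HTTP/1.1 200 OK
Date: Fri, 17 Nov 2017 10:05:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
"""

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # this example's threshold; a year is the usual recommendation


def parse_head(raw: str) -> Dict[str, str]:
    """Turn a raw response head into a dict keyed by lower-cased header name.

    The status line is skipped and repeated headers are joined with ', ',
    which is how HTTP lets a client combine them.
    """
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue  # not a header line
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def audit(headers: Dict[str, str], served_over_https: bool = True) -> List[Finding]:
    """Report the problems discussed above, in a fixed order, or [] if none."""
    findings: List[Finding] = []

    # Disclosure: a version number in Server, or X-Powered-By at all, tells an
    # attacker exactly which published exploits to try.
    server = headers.get("server", "")
    if re.search(r"\d", server):
        findings.append(("Server", f"reveals the software version: {server!r}"))
    if "x-powered-by" in headers:
        findings.append(("X-Powered-By", "reveals the application platform; remove it"))

    # HSTS is only meaningful over HTTPS, which is why the scanner caps a plain-HTTP site at A.
    if served_over_https:
        hsts = headers.get("strict-transport-security")
        match = re.search(r"max-age=(\d+)", hsts or "")
        if hsts is None:
            findings.append(("Strict-Transport-Security", "missing"))
        elif match is None or int(match.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(("Strict-Transport-Security", "max-age shorter than 180 days"))

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("X-Content-Type-Options", "missing or not 'nosniff'"))

    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("X-Frame-Options", "missing or not DENY / SAMEORIGIN"))

    if "x-xss-protection" not in headers:
        findings.append(("X-XSS-Protection", "missing (legacy filter; CSP is the real defence)"))

    if "content-security-policy" not in headers:
        findings.append(("Content-Security-Policy", "missing"))

    if "referrer-policy" not in headers:
        findings.append(("Referrer-Policy", "missing"))

    return findings


if __name__ == "__main__":
    for label, raw, https in (("before", RAW_BEFORE, False), ("after", RAW_AFTER, True)):
        print(f"--- {label} ---")
        results = audit(parse_head(raw), served_over_https=https)
        for header, problem in results or [("(none)", "all checks passed")]:
            print(f"{header}: {problem}")
```

To run it against your own site, save the output of `curl -sI https://www.example.com/` and pass it to parse_head; use served_over_https=False for a site still on plain HTTP, which is the situation the scanner describes when it caps the grade at A. Once the findings are fixed in your server configuration and the site rescans clean, keep the script around: a hosting provider's update or a new plugin can quietly put the Server version back.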

Are your passwords strong enough?

It is a good idea to use strong passwords, but how do you know if yours are strong enough? Length matters far more than symbols: a passphrase of several unrelated words beats a short password with a few substitutions. Online tools such as https://www.my1login.com/resources/password-strength-test/ will estimate strength, but never type a password you actually use into a third-party website; test something of the same shape instead, or use the checker built into a password manager. A password manager also takes care of the other rules: never use the same password on more than one site, and change a password promptly whenever you suspect it has been exposed, which matters far more than changing it on a fixed schedule.

Limiting the number of failed login attempts per account (and per IP address) is also good practice, because it turns password guessing from a matter of minutes into months. And never email a forgotten password: your site should only ever store a salted hash of each password, so there is nothing to send, and a reset should be done through a single-use, expiring link instead.
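As an added example (not code from this page or its author), here is how the two recommendations above look in application code: a per-account lockout that counts failed attempts inside a time window, and password storage that keeps only a salted PBKDF2 hash, so there is never a plain password to email. The account names, the "correct horse battery staple" test password, the 5-attempt/15-minute defaults and the 100,000 PBKDF2 iterations are this example's assumptions; the clock is injectable so that lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumed value; raise it as far as your server can afford


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Only this is stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


class ManualClock:
    """Test clock: time only moves when the caller advances it."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class LoginThrottle:
    """Lock an account after `max_failures` failed logins within `window` seconds.

    Counting is per account, so an attacker guessing one password cannot lock
    out everyone; a per-IP limit at the web server is a sensible second layer.
    A successful login clears the account's failure history.
    """

    def __init__(self, max_failures: int = 5, window: float = 900.0,
                 lockout: float = 900.0, clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self._locked_until[account]  # the lockout has expired
        return False

    def record_failure(self, account: str) -> bool:
        """Note a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            recent.clear()
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


# Hashed for unknown accounts too, so response time does not reveal which
# usernames exist. Its value is never accepted as a login.
_DUMMY_HASH = hash_password("not-a-real-password")


def attempt_login(throttle: LoginThrottle, users: Dict[str, bytes],
                  account: str, password: str) -> str:
    """Return 'ok', 'invalid' or 'locked'. `users` maps account name to a stored hash."""
    if throttle.is_locked(account):
        return "locked"  # checked before any password work, so guessing is cheap to refuse
    stored = users.get(account, _DUMMY_HASH)
    ok = verify_password(password, stored) and account in users
    if ok:
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account) else "invalid"


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, window=60, lockout=120, clock=clock)
    users = {"alice": hash_password("correct horse battery staple")}  # constructed account
    for guess in ("guess1", "guess2", "guess3", "correct horse battery staple"):
        print(guess, "->", attempt_login(throttle, users, "alice", guess))
    clock.now += 121
    print("after lockout ->", attempt_login(throttle, users, "alice", "correct horse battery staple"))
```

The lockout state here lives in memory, which is fine for a single server; behind a load balancer it would need to sit in a shared store so that attempts cannot be spread across instances. For a password reset, the same hashing applies: generate a random single-use token, store only its hash with an expiry, and send the token in the link.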

Conclusion

So now you know how secure your website is and some steps you can take to tighten up its security. Don’t rely on your hosting provider for your website security. Most providers will supply the website hosting space from a default setup and leave it up to you to make sure your website is secure. They will most likely charge to make any security improvements and all the hosting providers I have come across charge for an SSL certificate.

One final thing you should do is take regular backups of your website, keep them somewhere other than the web server itself, and try restoring one now and again. If the worst does happen and your website is hacked, then at least you have a known-good copy to restore from.

Note: Screenshots taken from https://securityheaders.io/.

About Paul Jacques

I’m Paul Jacques a Bradford, West Yorkshire based freelance web designer and developer. I aim to help you get the most from your website by providing affordable, search engine optimised, fast loading, mobile friendly and most importantly, secure websites.
