As internet usage has increased over the past decade, so have the instances of cybercrime. The FBI’s Internet Crime Complaint Center reported that $3.5 billion was lost to cybercrime globally in 2019 alone. As a result, users now understandably expect websites to take security seriously if they’re going to hand over their personal information. According to GlobalSign research, 48% of visitors check for security indicators on a website before giving any personal information, while just 2% said they never pay attention to security. It’s clear that if you want to gain your users’ confidence, you’ll need to be secure. Here’s how:
Page Encryption and HTTPS
HyperText Transfer Protocol, or HTTP, has long been the primary protocol for transferring information between a website and its users. However, HTTP sends everything in plain text, so anyone positioned on the network can read or alter your users’ data. HyperText Transfer Protocol Secure (HTTPS) protects this information from interception and tampering by encrypting the traffic between the browser and your site, but HTTPS doesn’t work alone. It needs a TLS (Transport Layer Security) certificate, formerly known as an SSL certificate. The certificate identifies your site and carries the key material the browser uses to set up an encrypted session shared solely with that user. Here’s how it works:
- The user types in your secure (https://) web address
- The user’s browser asks for your site’s TLS certificate
- Your site responds with the certificate, which carries the key the browser needs to set up encryption
- Once the user’s browser accepts the certificate, all further data between the browser and your site is sent encrypted
The most common type of TLS certificate is the extended validation certificate, which provides details such as the site’s ownership and geographic location. There’s also the domain validated certificate, which keeps identity and location secret, and the organization validated certificate, which includes additional details. Once a TLS certificate is installed, the process runs on its own with no additional effort on your part. With HTTPS in place, you’ll not only get added security, but you’ll also get a boost in your search rankings, as HTTPS has become a top priority for Google.
Mixed content occurs when a page served over HTTPS also loads resources (scripts, stylesheets, images, frames, or form targets) over plain HTTP, so the page has both secure and insecure elements. Most modern browsers will block this content or display a warning when encountering mixed content, which is a red flag for users. To prevent mixed content, review your site’s code to make sure every resource and redirect is loaded over HTTPS only.
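The review just described can be automated. The following scanner is an added example (not code from the original article): it reports every subresource URL in an HTML document that an HTTPS page would fetch over plain HTTP; the sample page and host names are constructed.

```javascript
// Added example (not the article's code): scan an HTML document for subresources
// that an HTTPS page would fetch over plain HTTP. Only attributes that trigger a
// fetch are checked; an ordinary <a href> link to an http:// site is not mixed content.
const SUBRESOURCE_ATTRS = {
  script: ['src'], img: ['src', 'srcset'], iframe: ['src'], link: ['href'],
  video: ['src', 'poster'], audio: ['src'], source: ['src', 'srcset'],
  object: ['data'], embed: ['src'], form: ['action'],
};

// Returns one { tag, attr, url } entry per insecure URL found, in document order.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    for (const attr of SUBRESOURCE_ATTRS[tag] || []) {
      const attrRe = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
      const a = attrRe.exec(m[2]);
      if (!a) continue;
      const value = a[1] ?? a[2] ?? a[3];
      // srcset is a comma-separated list of "url descriptor" candidates.
      const urls = attr === 'srcset' ? value.split(',').map((s) => s.trim().split(/\s+/)[0]) : [value.trim()];
      for (const url of urls) {
        // Only an explicit http: scheme is mixed content; relative and
        // protocol-relative (//host/...) URLs inherit https: from the page.
        if (/^http:\/\//i.test(url)) findings.push({ tag, attr, url });
      }
    }
  }
  return findings;
}

// Constructed sample page with three insecure loads (stylesheet, image, form action).
const SAMPLE_HTML = `<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/analytics.js"></script>
</head><body>
<img src="http://images.example.test/logo.png" alt="logo">
<a href="http://partner.example.test/">partner</a>
<form action="http://forms.example.test/submit" method="post"></form>
</body></html>`;
```

Run `findMixedContent(SAMPLE_HTML)` to get the three findings; the https:// script, the protocol-relative script, and the plain link are correctly left alone.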
Flash Vs. HTML5
Flash was once the standard for web animation, but its time and usefulness are fast running out, with Adobe, Google Chrome, and Firefox announcing they will no longer support Flash. The death knell for Flash began with the publication of Steve Jobs’ “Thoughts On Flash,” in which he criticized Flash’s incompatibility with Apple’s iOS. YouTube’s switch from Flash to HTML5 all but finished the job. Flash animation burdens users with downloading the latest update and runs slowly by today’s standards. But perhaps the biggest problem with Flash is that it renders as an opaque image, so text within a video won’t be picked up by Google’s search engine.
In contrast, HTML5 performs the same functions as Flash with faster speeds and universal browser compatibility. HTML5 also allows you to incorporate text, images, and interactive buttons into your videos, a feature unavailable in Flash. Do yourself a favor and ditch Flash in favor of HTML5. Nothing says “outdated website” like the presence of Flash animation.
Similarly, you’ll want to avoid other types of outdated technology on your site. Outdated technology often no longer receives security fixes and can serve as an easy entry point for hackers.
Proactive Security Policy
You don’t want to wait until something goes wrong before you start taking security seriously. A security breach has the potential to ruin your reputation, cost you customers, and cost you money. You can develop a proactive security policy first by training your staff to follow secure best practices, such as avoiding suspicious links and keeping passwords long, varied, and difficult to guess.
In terms of the backend, there are a few options to ensure your security goes above and beyond what most sites offer. The X-Powered-By header advertises the framework behind your site, which helps attackers pick attacks known to work against that framework; disable the header so it is not sent. The X-Frame-Options header helps protect against clickjacking, in which an attacker embeds your page in an iframe on their own site so that unwitting users click on elements they cannot see. Setting X-Frame-Options tells browsers not to render your pages inside frames on other sites. Libraries such as Helmet (for Node.js/Express) provide a one-stop shop of appropriate HTTP headers to protect web applications.
When a user visits a website, a small packet of information is sent from the website to be stored on their computer. These packets of information are known as cookies and can be used to help business owners keep track of the user’s behavior on the site. For example, if a user places an item in their shopping cart, cookies enable the item to stay in the cart even if the user clicks off the page. Cookies can also be used to keep a record of a user’s most recent visit or to record login information, so users don’t need to re-enter their password every time they visit the site. While “cookies” is used as a catch-all term, there are different types of cookies that perform different tasks and pose varying levels of security risk.
Session cookies are used to track a user’s behavior only when they actively navigate the website. Once they leave the site, the session cookie disappears. As a result, these cookies pose a lower security risk than more long-term cookies. Typically, session cookies are used to power e-commerce shopping carts and to control webpage elements during a user’s multi-page visit.
Persistent cookies are longer-term cookies that are tagged with an expiration date. These cookies are stored in a user’s browser even after they exit the site and are sent again whenever the user returns to the site. These cookies can be used to track users’ online behavior beyond the site that issued the cookie, as long as the other site includes a resource served by the original site. For example, clicking on an ad will enable the original cookie to track the user when they visit the ad’s site. This is the method that Google and Facebook use to create comprehensive logs of user behavior. Another example of a persistent cookie is the “remember me” option on most sites. The cookie enables the website to remember the user’s login information every time they visit the site.
First-Party vs. Third-Party Cookies
First-party cookies are those created by the site the user visits. This includes session and persistent cookies such as those remembering user login information. In contrast, third-party cookies are those added by a domain from outside the site, such as an ad network. The most common use of third-party cookies is tracking users who click on advertisements and associating them with the referring website. While third-party cookies are an omnipresent part of the modern internet and necessary to a degree, they also pose the highest security risk.
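The cookie types described in the last few paragraphs map directly onto Set-Cookie attributes. The following added example (not code from the article) builds session and persistent cookies with the protective attributes a site should set, and classifies any Set-Cookie header by type, third-party capability (SameSite=None) and missing protections; the cookie names and values are constructed.

```javascript
// Added example (not from the article): build Set-Cookie headers for session and
// persistent cookies with protective attributes, and classify a Set-Cookie header
// received from any site into the types described above.

// A cookie with no Max-Age/Expires is a session cookie; pass maxAgeSeconds to make
// it persistent. Secure is always set: the cookie must never travel over plain HTTP.
function buildSetCookie(name, value, { maxAgeSeconds, sameSite = 'Lax', httpOnly = true } = {}) {
  if (!/^[\w!#$%&'*+.^`|~-]+$/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'Secure'];
  if (httpOnly) parts.push('HttpOnly');         // page scripts cannot read it (limits XSS theft)
  parts.push(`SameSite=${sameSite}`);            // Lax/Strict block most cross-site sending (CSRF)
  if (maxAgeSeconds !== undefined) parts.push(`Max-Age=${maxAgeSeconds}`);
  return parts.join('; ');
}

// Parses a Set-Cookie header value and reports its type, whether it can act as a
// third-party cookie (SameSite=None), and the protections it lacks.
function classifyCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  const attrs = {};
  for (const item of rest) {
    const i = item.indexOf('=');
    attrs[(i < 0 ? item : item.slice(0, i)).toLowerCase()] = i < 0 ? true : item.slice(i + 1);
  }
  const persistent = 'max-age' in attrs || 'expires' in attrs;
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : 'missing';
  const warnings = [];
  if (!attrs.secure) warnings.push('missing Secure');
  if (!attrs.httponly) warnings.push('missing HttpOnly');
  if (sameSite === 'missing') warnings.push('missing SameSite');
  if (sameSite === 'none' && !attrs.secure) warnings.push('SameSite=None requires Secure');
  return { name, type: persistent ? 'persistent' : 'session', thirdPartyCapable: sameSite === 'none', warnings };
}
```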
Cookie Consent Platform
- If you allow paid advertisements or affiliate links on your site, you must disclose this information.
There are a few tools available to set up cookie consent platforms, such as Cookiefirst and Osano, which is open source. Tools like these ensure that you stay on the right side of the law regarding your cookie usage inside and outside the US. You can also use services such as Rocket Lawyer to create free customized privacy policies for your site.
3. Data Collection
According to a Pew Research poll, 79% of Americans said they were concerned about how their personal data is collected. And with high-profile data breaches like Equifax causing further concern, it’s extra important that you take the collection of your users’ data seriously.
You’re responsible for protecting the passwords entered by your users. The best way to prevent hackers from accessing these passwords is to make sure your login pages are secured with HTTPS. Hackers can intercept a password submitted over an unencrypted HTTP page, leaving your users’ information free to steal. Make sure all login forms are on HTTPS, especially those asking for any Personally Identifiable Information (PII) from your users.
If you want to go the extra mile, your site could also require 2-step authentication, which involves the user receiving a text message or email containing a code. The user then enters the code, along with their password, before they can access the site. You’ll need to evaluate whether this extra step is worth the effort on both your end and the user’s. But 2-step authentication can be effective, especially when users are providing important PII such as Social Security numbers.
- Allow pasting for input boxes, such as passwords — pasting makes web forms work well with password managers and reduces password overload.
- Explain how and why you collect data.
- Require individuals to give consent for their information to be collected and used.
- Explain consent in clear, unambiguous language.
- Explain to your users that they have the right to withdraw consent.
- Inform users which companies their data will be shared with, if any.
- Ensure all personally identifiable information is encrypted and not located within your database.
- Update your antivirus software, firewall, and malware protection.
- Create an emergency plan in the case of a data breach.
4. External Dependencies
When developers create new websites and apps, they regularly blend new code with pre-existing code from third-party libraries, known as external dependencies. Using third-party libraries can be a quick and easy way for developers to build websites and apps without the time-consuming task of writing new code. But you should be aware that using third-party libraries means giving up some degree of control, which can come with security risks. There’s no guarantee that a third-party library keeps its security measures up to date, and there’s often no way to tell, especially if the library is not open source. But that doesn’t mean you shouldn’t use third-party libraries at all.
- Use popular third-party libraries that have a large supporting community. These libraries tend to make regular updates and communicate with their community. You’ll also have fellow users to ask questions or express concerns.
- Use open-source libraries that provide access to the source code so you can identify any issues with quality or security loopholes.
- Make sure your chosen third-party libraries contain the correct licenses and specifications for whatever you intend to use the library for.
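A practical check for the points above, as an added example (not from the article): it audits a Node project’s declared dependencies against its npm lockfile for unpinned version ranges, entries without integrity hashes, packages fetched from outside the public registry (an assumed policy; sites using a private registry would adjust it), and licenses outside an allowlist. The package.json, lockfile and package names are constructed.

```javascript
// Added example (not from the article): audit declared dependencies against a
// package-lock.json (lockfileVersion 2/3 layout). The registry rule and license
// allowlist are assumed policies; adjust them to the project.
const ALLOWED_LICENSES = new Set(['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0']);
const REGISTRY = /^https:\/\/registry\.npmjs\.org\//;

// Returns a list of human-readable problems; an empty list means the audit passed.
function auditDependencies(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(declared)) {
    // Only exact versions are reproducible; ^, ~, * and dist-tags drift over time.
    if (!/^\d+\.\d+\.\d+$/.test(range)) problems.push(`${name}: unpinned range "${range}"`);
    if (!packages[`node_modules/${name}`]) problems.push(`${name}: not in lockfile`);
  }
  for (const [path, entry] of Object.entries(packages)) {
    if (path === '') continue;  // the root project's own entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    // Without an integrity hash, npm cannot detect a tampered tarball on install.
    if (!entry.integrity) problems.push(`${name}: no integrity hash`);
    if (entry.resolved && !REGISTRY.test(entry.resolved)) problems.push(`${name}: resolved from ${entry.resolved}`);
    if (entry.license && !ALLOWED_LICENSES.has(entry.license)) problems.push(`${name}: license ${entry.license}`);
  }
  return problems;
}

// Constructed sample project: lib-a is clean, lib-b and tool-c each have problems.
const SAMPLE_PKG = {
  dependencies: { 'lib-a': '1.2.3', 'lib-b': '^1.0.0' },
  devDependencies: { 'tool-c': 'latest' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-site' },
    'node_modules/lib-a': { version: '1.2.3', resolved: 'https://registry.npmjs.org/lib-a/-/lib-a-1.2.3.tgz',
      integrity: 'sha512-CONSTRUCTED-PLACEHOLDER', license: 'MIT' },
    'node_modules/lib-b': { version: '1.0.0', resolved: 'git+https://git.example.test/someone/lib-b.git',
      license: 'GPL-3.0-only' },
  },
};
```

Running `auditDependencies(SAMPLE_PKG, SAMPLE_LOCK)` reports six problems, all for lib-b and tool-c; the same function applied to the real `package.json` and `package-lock.json` (read with `JSON.parse`) gives a quick pre-release check.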