As internet usage has increased over the past decade, so have the instances of cybercrime. The FBI’s Internet Crime Complaint Center reported that $3.5 billion was lost to cybercrime globally in 2019 alone. As a result, users now understandably expect websites to take security seriously before they hand over their personal information. According to GlobalSign research, 48% of visitors check for security indicators on a website before giving any personal information, while just 2% said they never pay attention to security. It’s clear that if you want to gain your users’ confidence, you’ll need to be secure. Here’s how:
Page Encryption and HTTPS
HyperText Transfer Protocol, or HTTP, has long been the primary system for transferring information between a website and its users. However, HTTP is also highly insecure: it sends everything in the clear, which makes it easy for attackers on the network path to read or tamper with your users’ data. HyperText Transfer Protocol Secure (HTTPS) keeps that information safe from interference by encrypting the traffic, so an eavesdropper sees only unreadable ciphertext, but HTTPS doesn’t work alone. It needs a TLS (Transport Layer Security) certificate, formerly known as an SSL certificate. The TLS certificate is what establishes the encryption and provides the key material that is shared solely with the user. Here’s how it works:
- The user types in your secure web address
- The user’s browser asks for your site’s TLS certificate
- Your site complies and sends over a decryption code
- Once the user’s browser accepts, encrypted data is sent to the user
The most common type of TLS certificate is the extended validation certificate, which provides details such as the site’s ownership and geographic location. There’s also the domain validated certificate, which keeps identity and location secret, and the organization validated certificate, which includes additional details. Once a TLS certificate is installed, the process runs on its own with no additional effort on your part, apart from renewing the certificate before it expires. With HTTPS in place, you’ll not only get added security, but you’ll also get a boost in your search rankings, as HTTPS has become a top priority for Google.
Mixed content occurs when a page served over HTTPS loads some of its resources (scripts, images, stylesheets, redirects) over plain HTTP, leaving the page with both secure and insecure elements. Most modern browsers will block such content or display a warning when they encounter it, which is a red flag for users. To prevent mixed content, review your site’s code to make sure all elements and redirects are loaded over HTTPS only.
Flash Vs. HTML5
Flash was once the standard for web animation, but its time and usefulness are fast running out, with Adobe, Google Chrome, and Firefox announcing they will no longer support Flash. The death knell for Flash began with the publication of Steve Jobs’ “Thoughts On Flash,” in which he criticized Flash’s incompatibility with Apple’s iOS. YouTube’s switch from Flash to HTML5 all but finished the job. Flash animation burdens users with downloading the latest update and runs slowly by today’s standards. But perhaps the biggest problem with Flash is that it operates as an image, so text within a video won’t be picked up by Google’s search engine.
In contrast, HTML5 performs the same functions as Flash with faster speeds and universal browser compatibility. HTML5 also allows you to incorporate text, images, and interactive buttons into your videos, a feature unavailable in Flash. Do yourself a favor and ditch Flash in favor of HTML5. Nothing says “outdated website” more than the presence of Flash animation.
Similarly, you’ll want to avoid other types of outdated technology on your site. Outdated technology often no longer receives security updates, and an unpatched component can serve as an easy entry point for attackers.
Proactive Security Policy
You don’t want to wait until something goes wrong before you start taking security seriously. A security breach has the potential to ruin your reputation, lose customers, and cost you money. You can develop a proactive security policy first by training your staff to follow security best practices, such as avoiding suspicious links and keeping passwords long, varied, and difficult to guess.
On the backend, there are a few options to ensure your security goes above and beyond what most sites offer. Attackers often read the X-Powered-By header to learn which framework or server software your site runs and then pick attacks suited to it, so disable that header rather than advertise your stack. The X-Frame-Options header can help protect against clickjacking, the practice of attackers embedding your pages in hidden iframes on their own site so that unwitting users click on something other than what they see. Setting an X-Frame-Options header tells browsers not to render your pages inside elements such as iframes on other sites. Middleware such as Helmet provides a one-stop shop for the HTTP headers that protect web applications.
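Below is an added example, not code from the article or from the Helmet project, showing the header policy just described in plain Node.js with no dependencies: `applySecureHeaders` sets the anti-clickjacking header and strips X-Powered-By from a response, and `auditHeaders` flags a response that is missing such protection. The function names, the header values, and the extra headers beyond those named above (Strict-Transport-Security, X-Content-Type-Options, CSP frame-ancestors) are assumptions added here.

```javascript
// Added example (not from the article or from Helmet): a dependency-free Node.js
// helper that applies defensive response headers and an audit that flags weak or
// missing ones. The header values below are assumed policy choices, not the page's.

const SECURE_HEADERS = {
  // Refuse to be rendered inside any frame: the anti-clickjacking header.
  'X-Frame-Options': 'DENY',
  // Modern equivalent of X-Frame-Options, honoured by CSP-aware browsers.
  'Content-Security-Policy': "frame-ancestors 'none'",
  // Keep browsers on HTTPS for a year so downgrade attempts fail closed.
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  // Stop browsers from guessing a content type other than the declared one.
  'X-Content-Type-Options': 'nosniff',
};

// Headers that advertise what software the site runs; removing them denies fingerprinting.
const DISCLOSING_HEADERS = ['x-powered-by', 'server'];

// Apply the policy to a Node http.ServerResponse (anything with setHeader/removeHeader).
function applySecureHeaders(res) {
  for (const [name, value] of Object.entries(SECURE_HEADERS)) res.setHeader(name, value);
  for (const name of DISCLOSING_HEADERS) res.removeHeader(name);
  return res;
}

// Audit a plain object of response headers; returns a list of findings (empty means clean).
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  for (const name of DISCLOSING_HEADERS) {
    if (name in h) findings.push(`${name} discloses server software: ${h[name]}`);
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const csp = h['content-security-policy'] || '';
  if (!['DENY', 'SAMEORIGIN'].includes(xfo) && !/frame-ancestors/i.test(csp)) {
    findings.push('no clickjacking protection (X-Frame-Options or CSP frame-ancestors)');
  }
  if (!h['strict-transport-security']) findings.push('missing Strict-Transport-Security');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('missing X-Content-Type-Options: nosniff');
  }
  return findings;
}

// Constructed sample: the headers a stock Express app sends before any hardening.
const WEAK_RESPONSE = { 'X-Powered-By': 'Express', 'Content-Type': 'text/html; charset=utf-8' };
```

Wire `applySecureHeaders(res)` into the request handler before any body is written; `auditHeaders` can be run against the headers returned by a test request to confirm the policy actually reaches the browser.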