A hacked website represents a company that is not only closed for business, but also subject to potential finger-wagging in the media. As of 2019, every website should, at a minimum, be secured with an SSL certificate. More and more providers offer free SSL certificates, and installing them is becoming easier and easier, even for a layperson.
There are other best practices and recommended settings that companies of any size should follow, and those will be outlined below. This blog post is by no means comprehensive and your organization’s needs may differ from what is described below. For a unique assessment of your business’ approach to your website security setup and your organization’s overall security posture, please reach out to BizzSecure using the chat box in the bottom right-hand corner of your screen.
Setting a minimum TLS version of 1.1, for example, helps your website become compliant with PCI DSS 3.2. The minor drawback is that visitors must connect to your website using TLS 1.1 (or 1.2 or 1.3); browsers that only support TLS 1.0 will fail to connect. The good news is that most modern browsers have supported TLS 1.1 since late 2012. Enabling an even more modern protocol such as TLS 1.3 also lets your site use a feature called 0-RTT (zero round-trip time) resumption, which makes connections faster, especially for repeat visitors.
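To make the protocol-floor advice concrete, here is an added example (my own code, not from BizzSecure or the original post) that lints the `ssl_protocols` and `ssl_early_data` directives of an nginx-style server block. The two config snippets inside it are constructed for illustration; the TLS 1.1 floor and the TLS 1.2 baseline are the ones the text above discusses, and the 0-RTT replay note reflects how TLS 1.3 early data behaves.

```python
"""Lint the TLS protocol settings of an nginx-style server block.

Added example, not code from the original post: it reads the
`ssl_protocols` and `ssl_early_data` directives and reports anything that
conflicts with the advice above (no SSL or early TLS, TLS 1.2+ as the
modern floor, 0-RTT only with replay in mind). Both configs are constructed.
"""
import re

# Protocol names as nginx spells them, oldest to newest.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PCI_FLOOR = "TLSv1.1"          # floor the post ties to PCI DSS 3.2
RECOMMENDED_FLOOR = "TLSv1.2"  # modern baseline

WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_early_data on;
}
"""


def parse_directive(config, name):
    """Return the arguments of the first `name ...;` directive, or None if absent."""
    match = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), config, re.MULTILINE)
    return match.group(1).split() if match else None


def protocol_floor(config):
    """Oldest protocol version a config enables, or None if none is recognised."""
    protocols = parse_directive(config, "ssl_protocols") or []
    known = [p for p in protocols if p in PROTOCOL_ORDER]
    return min(known, key=PROTOCOL_ORDER.index) if known else None


def lint_tls_config(config):
    """Return a list of (code, message) findings for one server block."""
    findings = []
    protocols = parse_directive(config, "ssl_protocols")
    if protocols is None:
        findings.append(("no_explicit_protocols",
                         "ssl_protocols is not set, so the server default decides the floor; set it explicitly"))
        return findings
    for name in protocols:
        if name not in PROTOCOL_ORDER:
            findings.append(("unknown_protocol", f"unrecognised protocol name {name!r}"))
    floor = protocol_floor(config)
    if floor is None:
        return findings
    rank = PROTOCOL_ORDER.index
    if rank(floor) < rank(PCI_FLOOR):
        findings.append(("below_pci_floor",
                         f"{floor} is enabled; anything below {PCI_FLOOR} blocks PCI DSS 3.2 compliance"))
    elif rank(floor) < rank(RECOMMENDED_FLOOR):
        findings.append(("legacy_floor",
                         f"{floor} is the floor; compliant, but {RECOMMENDED_FLOOR} and newer is the modern baseline"))
    if "TLSv1.3" not in protocols:
        findings.append(("no_tls13", "TLSv1.3 is not enabled, so repeat visitors cannot use 0-RTT resumption"))
    early_data = parse_directive(config, "ssl_early_data")
    if early_data and early_data[0].lower() == "on":
        if "TLSv1.3" not in protocols:
            findings.append(("early_data_without_tls13", "ssl_early_data on has no effect without TLSv1.3"))
        else:
            findings.append(("early_data_replay",
                             "0-RTT is on: early-data requests can be replayed by a network attacker, "
                             "so the application must only act on them when the request is safe to repeat"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label)
        for code, message in lint_tls_config(cfg):
            print(f"  [{code}] {message}")
```

Run it as-is to see the weak block flagged for SSLv3 and the hardened block flagged only for the 0-RTT replay caveat; point `lint_tls_config` at the text of a real server block to check your own floor before changing it in production.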
One other feature that improves security, but must be implemented correctly to avoid frustrating users, is HTTP Strict Transport Security, more commonly known by the acronym HSTS. HSTS is a response header that enables a strict security policy in a visitor’s web browser. In so many words, it instructs the browser to always request your site over HTTPS, and it even sets a duration for that instruction. In human-readable terms, the website teaches visiting browsers, “In future visits, always request the site by HTTPS, and keep doing so for the next 12 months.” The frustrating consequence is that if your organization removes HSTS for any reason after, say, the first month, browsers will still remember that they were told to request the site only over HTTPS for 12 months. Those users cannot visit your site for the remaining 11 months unless the HSTS settings are reinstated. Clearly, careful planning is needed before implementing this powerful header, which helps ensure that downgrade attacks cannot occur.
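The lock-in described above is easiest to see by simulating the browser’s side. The following is an added example, not code from the original post: a small in-memory model of a browser’s HSTS policy cache that follows the header syntax and rules of RFC 6797. It replays the post’s scenario (a 12-month policy whose header is removed after a month) and also shows that serving `max-age=0` over HTTPS is the documented way to retract a policy before you turn HTTPS off. The hostname `example.com` and the month-based timestamps are constructed.

```python
"""Simulate how a browser records and applies an HSTS policy.

Added example, not from the original post. It models the behaviour the
text describes (the browser remembers "always use HTTPS" for max-age
seconds) with an in-memory policy store that follows RFC 6797.
Hostnames and timestamps are constructed.
"""

ONE_MONTH = 30 * 24 * 3600  # seconds; a rounded month is enough for the walkthrough


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age", "include_subdomains", "preload"}, or None when the
    mandatory max-age directive is missing or malformed.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # RFC 6797: directives the browser does not recognise are ignored
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Per-host HSTS cache: host -> (expiry time, include_subdomains)."""

    def __init__(self):
        self.policies = {}

    def observe_response(self, host, over_https, headers, now):
        """Update the cache from one response; HSTS over plain HTTP is ignored."""
        if not over_https:
            return
        header = headers.get("Strict-Transport-Security")
        if header is None:
            return  # dropping the header does NOT clear a stored policy
        policy = parse_hsts(header)
        if policy is None:
            return
        if policy["max_age"] == 0:
            self.policies.pop(host, None)  # max-age=0 retracts the policy
        else:
            self.policies[host] = (now + policy["max_age"], policy["include_subdomains"])

    def should_upgrade(self, host, now):
        """True if the browser would rewrite an http:// request to https://."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now >= expires_at:
                continue  # policy has aged out
            if candidate == host or include_subdomains:
                return True
        return False


def walkthrough():
    """Replay the post's scenario: 12-month policy, header removed after a month."""
    store = HstsStore()
    host = "example.com"  # constructed
    twelve_months = f"max-age={12 * ONE_MONTH}; includeSubDomains"
    results = {}
    # Month 0: the site serves HSTS with a 12-month lifetime.
    store.observe_response(host, True, {"Strict-Transport-Security": twelve_months}, 0)
    results["month_0"] = store.should_upgrade(host, 0)
    # Month 1: the operator removes the header. Browsers are told nothing.
    store.observe_response(host, True, {}, ONE_MONTH)
    results["month_2_after_removal"] = store.should_upgrade(host, 2 * ONE_MONTH)
    results["subdomain_month_2"] = store.should_upgrade("shop.example.com", 2 * ONE_MONTH)
    # Month 3: the orderly way out is to serve max-age=0 over HTTPS first.
    store.observe_response(host, True, {"Strict-Transport-Security": "max-age=0"}, 3 * ONE_MONTH)
    results["after_max_age_0"] = store.should_upgrade(host, 3 * ONE_MONTH)
    # Separately: an untouched policy expires on its own, and one sent over HTTP is ignored.
    untouched = HstsStore()
    untouched.observe_response(host, True, {"Strict-Transport-Security": twelve_months}, 0)
    results["month_13_expired"] = untouched.should_upgrade(host, 13 * ONE_MONTH)
    plain = HstsStore()
    plain.observe_response(host, False, {"Strict-Transport-Security": "max-age=60"}, 0)
    results["sent_over_http"] = plain.should_upgrade(host, 0)
    return results


if __name__ == "__main__":
    for step, upgraded in walkthrough().items():
        print(f"{step}: {'forced to HTTPS' if upgraded else 'plain HTTP allowed'}")
```

The two results worth noting are `month_2_after_removal`, which stays true even though the header is gone, and `after_max_age_0`, which shows the retraction that has to happen while HTTPS still works. Real browsers also ship a preload list that a `max-age=0` response cannot clear, so treat the `preload` directive as a separate, longer commitment.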
When it comes to technology changes, it is always best to measure twice and cut once. Development or test servers are handy for mimicking the production environment before pushing out a change that could have drastic effects on your business operations, even when it is made for all the right reasons, such as improving security. BizzSecure is here to help ensure that your website security is ready for the threats of today while being future-proofed for tomorrow’s challenges as well.