Security Information and Review

Collection of security information and review

Best Practices to Build Web Application More Secure

Author : Admin

In this discussion, we will learn best practices, tips and tricks to build web applications more securely. In the previous discussion, we learned how to protect web application files; here we look at protecting the web application in every section. We will discuss a set of best practices that, if followed, will result in better security for our web applications.

In our web applications, we often use authentication information to restrict access to our applications. The best practice for this situation is to store authentication data away from the web document tree and make sure our application reads authentication-related files from outside the web document tree. With this practice, these files are not browseable via the web. We also ensure that no other user has access to these files.

If we cannot store authentication files outside our web document tree for some reason, we must ensure the authentication files are not browseable via the web. This can be done by using file extensions and restricting those extensions from being served by the web server. Find more information on how to protect files with this option at How to Protect Web Application Files.

In our web application, we must change file permissions with chmod if we use a *nix operating system. We must set the permissions of PHP files in our web application to 600, .htpasswd files to 640, .htaccess files to 644, and to 400 if we don't want others to be able to see them.

When we use databases in our web applications, we must always create a limited-privilege user by following our database administration guide. This user should be allowed to access only the specific database that our application needs.

Another best practice for building a more secure application is to see our application errors before someone else does. An attacker can use error information to debug a broken application and find more holes. If we use PHP as the server-side scripting language in our web application, we can call the error_reporting() function on the very first line of our application. See more detail about this function in the following code.

<?php
 
// Turn off all error reporting
error_reporting(0);
 
// Report simple running errors
error_reporting(E_ERROR | E_WARNING | E_PARSE);
 
// Reporting E_NOTICE can be good too (to report uninitialized
// variables or catch variable name misspellings ...)
error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);
 
// Report all errors except E_NOTICE
// This is the default value set in php.ini
error_reporting(E_ALL ^ E_NOTICE);
 
// Report all PHP errors (see changelog)
error_reporting(E_ALL);
 
// Report all PHP errors
error_reporting(-1);
 
// Same as error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);
 
?>
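The snippet above only chooses which errors PHP reports; whether they are printed into the response is governed separately by display_errors. The following added example (not part of the original post) shows a production bootstrap that keeps full reporting for the log while never sending error detail to the browser; the log path and the generic message are assumptions.

```php
<?php
// Added example (not from the original post): production error handling for a PHP
// application. Reporting stays at E_ALL so problems are logged, but display_errors
// is turned off so that file paths, SQL fragments and stack traces are never sent
// to the browser. The log path is an assumption; keep it outside the web document tree.

declare(strict_types=1);

error_reporting(E_ALL);                               // report everything to the log
ini_set('display_errors', '0');                       // never echo errors to the client
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/myapp/php-error.log'); // assumed path, outside the web root

// Turn warnings and notices into exceptions so they cannot be silently ignored.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // error suppressed with @, fall back to PHP's own handling
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Last line of defence: log the real detail, show the user only a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred. Please try again later.';
});

// Demonstration: an undefined variable now produces a logged exception and a
// generic 500 page instead of a message containing the script path in the HTML.
echo $undefinedVariable;
```

Check the log file after a request to confirm the detail landed there and not in the response body.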

When we have an application that should be used by only a restricted set of users, we can use the web server's access control mechanism. If we use PHP, we can control access to the application with a PHP authentication technique or limit it by user in our database.

Mohamad Widodo

Categories: Web Application Security
Best security tricks, thanks for sharing with me.
18 October 09 at 22:09
Thanks for visiting.
20 October 09 at 14:44
If you like this post, please leave messages / comments.