Security Should Be Website Job #1
Website design, responsiveness, apps, performance, and cloud are the sexy topics these days. They get a lot of attention and we’ve helped hundreds of customers accomplish each of them. But whenever we are working directly with business customers or in partnership with another developer, we always make sure that website security is in the must-have list. For us, it’s just not an option … it has to be a top priority.
Having those kinds of conversations has become easier over the years. We’ve been writing and “preaching” about website security for years in our blog and through our series of white papers and resource guides. And every time the evening newscast leads with a story about a data breach or hacked website, the need to include security processes and practices in all aspects of website planning and maintenance becomes clearer. Fortunately, DNN is a great platform for implementing website security protocols. But where should you start?
Begin With SSL
Secure Sockets Layer (SSL) encrypts the traffic in both directions so that the site visitor and the website itself are the only parties to the conversation. The identity side of that conversation is vouched for by a trusted, neutral third party – the Certificate Authority (CA) – which verifies that the certificate really belongs to the website, so the visitor's browser can establish a secure, encrypted connection with the right server.
We did some research for our SSL implementation white paper a few months ago, and we found that 67% of all active websites do not even implement the most basic levels of encryption. This one fact alone is astounding – especially since Google implemented search penalties for unprotected websites earlier this year. Other large browsers and search companies quickly followed suit.
Key Takeaway: Implementing SSL security is no longer just a solid security best practice, it’s a business and marketing imperative.
SSL Certificates Are Not as Difficult as They Used to Be
Fortunately, acquiring an SSL certificate has become relatively easy. There are dozens of CA companies who can help, including global providers Symantec and VeriSign, among others. In fact, the last few years have seen the rise of open source and community-supported CA projects as well. For example, LetsEncrypt.org is a community-supported CA that provides SSL certificates at no charge. It is sponsored by developers and business owners – people like you and us – and also by some of the biggest tech companies around. Corporate sponsors include Facebook, Google, Shopify, Automattic, Mozilla, and dozens of others – so the service has the kind of backing it needs to remain a great resource.
Best Practices for Implementing SSL Encryption
Once you have acquired your SSL certificate, here’s what you need to do:
- Install your certificate as per platform instructions.
- Test all page content for mixed content – Make sure every script, stylesheet, image, and form on an HTTPS page is itself loaded over HTTPS. Browsers block or warn about anything still fetched over plain HTTP, and there are tools to help you find those references.
- Force all pages to use SSL – In DNN you will find a setting to help you achieve this.
- Set redirects – Links to previously unencrypted pages need to redirect to their newly encrypted counterparts.
- Implement HTTP Strict Transport Security (HSTS) – This response header tells browsers to use HTTPS for every request to your site for a set period, so they never fall back to an unencrypted connection.
- Use Google Fetch via the Search Console – When going from non-encrypted connections to SSL, Google interprets this as a site migration even if the site has not moved from one server to another. This action will keep your analytics data and alerts functioning properly.
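As an added example (not from the white paper or from IowaComputerGurus), a small Python script that performs three of the checks above offline: it scans a page for sub-resources still loaded over plain HTTP, verifies that a plain-HTTP request would be permanently redirected to the same path on HTTPS, and validates the Strict-Transport-Security header. The page markup, host names and headers are constructed placeholders.

```python
"""Offline checks for an SSL rollout: sub-resources still loaded over http
(mixed content), the http->https redirect, and the HSTS header. Sample input
is constructed; www.example.com is a placeholder host."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that load sub-resources. <a href> is left out on purpose: an
# http:// navigation link is handled by the redirect rule, not mixed content.
SUBRESOURCE = {("link", "href"), ("form", "action"), ("object", "data")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []  # findings: (tag, attr, absolute URL)
    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and (attr == "src" or (tag, attr) in SUBRESOURCE):
                absolute = urljoin(self.page_url, value.strip())  # resolves // and /path forms
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))

def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def redirect_ok(status, headers, request_url):
    """A plain-http request must get a permanent redirect to the same path on https."""
    target, source = urlsplit(headers.get("Location", "")), urlsplit(request_url)
    return status in (301, 308) and target.scheme == "https" and (
        target.netloc, target.path) == (source.netloc, source.path)

def hsts_ok(headers, minimum_age=31536000):
    """True when Strict-Transport-Security is present with max-age of a year or more."""
    directives = {}
    for part in headers.get("Strict-Transport-Security", "").split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    return directives.get("max-age", "").isdigit() and int(directives["max-age"]) >= minimum_age

SAMPLE_PAGE_URL = "https://www.example.com/Products"
SAMPLE_HTML = ('<link rel="stylesheet" href="http://www.example.com/Portals/0/site.css">'
               '<script src="//cdn.example.com/app.js"></script>'
               '<img src="/Portals/0/logo.png"><img src="http://images.example.com/banner.jpg">'
               '<a href="http://www.example.com/About">About</a>'
               '<form action="http://www.example.com/Contact"></form>')
if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("mixed content:", *finding)
    print("hsts ok:", hsts_ok({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

The protocol-relative script and the root-relative image resolve to HTTPS and are not reported; only the stylesheet, the banner image and the form action are flagged.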
Key Takeaway: Acquiring and installing your SSL certificate is not enough. Your site can still be insecure, incur liability, and suffer search penalties unless you implement security best practices.
Detailed Instructions, Code Samples, and Additional Security Best Practices
We have created a complete set of detailed instructions for each best practice listed above – including code samples – and put them in our white paper, titled “SSL Implementation and Website Security Best Practices.” In addition, it details three more best practices for basic website security beyond SSL. We have made this white paper available as a free resource to the community.
On our IowaComputerGurus white paper page you will find this paper along with several other free guides and white papers covering DNN, DNN EVOQ, ASP.NET, and MVC Core development topics. And as always, if you have any questions or need any help implementing SSL or other website security protocols … just ask. We are always happy to help.