Web Security Coding Tips

"Because all the firewalls in the world can't protect you from yourself."

  1. Never pass user-entered text as shell parameters!

  2. Don't do "dumb" reads of input into memory. Limit the number of characters you read into buffers.

  3. Don't assume the user has used the front-end to your pages.

  4. Validate all information passed in again and again.

  5. Never assume the client has used any client-side validation.

  6. Don't let users hijack your site--replace all potentially troublesome HTML characters before displaying them in HTML pages.

  7. SQL is dangerous--never pass in unchecked text as an SQL statement!

  8. Don't expose your source code.

  9. Don't expose the structure of your SQL.

  10. Don't expose your error messages.

  11. Send e-mail messages for all unexpected conditions to your developers.

  12. Disallow directory browsing and understand which files your web server will make accessible.

  13. Basic password authentication isn't secure.

  14. Turn off web server features you're not using.

  15. Know what's happening behind the scenes!
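As an added illustration of tips 6 and 7 (example code written for this page, not the author's), the snippet below puts the unsafe habit next to the safe one. It assumes Python's standard library only; the user table is constructed in-memory with sqlite3 so it runs offline.

```python
# Added example, not part of the original page: tips 6 and 7 side by side.
# The sample table below is constructed here so the script runs offline.
import html
import sqlite3


def setup_db():
    """Build a constructed in-memory table with a few sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("O'Brien", "obrien@example.com")])
    return conn


def find_user_unsafe(conn, name):
    """Tip 7 violated: unchecked text is glued into the SQL statement.

    A perfectly ordinary name such as O'Brien already changes the meaning
    of the statement, so the database sees user data as SQL syntax.
    """
    query = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Tip 7 followed: the value travels as a bound parameter, never as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    """Tip 6 followed: replace <, >, &, and quotes before the text hits HTML."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


if __name__ == "__main__":
    conn = setup_db()
    print(find_user_safe(conn, "O'Brien"))      # one row, as intended
    try:
        find_user_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:     # the quote broke the SQL
        print("unsafe query failed:", exc)
    print(render_greeting("<b>O'Brien</b>"))   # markup arrives as text
```

The same parameter binding works for any value the user controls (numbers, search terms, identifiers passed as values), which is the point of tip 7: the text never becomes part of the statement.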


Alan Eliasen, eliasen@mindspring.com