Your website is a critical component of your business. It provides access to your services and visibility for your products. However, cyber threats can compromise your website, harming your business operations, revenue and reputation. To reduce the likelihood and impact of threats, you should develop and maintain your website with security in mind. This publication provides some security and privacy protection measures to get you started.
Common threats to websites
Beware of the following common threats when developing and maintaining your website.
Injection attack
Injection attack is a general term for any exploitation in which a threat actor supplies untrusted input, such as malicious code, to a system in order to modify its operations or data.
Common examples of injection attacks include:
- Structured query language (SQL) injection: SQL injection occurs when a threat actor supplies malicious input through a web page field and that input is included in the SQL statements sent to the database. This typically happens where your website asks a user to log in or provide information. SQL statements control the database server, and if the injection succeeds, the threat actor can bypass authentication measures.
- Cross-site scripting (XSS): A threat actor uses XSS to compromise a web server and inject malicious code into trusted websites. When users visit the website, their browsers execute the script, putting cookies, session tokens, or sensitive information at risk. XSS attacks exploit the trust that a user has in a website.
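The two injection types above, shown side by side with their defences in an added example that is not part of the publication: the user table, names and password are constructed, and passwords are kept in plaintext only to keep the demonstration short.

```python
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table for the demonstration. Passwords are kept in
    # plaintext only to keep the example short; store salted hashes in practice.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # User input is pasted into the SQL text, so it can change the query's logic:
    # this is the injection the publication describes, and it can bypass authentication.
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders pass user input as data; the database never parses it as SQL.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

def render_comment(comment: str) -> str:
    # Output encoding for an HTML context: user-supplied markup is displayed, not
    # executed, which removes the foothold a stored XSS payload needs.
    return f"<p>{html.escape(comment, quote=True)}</p>"

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable accepts probe:", login_vulnerable(db, "alice", probe))        # True
    print("parameterized accepts probe:", login_parameterized(db, "alice", probe))  # False
    print(render_comment("<script>alert(1)</script>"))
```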
Cross-site request forgery attack
Cross-site request forgery (CSRF) is an attack that tricks users into executing unwanted actions in their browsers, such as logging out, downloading account information or uploading a site cookie. CSRF attacks exploit the trust that a website has in a user’s browser.
Denial-of-service attack
A denial-of-service attack aims to overwhelm a website with unnecessary traffic. This floods the server and can make services unavailable to actual users. A distributed denial-of-service (DDoS) attack uses multiple bots or botnets against a single target to cause an even greater disruption.
Adversary-in-the-middle attack
Adversary-in-the-middle (AitM) is an attack that intercepts the communication between two systems, for example between a user and a website server. The intention is to steal or change data within that communication. The threat actor can pretend to be one or both legitimate communicating parties to gain access to sensitive information, or insert themselves between the two parties and alter communications. Use of certificate-based Hypertext Transfer Protocol Secure (HTTPS) validates your website to users and establishes a confidential channel, which mitigates AitM attacks.
Malware attack
Any attack that distributes malicious software to cause harm, spread infections, or steal sensitive data. Malware can hide and linger on your website unnoticed and can negatively impact any user that visits your site. Examples of malware include viruses, trojans, ransomware and keyloggers.
Credential stuffing attack
A credential stuffing attack happens when threat actors use previously stolen credentials to try to log into an account. They continue their attempts until a match is found.
If your website is compromised, your organization is not the only one at risk; threat actors can also target your supply chain, affiliated organizations, and customers. To learn more about risks to supply chains, see Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070) and The cyber threat from supply chains.
Brute force attacks
Brute force attacks occur when threat actors make large numbers of login attempts, trying many character combinations, to log into a system or network.
Impact of artificial intelligence
Artificial intelligence (AI) is a fast-growing and complex technology that can increase website functionality but can also complicate and challenge common cyber security measures. AI and generative AI can be used by threat actors to intensify website attacks by quickly creating code, extracting large amounts of data, and spreading malware. However, AI can also boost security measures against these attacks.
This publication does not go into detail about AI, but it is important to stay well informed about AI’s development. Consult our guidance on artificial intelligence to learn more.
Developing and managing your website securely
Your website is the gateway between the Internet and your organization. Threat actors can exploit website vulnerabilities and misconfigurations to steal, alter, or delete sensitive data. This includes:
- vendor portals
- customer data
- sales leads
- operational and financial information
Stay one step ahead by reviewing the following aspects of your website. If you’re using a web service, you should discuss each of the topics below with your service provider.
Secure your web architecture
Secure your website’s architecture, including its elements, relationships, selected components and design principles. You should also apply principles like segregation and redundancy.
Segregate your web service components so that if one component is compromised, the others remain protected. You should also segregate your application server from your database to protect sensitive data.
Design your website with redundant (replicated) web service components. With redundancies, you can ensure that your operations continue if one component fails.
Require the use of HTTPS by default on your website and configure Transport Layer Security (TLS) to be used between all web service components. This ensures that sensitive data, like authentication data and proprietary information, is encrypted in transit. HTTPS uses the TLS protocol to encrypt and authenticate web page visits.
Implement strong authentication
Authentication refers to the mechanisms used to validate a user’s identity.
Implement a strong password and passphrase policy that includes multi-factor authentication (MFA) for additional security. Never send passwords in plaintext over the Internet. Instead, use hashes and encryption.
Hashing is a one-way function. It involves converting the data into a unique, fixed-length hash value. Hashing is a key component of cryptographic techniques used by browsers and systems to protect the integrity of transmitted data.
Encryption scrambles data so that only someone with the corresponding key can decipher it. This is a two-way function. Encryption makes use of a cipher, a type of algorithm, to scramble the data.
After a threshold of unsuccessful login attempts or other suspicious behaviour, lock accounts and delay logins. Ensure you have a secure account recovery process. See Developing your IT recovery plan (ITSAP.40.004) to learn more.
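One way to implement the lockout and login delay described above, as an added example that is not part of the publication: the threshold, lock duration and delay schedule are assumed values, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import time

# Constructed policy values (assumed; the publication gives no specific numbers).
MAX_FAILURES = 5          # consecutive failures before the account is locked
LOCKOUT_SECONDS = 900     # 15 minute lock
BASE_DELAY_SECONDS = 1.0  # delay doubles with each consecutive failure

class LoginThrottle:
    """Tracks failed logins per account and enforces a delay, then a lockout."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}       # username -> consecutive failure count
        self._locked_until = {}   # username -> clock time when the lock ends

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            # Lock has expired: reset counters so the user can try again.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def delay_before_next_attempt(self, username: str) -> float:
        # Exponential back-off: 0 s after no failures, then 1, 2, 4, 8 ... seconds.
        n = self._failures.get(username, 0)
        return 0.0 if n == 0 else BASE_DELAY_SECONDS * 2 ** (n - 1)

    def record_failure(self, username: str) -> None:
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if n >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS

    def record_success(self, username: str) -> None:
        # A successful login (after the delay, while not locked) clears the history.
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)
```

The login handler checks `is_locked` first, sleeps for `delay_before_next_attempt` before verifying the credential, then records the outcome.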
Define access control
Access controls define who can access what resources on your website and restrict what information they can see and use. Define specific access controls and implement the principle of least privilege to ensure that users only have the access needed to carry out their authorized functions.
Consider all web application access control layers, such as the Open Systems Interconnection (OSI) model’s application and presentation layers, data layer and network layer. Consider using the following types of permissions:
- URL based
- file system and server
- application business logic (what the user can do)
Identify access control layers in your coding standards and rigorously test them before deploying your web services.
Assess your service providers
If using a service provider, you may not have access to the infrastructure or control over the associated security functions. However, even when using a service provider, your organization is still legally responsible for protecting the confidentiality and integrity of your data.
Before contracting a service provider, review their data security and privacy protection capabilities and policies. Clearly define your organization’s and your service provider’s roles and responsibilities regarding security. You can use the sections in this document to guide your discussion with a service provider on their security capabilities.
Validate inputs
Input validation is the process of verifying that users and applications can only input properly formed data, such as in fields, forms, or queries.
All inputs on your website should be considered untrusted. Validate inputs within your web services, including:
- client browsers
- web application firewalls
- web servers
- databases
- application business logic
You should validate inputs as early as possible during the process to reduce strain on your servers. Test input validation during your development process.
Inputs should also be controlled. Enforce expected input lengths to prevent invalid values and limit free-form inputs to minimize the risk of script injection. Hide SQL error messages from end users, as these messages contain valuable information about your database.
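The controls in this section (expected lengths, limited free-form fields and hidden database errors) in an added example that is not part of the publication; the field rules and the order table are constructed assumptions.

```python
import re
import sqlite3

# Constructed field rules (assumed): an allow-list pattern plus a hard length limit.
# Free-form fields get only a length limit, which is what limits script injection room.
FIELD_RULES = {
    "username": (re.compile(r"[A-Za-z0-9_.-]{3,32}"), 32),
    "quantity": (re.compile(r"[0-9]{1,4}"), 4),
    "comment":  (None, 500),
}

class ValidationError(ValueError):
    pass

def validate(field: str, value) -> str:
    """Return the value if it is well formed, otherwise raise ValidationError."""
    if field not in FIELD_RULES:
        raise ValidationError(f"{field}: unexpected field")
    if not isinstance(value, str):
        raise ValidationError(f"{field}: expected text")
    pattern, max_len = FIELD_RULES[field]
    if len(value) > max_len:                     # enforce the expected length first
        raise ValidationError(f"{field}: too long")
    if pattern is not None and not pattern.fullmatch(value):
        raise ValidationError(f"{field}: malformed")
    return value

def lookup_order(conn: sqlite3.Connection, order_ref: str) -> dict:
    """Query wrapper: database errors are logged server-side, users get a generic message."""
    try:
        row = conn.execute("SELECT ref, status FROM orders WHERE ref = ?",
                           (order_ref,)).fetchone()
    except sqlite3.Error as exc:
        print(f"db error (logged only, never returned to the user): {exc}")
        return {"error": "Request could not be processed."}
    if row is None:
        return {"error": "Not found."}
    return {"ref": row[0], "status": row[1]}
```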
Review your security configurations
Although vendor-recommended security configurations generally provide a good baseline, these defaults may not provide the level of security needed to protect your systems and data from cyber threats. Be sure to review configurations to identify any vulnerabilities such as:
- unused ports or web services
- unprotected files
- unprotected directories
You should turn off directory browsing, as it provides insight on your website’s structure. Remove any unnecessary web operation files, such as source code or backup files that could contain passwords.
Deactivate browser credential caching. Although credential caching is convenient for users, it can put sensitive information at risk.
You should implement configuration management to promote secure coding and maintain baselines across your organization.
Manage your sessions securely
A session is an exchange of information between two or more entities, such as two devices or a user and a web server. Session management is the process of initiating, controlling, maintaining, and ending these exchanges. If sessions aren’t managed securely, threat actors can interrupt or hijack sessions to intercept data or impersonate authenticated users.
Randomize your session identifiers to prevent threat actors from inferring session identifier sequences. Session identifiers should have an acceptable minimum length to protect against brute force attacks.
Store sensitive session tracking data on web service servers with an appropriate retention period and destroy it at the expiry date. Expire session data when a user logs out or is inactive for a specified time.
Session cookies, also known as in-memory cookies, allow users to be recognized while they navigate the website, for example so that items stay in their carts while they shop. Use the secure cookie attribute to prevent cookies from being sent over an unencrypted channel.
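A server-side session store that follows this section (random identifiers of adequate length, expiry on logout and inactivity, the secure cookie attribute) and also issues the per-session token that defends against the CSRF attack described under Common threats; this is an added example, not code from the publication, and the timeout values and cookie name are assumptions.

```python
import hmac
import secrets
import time

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed: expire after 15 minutes without activity
MAX_LIFETIME_SECONDS = 8 * 3600  # assumed: absolute retention limit for session data

class SessionStore:
    """Server-side sessions: random IDs, idle and absolute expiry, CSRF tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user: str) -> str:
        # 256 bits from the OS CSPRNG: not guessable and not inferable from earlier IDs.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: str):
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if (now - s["last_seen"] > IDLE_TIMEOUT_SECONDS
                or now - s["created"] > MAX_LIFETIME_SECONDS):
            self.destroy(sid)                 # expired: destroy the tracking data
            return None
        s["last_seen"] = now
        return s

    def destroy(self, sid: str) -> None:
        # Called on logout as well as on expiry.
        self._sessions.pop(sid, None)

    def csrf_token_valid(self, sid: str, submitted: str) -> bool:
        # A state-changing request must carry the token issued to this session;
        # the comparison is constant-time.
        s = self.get(sid)
        return s is not None and hmac.compare_digest(
            s["csrf"].encode(), (submitted or "").encode())

def session_cookie_header(sid: str) -> str:
    """Set-Cookie value: Secure (HTTPS only), HttpOnly (no script access), SameSite."""
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```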
Secure your operations
Once your website is running, you need to prevent, identify, and respond to cyber threats and incidents. If possible, you should continuously monitor website activity for anomalous behaviours, such as repeated login or injection attempts. For example, in credential stuffing attacks, threat actors use leaked or stolen credentials and “stuff” them into login pages of other websites until matches are found.
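Monitoring for the anomalous behaviours named here (repeated login attempts, including credential stuffing, and injection probes) over a small constructed log, as an added example that is not part of the publication; the log format, thresholds and signature list are assumptions, and the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample log lines (assumed format; not taken from any real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice result=FAIL path=/login
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob result=FAIL path=/login
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol result=FAIL path=/login
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL path=/login
2024-05-01T10:00:03Z ip=203.0.113.5 user=erin result=FAIL path=/login
2024-05-01T10:00:04Z ip=203.0.113.5 user=frank result=FAIL path=/login
2024-05-01T10:00:10Z ip=198.51.100.7 user=alice result=OK path=/login
2024-05-01T10:01:00Z ip=198.51.100.9 user=- result=- path=/search?q=%27%20OR%201%3D1
2024-05-01T10:01:02Z ip=198.51.100.9 user=- result=- path=/search?q=%3Cscript%3E
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+) path=(?P<path>\S+)")
# Signatures of common injection probes, matched on the URL-decoded, lower-cased path.
INJECTION_SIGNATURES = ("' or ", "union select", "<script")
FAIL_THRESHOLD = 5            # assumed: failed logins from one source before alerting
DISTINCT_USER_THRESHOLD = 3   # assumed: distinct usernames tried from one source

def analyse(log_text: str) -> list:
    """Return (kind, source_ip, count) alerts for the behaviours above."""
    fails_per_ip, users_per_ip, probes_per_ip = Counter(), defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # tolerate lines in another format
        ip, user, result, path = m.group("ip", "user", "result", "path")
        if result == "FAIL":
            fails_per_ip[ip] += 1
            users_per_ip[ip].add(user)
        if any(sig in unquote(path).lower() for sig in INJECTION_SIGNATURES):
            probes_per_ip[ip] += 1
    alerts = []
    for ip, n in fails_per_ip.items():
        if n >= FAIL_THRESHOLD:
            # Many failures across many accounts is the credential stuffing pattern;
            # many failures against few accounts looks like brute force.
            many_users = len(users_per_ip[ip]) >= DISTINCT_USER_THRESHOLD
            alerts.append(("credential_stuffing" if many_users else "brute_force", ip, n))
    for ip, n in probes_per_ip.items():
        alerts.append(("injection_probe", ip, n))
    return alerts
```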
To promote the ongoing security and functionality of your web services, implement a patch management process to acquire, test, and install patches and updates on your systems and devices. Be sure to patch underlying systems, content management systems, web applications and plug-ins.
Include a security.txt file on your website. It provides a clear and standardized way for security researchers to report vulnerabilities. A security.txt file ensures that critical issues are communicated promptly and securely to your organization. This proactive approach helps protect your users and your organization by facilitating faster responses to potential threats.
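An example security.txt, added here rather than taken from the publication, in the format standardized by RFC 9116: the file is served at /.well-known/security.txt, the Contact and Expires fields are required, and every value below is a placeholder to replace with your organization's own.

```text
# Placeholder values: replace example.com and the addresses with your own.
Contact: mailto:security@example.com
Contact: https://www.example.com/report-a-vulnerability
Expires: 2026-01-01T00:00:00.000Z
Canonical: https://www.example.com/.well-known/security.txt
Preferred-Languages: en, fr
Policy: https://www.example.com/security-policy
```

Review the Expires date on a schedule; RFC 9116 asks reporters to treat the file as stale once that date has passed.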
You should also promote security awareness within your organization and with your customers. By being transparent about the steps that you are taking to protect data, you can foster trust with your partner organizations, supply chain and customers.
Reporting a cyber incident
If your organization is a victim of fraud, contact your local police and file a report online through the Canadian Anti-Fraud Centre’s online reporting system or by phone at 1-888-495-8501. Report cyber incidents online via the Cyber Centre’s My Cyber Portal.
Learn more
- Security considerations for your website (ITSM.60.005)
- Website defacement (ITSAP.00.060)
- Managing and controlling administrative privileges (ITSAP.10.094)
- Secure your accounts with multi-factor authentication (ITSAP.30.030)
- Protecting your organization against denial of service attacks (ITSAP.80.100)
- Distributed denial-of-service attacks—prevention and preparation (ITSAP.80.110)
- Protect your organizations from malware (ITSAP.00.57)
- Identity, credential, and access management (ICAM) (ITSAP.30.018)
- Top 10 Web Application Security Risks (Open Worldwide Application Security Project)