Security considerations when developing and managing your website (ITSAP.60.005)

Your website is a critical component of your business. It provides access to your services and visibility for your products. However, cyber threats can compromise your website, harming your business operations, revenue and reputation. To reduce the likelihood and impact of threats, you should develop and maintain your website with security in mind. This publication provides some security and privacy protection measures to get you started.

Common threats to websites

Beware of the following common threats when developing and maintaining your website.

Injection attack

Injection is a general term for any attack in which a threat actor supplies untrusted input, such as malicious code, to a system in a way that causes the system to interpret the input as a command or query, modifying its operations or data.

Common examples of injection attacks include:

  • Structured query language (SQL) injection: SQL injection occurs when a threat actor enters specially crafted input, typically through a login form or another web page field, that your application concatenates into a SQL statement. The database then executes part of the input as SQL rather than treating it as data. A successful attack can bypass authentication or read, modify or delete the contents of your database.
  • Cross-site scripting (XSS): A threat actor uses XSS to inject malicious script into pages served by a trusted website, for example through a comment field or a URL parameter that the site reflects back without encoding it. When users visit the affected page, their browsers execute the script in the site’s context, putting cookies, session tokens and other sensitive information at risk. XSS attacks exploit the trust that a user has in a website.
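The two injection examples above, shown in code. This is an added illustration and not code from the publication: a login check that concatenates user input into a SQL statement beside a parameterised version, and a comment renderer that reflects untrusted text into HTML beside one that escapes it. The in-memory database, its table and the sample account are constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one sample account (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # A real application stores a salted password hash here, never the password itself.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the statement by string concatenation: the user's input becomes SQL."""
    query = (
        f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised statement: the driver passes the values separately from the SQL
    text, so input is only ever compared as data and never parsed as part of the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_comment_unsafe(comment: str) -> str:
    """Reflects user content straight into the page: a stored or reflected XSS sink."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """HTML-escapes the untrusted value so the browser renders it as text, not markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"  # classic authentication-bypass payload typed into the password field
    print(login_vulnerable(db, "alice", bypass))  # True: the WHERE clause is always satisfied
    print(login_safe(db, "alice", bypass))        # False: the payload is just a wrong password
    payload = "<script>alert(document.cookie)</script>"
    print(render_comment_unsafe(payload))  # script tag reaches the browser intact
    print(render_comment_safe(payload))    # &lt;script&gt;... is displayed as text
```

With the payload in the password field, the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the count is non-zero and the login succeeds without a password. The parameterised query compares the same string against the stored value and fails.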

Cross-site request forgery attack

Cross-site request forgery (CSRF) is an attack that tricks an authenticated user’s browser into sending a request the user did not intend, such as changing account details, downloading account information or logging the user out. Because the browser automatically attaches the site’s cookies to the request, the website cannot distinguish the forged request from a legitimate one unless it checks for something the attacker cannot supply, such as a per-session anti-CSRF token. CSRF attacks exploit the trust that a website has in a user’s browser.
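An added example, not from the publication, of the standard defence against CSRF: a random per-session token that every state-changing form must echo back, checked with a constant-time comparison and backed by an Origin/Referer check. The session and form dictionaries, the site origin `https://shop.example` and the attacker origin `https://evil.example` are constructed for the example.

```python
import hmac
import secrets


def issue_csrf_token(session: dict) -> str:
    """Return the session's anti-CSRF token, creating a fresh random one on first use.
    The token is embedded in every state-changing form as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return session["csrf_token"]


def origin_is_trusted(headers: dict, site_origin: str) -> bool:
    """Secondary check: browsers attach Origin (or Referer) to cross-site requests,
    so a request forged from another site carries the attacker's origin."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer")
    if referer is not None:
        return referer == site_origin or referer.startswith(site_origin + "/")
    # Neither header present (some privacy settings strip them): rely on the token
    # check alone rather than locking those users out.
    return True


def validate_state_changing_request(session: dict, form: dict, headers: dict,
                                    site_origin: str) -> bool:
    """Accept a POST/PUT/DELETE only if it carries the token issued to this session
    and did not arrive from a foreign origin."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False  # missing, stale or foreign token: reject before touching any state
    return origin_is_trusted(headers, site_origin)


if __name__ == "__main__":
    site = "https://shop.example"
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    # Legitimate submission of a form the site rendered for alice.
    ok = validate_state_changing_request(
        session, {"email": "new@example.com", "csrf_token": token}, {"Origin": site}, site)
    # Forged submission from an attacker's page: the browser sends alice's session cookie,
    # but the attacker cannot read her token and the Origin header gives them away.
    forged = validate_state_changing_request(
        session, {"email": "attacker@example.com"}, {"Origin": "https://evil.example"}, site)
    print(ok, forged)  # True False
```

The token is the primary control; the origin check is defence in depth. Tokens must be tied to the session (a token from another user's session is rejected) and must never be placed in a URL, where they would leak through the Referer header.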

Denial-of-service attack

A denial-of-service (DoS) attack is any activity that makes a service unavailable to legitimate users, typically by overwhelming a website with unnecessary traffic or requests. This floods the server and can make services unavailable to actual users. A distributed denial-of-service (DDoS) attack uses many compromised machines (a botnet) against a single target to cause an even greater disruption.

Adversary-in-the-middle attack

Adversary-in-the-middle (AitM) is an attack that intercepts the communication between two systems, for example between a user’s browser and your web server. The intention is to steal or change data within that communication. The threat actor can impersonate one or both legitimate parties to gain access to sensitive information, or insert themselves between the two parties and alter what each one receives. Requiring certificate-based Hypertext Transfer Protocol Secure (HTTPS) authenticates your website to users’ browsers and establishes a confidential, integrity-protected channel, which mitigates AitM attacks.

Malware attack

A malware attack is any attack that distributes malicious software to cause harm, spread infections or steal sensitive data. Malware can hide and linger on your website unnoticed, for example in a compromised plug-in or an injected script, and can affect every user who visits your site. Examples of malware include viruses, trojans, ransomware (which denies access to a system or data until a sum of money is paid) and keyloggers.

Credential stuffing attack

A credential stuffing attack happens when threat actors use previously stolen credentials to try to log into an account. They continue their attempts until a match is found.

If your website is compromised, your organization is not the only one at risk; threat actors can also target your supply chain, affiliated organizations, and customers. To learn more about risks to supply chains, see Cyber supply chain security for small and medium-sized organizations (ITSAP.00.070) and The cyber threat from supply chains.

Brute force attacks

Brute force attacks are when threat actors make a large number of login attempts, systematically trying password or character combinations, until they find one that lets them into a system or network.

Impact of artificial intelligence

Artificial intelligence (AI) is a fast-growing and complex technology that can increase website functionality but can also complicate and challenge common cyber security measures. Threat actors can use AI and generative AI to intensify website attacks by quickly generating attack code, extracting large amounts of data and spreading malware. However, AI can also strengthen the security measures that defend against these attacks.

This publication does not go into detail about AI, but it is important to stay well informed about AI’s development. Consult our guidance on artificial intelligence to learn more.

Developing and managing your website securely

Your website is the gateway between the Internet and your organization. Threat actors can exploit website vulnerabilities and misconfigurations to steal, alter, or delete sensitive data. This includes:

  • vendor portals
  • customer data
  • sales leads
  • operational and financial information

Stay one step ahead by reviewing the following aspects of your website. If you’re using a web service, you should discuss each of the topics below with your service provider.

Secure your web architecture

Secure your website’s architecture: the components you select, the relationships between them and the design principles you apply. In particular, apply segregation and redundancy.

Segregate your web service components. If one component is compromised, the other components are protected because they have been segregated. You should also segregate your application server and database to protect sensitive data.

Design your website with redundancy in its web service components, that is, replicate them so that your operations continue if one component fails.

Require the use of HTTPS by default on your website and configure Transport Layer Security (TLS) between all web service components, not only between the browser and the front-end server. This ensures that sensitive data, such as authentication data and proprietary information, is encrypted in transit. HTTPS uses the TLS protocol to authenticate your server to the browser and to encrypt and integrity-protect each web page visit.

Implement strong authentication

Authentication refers to the mechanisms used to validate a user’s identity.

Implement a strong password and passphrase policy and require multi-factor authentication (MFA), which asks for an additional factor such as a one-time code or a fingerprint, for additional security. Never send or store passwords in plaintext. Protect them in transit with TLS (HTTPS) and store only a salted hash of each password, computed with a deliberately slow password-hashing function, so that a stolen database does not directly reveal your users’ passwords.

Hashing is a one-way function. It converts data of any length into a fixed-length hash value from which the original data cannot practically be recovered. Hashing is a key component of the cryptographic techniques that browsers and systems use to protect the integrity of transmitted data and, combined with a per-user salt and a slow algorithm, it is how passwords should be stored.

Encryption scrambles data in such a way that only someone with the corresponding key can decipher it. Unlike hashing, it is a two-way function: the key holder can recover the original data. Encryption uses a cipher, a type of algorithm, to scramble the data. It is the right tool for data that must be read back later, such as data in transit over TLS, but it is not a substitute for hashing when storing passwords.

After a threshold of unsuccessful login attempts or other suspicious behaviour, lock accounts and delay logins. Ensure you have a secure account recovery process. See Developing your IT recovery plan (ITSAP.40.004) to learn more.
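An added example, not from the publication, that covers both the password-storage point above and the lockout rule: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes in a self-describing format and verified in constant time, and an account is locked for a fixed period after a threshold of failed attempts. The in-memory `AuthService`, its thresholds and the injectable clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

PBKDF2_ITERATIONS = 600_000  # slow on purpose: every guess costs the attacker this much work
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as a self-describing string so the work factor
    can be raised later without breaking existing accounts."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare


class AuthService:
    """In-memory account store with account lockout after repeated failures."""

    def __init__(self, clock: Callable[[], float] = time.monotonic,
                 iterations: int = PBKDF2_ITERATIONS):
        self._clock = clock
        self._iterations = iterations
        self._users: Dict[str, str] = {}
        self._failures: Dict[str, Tuple[int, float]] = {}  # username -> (count, locked_until)
        # Verified for unknown usernames so response time does not reveal which accounts exist.
        self._dummy_hash = hash_password(secrets.token_hex(16), iterations)

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password, self._iterations)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'invalid' or 'locked'. Never says which of username/password was wrong."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"
        stored = self._users.get(username, self._dummy_hash)
        if verify_password(password, stored) and username in self._users:
            self._failures.pop(username, None)  # a successful login clears the failure count
            return "ok"
        count += 1
        if count >= LOCKOUT_THRESHOLD:
            self._failures[username] = (count, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "invalid"


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    print(svc.login("alice", "wrong"))  # invalid
    print(svc.login("alice", "correct horse battery staple"))  # ok
```

Account lockout alone can be turned against you: a threat actor who knows a username can lock that user out on purpose. Pair it with throttling per source address, MFA and monitoring, and make the recovery path as well protected as the login itself.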

Define access control

Access controls define who can access what resources on your website and restrict what information they can see and use. Define specific access controls and implement the principle of least privilege, giving each user only the set of privileges essential to their authorized tasks, so that the damage from an accidental, incorrect or unauthorized action is limited.

Consider all layers at which web application access control applies: the application and presentation layers, the data layer and the network layer. Consider using the following types of permissions:

  • URL based
  • file system and server
  • application business logic (what the user can do)

Identify access control layers in your coding standards and rigorously test them before deploying your web services.
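An added example, not from the publication, of two of the permission types listed above working together: a URL-based layer that maps routes to the permissions a role must hold (denying anything not explicitly listed), and a business-logic layer that decides which individual records a permitted user may see. The roles, permission names, routes and sample orders are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Role -> permissions. Each role gets only what its tasks require (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "customer": {"order:create", "order:read_own"},
    "support": {"order:read_any", "order:refund"},
    "admin": {"order:read_any", "order:refund", "user:manage"},
}

# URL-based layer: (method, path prefix, permissions of which any one suffices).
# First match wins; a request matching no rule is denied, so a new endpoint stays
# closed until someone deliberately opens it. More specific prefixes come first.
URL_RULES: List[Tuple[str, str, Set[str]]] = [
    ("POST", "/orders/refund/", {"order:refund"}),
    ("GET", "/orders/", {"order:read_own", "order:read_any"}),
    ("POST", "/orders/", {"order:create"}),
    ("GET", "/admin/", {"user:manage"}),
]


@dataclass(frozen=True)
class User:
    id: int
    role: str


@dataclass(frozen=True)
class Order:
    id: int
    owner_id: int


def permissions_for(user: User) -> Set[str]:
    return ROLE_PERMISSIONS.get(user.role, set())  # unknown role: no permissions at all


def allowed_by_url(user: User, method: str, path: str) -> bool:
    for rule_method, prefix, required in URL_RULES:
        if method == rule_method and path.startswith(prefix):
            return bool(permissions_for(user) & required)
    return False


def can_view_order(user: User, order: Order) -> bool:
    """Business-logic layer: the URL layer says a customer may read orders; this says which."""
    perms = permissions_for(user)
    if "order:read_any" in perms:
        return True
    return "order:read_own" in perms and order.owner_id == user.id


def get_order(user: User, method: str, path: str, orders: Dict[int, Order],
              order_id: int) -> Tuple[int, Optional[Order]]:
    """Both layers applied in order, returning an HTTP-style status."""
    if not allowed_by_url(user, method, path):
        return 403, None
    order = orders.get(order_id)
    if order is None or not can_view_order(user, order):
        # Same answer for "does not exist" and "not yours", so IDs cannot be probed.
        return 404, None
    return 200, order


if __name__ == "__main__":
    alice, carol = User(1, "customer"), User(3, "support")
    orders = {10: Order(10, owner_id=1), 11: Order(11, owner_id=2)}
    print(get_order(alice, "GET", "/orders/10", orders, 10)[0])  # 200: her own order
    print(get_order(alice, "GET", "/orders/11", orders, 11)[0])  # 404: someone else's
    print(get_order(carol, "GET", "/orders/11", orders, 11)[0])  # 200: support may read any
    print(allowed_by_url(alice, "GET", "/admin/users"))          # False
```

The record-level check is the one most often missing: a site that authorizes the `/orders/` route but then fetches whatever ID the user supplies lets any customer read any order simply by changing the number in the URL.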

Assess your service providers

If using a service provider, you may not have access to the infrastructure or control over the associated security functions. However, even when using a service provider, your organization is still legally responsible for protecting the confidentiality and integrity of your data.

Before contracting a service provider, review their data security and privacy protection capabilities and policies. Clearly define your organization’s and your service provider’s roles and responsibilities regarding security. You can use the sections in this document to guide your discussion with a service provider on their security capabilities.

Validate inputs

Input validation is the process of verifying that users and applications can only input properly formed data, such as in fields, forms, or queries.

All inputs on your website should be considered untrusted. Validate inputs within your web services, including:

  • client browsers
  • web application firewalls
  • web servers
  • databases
  • application business logic

You should validate inputs as early as possible during the process to reduce strain on your servers. Test input validation during your development process.

Inputs should also be controlled. Enforce expected input lengths and formats, preferably with an allow-list of what each field may contain, to prevent invalid values, and limit free-form inputs to minimize the risk of script injection. Hide SQL and other error messages from end users and log the details server-side instead, as these messages contain valuable information about your database and code.
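An added example, not from the publication, of the input controls described in this section: allow-list validation of form fields with length limits applied before anything else, rejection of bad input before the database is touched, and a lookup that logs database errors for operators while returning only a generic message to the user. The field names, limits, table and sample rows are constructed for the illustration.

```python
import logging
import re
import sqlite3
from typing import Dict, Optional, Tuple

log = logging.getLogger("webapp")

# Allow-lists: state what is permitted rather than trying to enumerate what is dangerous.
USERNAME_RE = re.compile(r"\A[a-z0-9_]{3,32}\Z")
EMAIL_RE = re.compile(r"\A[^@\s]{1,64}@[^@\s]{1,253}\Z")
QUANTITY_RE = re.compile(r"\A[0-9]{1,2}\Z")  # ASCII digits only; str.isdigit() accepts more
MAX_COMMENT_LEN = 500
MAX_QUANTITY = 99


class ClientError(Exception):
    """Carries the generic message shown to the user; the details stay in the server log."""


def validate_order_form(form: Dict[str, str]) -> Dict[str, str]:
    """Return field -> error message; an empty dict means every field is well formed."""
    errors: Dict[str, str] = {}
    if not USERNAME_RE.fullmatch(form.get("username", "")):
        errors["username"] = "3-32 lowercase letters, digits or underscores"
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        errors["email"] = "enter a valid email address"
    quantity = form.get("quantity", "")
    if not QUANTITY_RE.fullmatch(quantity) or not 1 <= int(quantity) <= MAX_QUANTITY:
        errors["quantity"] = f"whole number between 1 and {MAX_QUANTITY}"
    comment = form.get("comment", "")
    if len(comment) > MAX_COMMENT_LEN:  # length is checked before any other processing
        errors["comment"] = f"at most {MAX_COMMENT_LEN} characters"
    elif any(ch in comment for ch in "\x00\r"):
        errors["comment"] = "contains control characters"
    return errors


def find_user(conn: sqlite3.Connection, username: str) -> Optional[Tuple]:
    """Look up an already-validated username; database failures never reach the browser verbatim."""
    try:
        return conn.execute("SELECT id, username FROM users WHERE username = ?",
                            (username,)).fetchone()
    except sqlite3.Error as exc:
        log.error("user lookup failed: %s", exc)  # full detail for operators only
        raise ClientError("The request could not be completed. Please try again later.") from None


def handle_lookup(conn: sqlite3.Connection, username: str) -> Tuple[int, str]:
    """Request handler: validate first, then query, then map outcomes to safe responses."""
    if not USERNAME_RE.fullmatch(username):
        return 400, "invalid username"  # rejected before the database is touched
    try:
        row = find_user(conn, username)
    except ClientError as exc:
        return 500, str(exc)
    return (200, f"found {row[1]}") if row else (404, "no such user")


def make_users_db() -> sqlite3.Connection:
    """Constructed sample database for exercising the handler."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn


def make_broken_db() -> sqlite3.Connection:
    """Constructed database with no tables, to simulate a failing backend."""
    return sqlite3.connect(":memory:")


if __name__ == "__main__":
    print(validate_order_form({"username": "alice; DROP TABLE users", "email": "nope",
                               "quantity": "0", "comment": "x" * 501}))
    print(handle_lookup(make_users_db(), "alice"))    # (200, 'found alice')
    print(handle_lookup(make_broken_db(), "alice"))   # (500, generic message)
```

The generic message matters as much as the validation: a raw `no such table: users` or a stack trace tells a threat actor which engine you run and how your schema is named, which is exactly the information they need to refine an injection attempt.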

Review your security configurations

Although vendor recommended security configurations generally provide a good baseline, these defaults may not provide the level of security needed to protect your systems and data from cyber threats. Be sure to review configurations to identify any vulnerabilities such as:

  • unused ports or web services
  • unprotected files
  • unprotected directories

You should turn off directory browsing, as it provides insight on your website’s structure. Remove any unnecessary web operation files, such as source code or backup files that could contain passwords.

Deactivate browser credential caching. Although credential caching is convenient for users, it can put sensitive information at risk.

You should implement configuration management to promote secure coding and maintain baselines across your organization.
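An added example, not from the publication, of checking for two of the misconfigurations above: a scan of a web root for backup, source-control and working files that should never be reachable from the Internet, and a check that an Apache `.htaccess` file turns off directory browsing with `Options -Indexes`. The lists of risky names and the sample directory tree are assumptions constructed for the illustration; extend them to match your own stack.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Artefacts that should never be served from a web root.
RISKY_SUFFIXES = {".bak", ".old", ".orig", ".swp", ".sql", ".zip", ".tar", ".gz", ".log"}
RISKY_NAMES = {".env", ".htpasswd", "id_rsa"}
RISKY_DIRS = {".git", ".svn", ".hg", "backup", "backups", "node_modules"}


def scan_webroot(root: str) -> List[str]:
    """Walk a web root and report files and directories that leak structure or secrets."""
    findings: List[str] = []
    root_path = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root_path)
        for d in dirnames:
            if d in RISKY_DIRS:
                findings.append(f"exposed directory: {(rel_dir / d).as_posix()}")
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            if name in RISKY_NAMES or name.endswith("~"):  # editor backups end in ~
                findings.append(f"sensitive file: {rel}")
            elif Path(name).suffix.lower() in RISKY_SUFFIXES:
                findings.append(f"backup/working file: {rel}")
    return sorted(findings)


def directory_listing_disabled(htaccess_text: str) -> bool:
    """Apache: an uncommented 'Options' line containing -Indexes turns off directory browsing."""
    for line in htaccess_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        if line.startswith("Options") and "-Indexes" in line.split():
            return True
    return False


def build_sample_webroot() -> str:
    """Constructed directory tree standing in for a real deployment (sample content only)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<h1>hello</h1>",
        "app/config.php": "<?php // fine",
        "app/config.php.bak": "<?php $db_pass = 'sample';",  # leftover backup with a secret
        ".env": "DB_PASSWORD=sample",
        "dump.sql": "-- sample export",
        "notes.txt~": "scratch",
        ".git/HEAD": "ref: refs/heads/main",  # exposes source history
        ".htaccess": "Options -Indexes\n",
    }
    for rel, content in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for finding in scan_webroot(root):
        print(finding)
    print(directory_listing_disabled(Path(root, ".htaccess").read_text()))  # True
```

Run a scan like this as part of deployment, not only once: backup and editor files tend to reappear whenever someone edits in place on the server.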

Manage your sessions securely

A session is an exchange of information between two or more entities, such as two devices or a user and a web server. Session management is the process of initiating, controlling, maintaining, and ending these exchanges. If sessions aren’t managed securely, threat actors can interrupt or hijack sessions to intercept data or impersonate authenticated users.

Randomize your session identifiers to prevent threat actors from inferring session identifier sequences. Session identifiers should have an acceptable minimum length to protect against brute force attacks.

Store sensitive session tracking data on web service servers with an appropriate retention period and destroy it at the expiry date. Expire session data when a user logs out or is inactive for a specified time.

Session cookies, also known as in-memory cookies, allow users to be recognized while they navigate the website; for example, items stay in their carts while they’re shopping. Set the Secure cookie attribute to prevent cookies from being sent over an unencrypted channel, the HttpOnly attribute so that scripts running in the page cannot read the cookie, and a SameSite attribute to limit when the browser sends it with cross-site requests.
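An added example, not from the publication, putting the session rules of this section into code: identifiers drawn from the operating system’s CSPRNG (so there is no sequence to infer and brute force is impractical), session data kept server-side with both an idle and an absolute expiry, destruction on logout, identifier rotation after login, and a cookie carrying the Secure, HttpOnly and SameSite attributes. The `SessionStore` class, its timeouts and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60          # end the session after 30 minutes without a request
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # and in any case 8 hours after it was created


class SessionStore:
    """Server-side session store; the browser only ever holds the random identifier."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, dict] = {}

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 random bits, 43 URL-safe characters
        now = self._clock()
        self._sessions[sid] = {"user_id": user_id, "created": now, "last_seen": now}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return the session data if the identifier is valid and unexpired, else None."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self._clock()
        if (now - session["last_seen"] > IDLE_TIMEOUT
                or now - session["created"] > ABSOLUTE_TIMEOUT):
            self.destroy(sid)  # expired data is removed, not merely ignored
            return None
        session["last_seen"] = now
        return session

    def regenerate(self, sid: str) -> Optional[str]:
        """Give an existing session a new identifier (do this right after login) so an
        identifier a threat actor planted before authentication becomes worthless."""
        session = self.get(sid)
        if session is None:
            return None
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value for an in-memory session cookie. No Expires/Max-Age, so the browser
    drops it when closed; Secure keeps it off plain HTTP, HttpOnly keeps it away from
    scripts, SameSite=Lax stops it being sent with cross-site POSTs."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.regenerate(store.create("alice"))
    print(session_cookie(sid))
    print(store.get(sid)["user_id"])  # alice
    store.destroy(sid)
    print(store.get(sid))  # None
```

Keep the `HttpOnly` attribute in mind when reading the XSS threat above: it is the reason a script injected into a page cannot simply read `document.cookie` and hand the session to the threat actor.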

Secure your operations

Once your website is running, you need to prevent, identify, and respond to cyber threats and incidents. If possible, you should continuously monitor website activity for anomalous behaviours, such as repeated login or injection attempts. For example, in credential stuffing attacks, threat actors use leaked or stolen credentials and “stuff” them into login pages of other websites until matches are found.
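An added example, not from the publication, of the monitoring this paragraph describes: a detector that runs over login records and raises one alert when a single source address fails repeatedly against one account (brute force) and another when its failures are spread across many accounts (credential stuffing). The log format, the thresholds and the sample log lines (using RFC 5737 documentation addresses and made-up account names) are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample login log, one line per attempt.
SAMPLE_LOG = "\n".join(
    # one source trying a password against many different accounts: credential stuffing
    [f"2024-05-01T10:00:{i:02d} ip=203.0.113.7 user=user{i:02d} result=fail" for i in range(12)]
    # one source hammering a single account: brute force
    + [f"2024-05-01T10:05:{i:02d} ip=198.51.100.9 user=alice result=fail" for i in range(10)]
    # an ordinary user who mistyped once
    + ["2024-05-01T10:07:00 ip=192.0.2.5 user=bob result=fail",
       "2024-05-01T10:07:20 ip=192.0.2.5 user=bob result=ok"]
)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed format above; lines that do not match are ignored, never trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "user": m["user"], "result": m["result"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events: List[dict], window: timedelta = timedelta(minutes=5),
           fail_threshold: int = 8, distinct_user_threshold: int = 5) -> List[dict]:
    """Sliding window of failed logins per source IP. Many failures against one account
    is brute force; failures spread across many accounts is credential stuffing."""
    alerts: List[dict] = []
    recent: Dict[str, Deque[dict]] = defaultdict(deque)
    raised = set()  # alert once per (type, ip[, user]) rather than on every further failure
    for e in events:
        if e["result"] != "fail":
            continue
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop failures that fell out of the window
        per_user: Dict[str, int] = defaultdict(int)
        for f in q:
            per_user[f["user"]] += 1
        key = ("credential_stuffing", e["ip"])
        if len(per_user) >= distinct_user_threshold and key not in raised:
            raised.add(key)
            alerts.append({"type": key[0], "ip": e["ip"], "accounts": len(per_user), "at": e["ts"]})
        for user, n in per_user.items():
            key = ("brute_force", e["ip"], user)
            if n >= fail_threshold and key not in raised:
                raised.add(key)
                alerts.append({"type": key[0], "ip": e["ip"], "user": user,
                               "failures": n, "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The two patterns need different thresholds: stuffing shows a low failure count per account but many accounts per source, so counting only failures per account would miss it entirely. Real attacks also rotate source addresses, so in production you would additionally watch for the same pattern across a subnet or per account regardless of source.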

To promote the ongoing security and functionality of your web services, implement a patch management process to acquire, test, and install patches and updates on your systems and devices. Be sure to patch underlying systems, content management systems, web applications and plug-ins. Include a security.txt file on your website (a standardized file, defined in RFC 9116, served at /.well-known/security.txt). It gives security researchers a clear, standardized way to report vulnerabilities, so that critical issues are communicated promptly and securely to your organization. This proactive approach helps protect your users and your organization by enabling faster responses to potential threats.

You should also promote security awareness within your organization and with your customers. By being transparent about the steps that you are taking to protect data, you can foster trust with your partner organizations, supply chain and customers.

Reporting a cyber incident

If your organization is a victim of fraud, contact your local police and file a report online through the Canadian Anti-Fraud Centre’s online reporting system or by phone at 1-888-495-8501. Report cyber incidents online via the Cyber Centre’s My Cyber Portal.
