Ask HN: I'd like to learn more about programming secure websites
35 points by diN0bot on Nov 19, 2009 | 21 comments
I'd like to learn how to program secure websites. I use Django and have read the Django book (including chapter 20 on security). I'm more interested in SSL-type trust stuff than SQL injection, but I'm certainly not an expert on anything. Any weak link will break the chain, so please recommend whatever books you found helpful.

Thanks!




I am from a PHP background and here is the lowdown of how I worked my way from basic PHP security to advanced web application security (language-independent). I am sure it will help you in making a decision for yourself.

1. Essential PHP Security by Chris Shiflett: a light read at a little over 100 pages. PHP often picks up a lot of flak for being insecure. However, in the majority of cases it's not because of flaws in the PHP platform itself. It's because of certain design choices PHP made which make it easier for a novice developer to mistakenly write insecure code. Given a little care, these mistakes can be easily avoided. All the basic security stuff is covered, like forms and URLs, SQL injection, session and cookie security. The concepts covered in this book can easily be applied to other platforms, but apparently you don't want any of this information because you are already well-versed in it.

2. Pro PHP Security by Chris Snyder and Michael Southwell: Covers most of what you are looking for, namely the perils of shared hosting, safe development practices, encryption, SSL and SSH, HTTP and HTTPS, access control and authentication. Of course the book is inclined towards PHP, but most of the concepts are language neutral and you can easily extrapolate them to another language of your choice.

3. Foundations of Security by Neil Daswani et al.: The blurb on the first page speaks for itself: "What every programmer needs to know about security, with running examples of web applications and stories of what's gone wrong in the past." Mostly language neutral, but the sample code is implemented in Java. Comprehensive. Recommended.

4. A bunch of videos at http://code.google.com/edu/security/index.html helped too.


Thanks for the resources. This is great!


http://www.owasp.org should be the first place you look.


We lived and died by the OWASP recommendations at the bank that I used to work at. It's certainly a good place to start.


Thanks. That kind of recommendation is exactly what I was hoping for.


Depends what you mean by "secure": do you mean protecting against attacks or do you mean impenetrable transfer and storage of information?

For protecting against attacks, the absolute rule is: Never trust anything that the user has provided. This includes form submission, URLs for requests (i.e. it could be a malformed URL), the HTTP headers, the cookies, etc. They are all vectors for an attack. The corollary to this is: validate everything. From here, you can start learning more about the creative ways your app can be exploited.

For securely transferring and storing information, you'll need to look at encryption strategies like SSL and hashes (for, e.g., passwords) and the like.

Of course we can only point you in the general direction. This is a very big topic!
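The "hashes (for, e.g., passwords)" part of the comment above, as an added example that is not the poster's code and not Django's own password hasher: a salted, iterated password hash (PBKDF2-SHA256 from the Python standard library) stored as a self-describing record, verified with a constant-time comparison, plus a check for records that were hashed with a now-too-low iteration count. The record format, the field names and the iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not Django's implementation): a salted, iterated password
# hash stored as "algorithm$iterations$salt$digest", so the stored record
# carries everything needed to verify later and to spot records made with
# an iteration count that has since been raised.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: choose a count that costs tens of ms on your hardware
SALT_BYTES = 16


def make_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt and return the encoded record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # per-user salt: identical passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def check_password(password: str, encoded: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = encoded.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:
        return False                    # malformed record: never accept
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)   # no early exit on the first differing byte


def needs_rehash(encoded: str) -> bool:
    """True when a record should be re-hashed on next login (old algorithm or fewer iterations)."""
    try:
        algorithm, iterations_text, _salt, _digest = encoded.split("$")
        iterations = int(iterations_text)
    except ValueError:
        return True
    return algorithm != ALGORITHM or iterations < ITERATIONS
```

The point of storing the iteration count in the record is that hardware gets faster: raise `ITERATIONS`, and `needs_rehash` tells you which users to re-hash the next time they present a correct password.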


True. I am at once torn between consuming this large topic and beefing up the few links in the chain that I am currently working on. I'm looking forward to getting some of the above mentioned books from the library sometime, yet I also know I'm on a tight schedule and it's hard enough to sneak engineering goodness tasks into each iteration (tests get on fine, though).

Getting my server hacked into is certainly on my mind, as I set up the server myself only out of necessity and poverty (if not financial then creative and social). I really want the data to remain private.

I have form submission secured. Not only does Django escape input into SQL, but I have a pre-save signal that removes HTML tags. One concern I do have is that when a form has an error in it, the page is reloaded with the previously entered form values. I believe Django templates always escape variables, but I should try writing JavaScript there just to make sure.

Django also stores salt + hashes of user passwords, rather than the passwords themselves. Django also puts non-critical information in session cookies. The real data gets looked up in the view middleware.
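The comment above relies on two layers against script injection: a tag stripper run before save, and template escaping at output. The following is an added example (mine, not the poster's code or Django's own `strip_tags`) showing why the output layer is the one to rely on: a naive single-pass regex stripper, of the kind people write ad hoc, can be fed an input that becomes a tag only after stripping, while escaping at the output boundary renders the stored value harmless whatever it contains. The function names and the profile snippet are illustrative.

```python
import html
import re

# Constructed example: a single-pass "remove anything that looks like a tag"
# sanitiser. The regex only matches innermost <...> runs, which is exactly
# what lets a nested payload reassemble into a tag after one pass.
TAG_RE = re.compile(r"<[^<>]*>")


def strip_tags(value: str) -> str:
    """Input sanitising: remove tags in one pass (deliberately naive)."""
    return TAG_RE.sub("", value)


def escape_for_html(value: str) -> str:
    """Output escaping for HTML text and double-quoted attribute context."""
    return html.escape(value, quote=True)


def render_profile(display_name: str) -> str:
    """Template boundary: escape at output regardless of what was stored."""
    return f'<p class="name">{escape_for_html(display_name)}</p>'


# Constructed payload: stripping "<script>" and "</script>" once leaves the
# surrounding fragments, which join up into a working script tag.
TRICKY = "<scr<script>ipt>alert(1)</scr</script>ipt>"


def sanitised_then_rendered(value: str) -> str:
    """What ends up on the page if you strip on save and still escape on output."""
    return render_profile(strip_tags(value))
```

Running `strip_tags(TRICKY)` yields `<script>alert(1)</script>`, so a stripper alone would have stored a live payload; `sanitised_then_rendered(TRICKY)` contains no `<script` because the output escaping catches it. Stripping can still be useful for data hygiene, but the property you actually need is escaping at every output context (text, attribute, URL, JavaScript) rather than cleanliness of what was stored.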


A lot of suggestions would tell you how to write secure sites, but if you really want the guts, learn how to break the site.

Go to the library and pick up some network security books, and focus on the website security sections (SQL injection, exploiting the parameters sent to a website, learning a site's structure from its error messages, SSL, domain spoofing). For one, this is actually a lot of fun, but more importantly, now you'll always be thinking about how to exploit the code you write, and doing so will allow you to realize mistakes very quickly.


Good overview of the issues you'll need to deal with: (read the paper, not so much the class notes)

http://pdos.csail.mit.edu/6.893/2009/schedule.html


One question that I find particularly perplexing: what is supposed to be secured over HTTPS vs HTTP? Should the entire site be HTTPS? Including media? Why do some folks talk about hybrids? Is it for performance?


HTTPS encrypts the connection between the client and the server, so login pages and all backend/control panel pages should be HTTPS.

Reason being, someone between the client and the server can sniff the traffic. If it is HTTPS it will be encrypted; if not, plain as day. Hence login pages usually redirect you over to an HTTPS login page: when you log in you don't want to send your username and password pair to the server in plaintext!

What's funny is people often still send their email creds to their email server without being encrypted either...

Your whole site should not use HTTPS unless all of the data or functionality on that site is sensitive. Pretty simple rule of thumb: public facing pages use HTTP and login pages + anything behind them use HTTPS.


Total noob question, but I'll ask it anyway: is there any coding that has to be done to do HTTPS, or is it as simple as linking to the same page with https in the front?


I also feel that I should point out: Putting forms behind SSL does not absolve you of secure coding guidelines! SSL does not influence whether or not your webapp is vulnerable to traditional injection and logic flaw attacks.


While that is true, the OP said he was interested in learning more beyond just SQL injection etc...

Which brings me to your second subject: logic flaws. That is probably the most common security flaw of all. It has been made worse by the fact that most "web developers" don't actually understand logic or the full implications of structured programming.

It is compounded by a lack of understanding of system fundamentals too; it's quite common amongst developers I have met not to know why "0123" comes out as "83" in any scripting language built atop C (Python and PHP are popular examples). (Hint for those that don't know: C interprets integer literals with a leading zero as an octal number.)


Haha. This is so true. I have no doubt the biggest problems we'll face with early product iterations are our own bugs rather than malicious third parties :-)

We'll do the best we can to get both fronts up to snuff before the general public gets a stab at us.


You need to have an SSL certificate, and your webserver has to have the appropriate modules and such installed and accept requests on port 443.


There's server configuration, but not "coding" as traditionally defined.


One thing to remember is that some browsers will complain if your HTTPS page loads other files (css, js, etc.) over HTTP. Be sure to do some testing in that regard.

I highly recommend the Slicehost articles. They've been indispensable for me and there are some good ones on SSL/HTTPS server setup:

http://articles.slicehost.com/tags/ssl


Good reminder. I've used Slicehost to help set up servers before, even though I happen to use Linode (early recommendation from a friend who got me into web dev to begin with). I really like the Slicehost community.


One would typically serve media and static content via HTTP because of performance, and probably more importantly, easier caching architecture as it's impossible to cache TLS'ed content outside the web server.

You might want to serve some personally-identifiable or sensitive data via HTTPS if you have the resources. At the very least, you should authenticate via HTTPS, which is what a lot of services do.


Thanks for all the advice.

I've chosen to make the entire site HTTPS and redirect HTTP to HTTPS. The reason being that performance doesn't seem to take a big hit, and while things like caching and moving to multiple servers will be harder, if we get to that point then re-writing some of this code will be fine (whereas it is not fine now when we just want to get some user testing done).

I'm using Django. The move for some pages to be accessed via HTTPS means accounting for redirects more intelligently. E.g., {% url login %} should produce https://... while {% url static_page %} should produce http://... There is a Django snippet for middleware that allows one to provide an SSL flag.

Still... if one is visiting https://mysite.com/A and then moves to https://mysite.com/B, then won't the browser alert them to the move? It should, but that provides the wrong viewing experience... I guess, once a user logs in, the rest of their visit to the site should be over HTTPS, even the static pages that non-logged in users view over HTTP?

Alternatively, I care less about the users that log in and more that the API used by my Firefox extension to communicate with my server is conducted over HTTPS. That's where I started, but once I made that HTTPS it was a slippery slope for the rest of the site :-)
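The redirect-everything-to-HTTPS setup from the comment above, together with the hybrid question raised earlier in the thread, as an added example that is not the poster's code and not the Django middleware snippet they mention. It is a plain WSGI middleware (no Django needed) that sends plain-HTTP requests to their HTTPS equivalent, optionally leaves an allow-list of path prefixes such as static media on HTTP, and marks every cookie set over HTTPS with the Secure attribute, so a logged-in session cookie is never sent along with whatever HTTP requests remain. Two assumptions are built in: the canonical hostname comes from configuration rather than from the client's Host header, and X-Forwarded-Proto is only meaningful when your TLS-terminating proxy overwrites it on every request.

```python
from typing import Callable, Dict, Iterable, List, Tuple
from urllib.parse import quote

Headers = List[Tuple[str, str]]


def _with_secure_flag(cookie: str) -> str:
    """Append '; Secure' to a Set-Cookie value unless it already carries the attribute."""
    attrs = [part.strip().lower() for part in cookie.split(";")]
    return cookie if "secure" in attrs else cookie + "; Secure"


class ForceHTTPS:
    """WSGI middleware: redirect HTTP to HTTPS except for allow-listed path prefixes."""

    def __init__(self, app: Callable, host: str, plain_prefixes: Iterable[str] = ()):
        self.app = app
        self.host = host                              # assumption: canonical host from config
        self.plain_prefixes = tuple(plain_prefixes)   # e.g. ("/static/",); empty means whole site

    @staticmethod
    def _is_https(environ: Dict) -> bool:
        # Behind a TLS-terminating proxy the original scheme arrives in
        # X-Forwarded-Proto; trust it only if the proxy sets it unconditionally.
        return (environ.get("wsgi.url_scheme") == "https"
                or environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https")

    def __call__(self, environ: Dict, start_response: Callable):
        path = environ.get("PATH_INFO", "") or "/"
        if self._is_https(environ):
            def start_secure(status: str, headers: Headers, exc_info=None):
                # Mark every cookie Secure so the browser never sends it over plain HTTP.
                fixed = [(name, _with_secure_flag(value) if name.lower() == "set-cookie" else value)
                         for name, value in headers]
                return start_response(status, fixed, exc_info)
            return self.app(environ, start_secure)
        if path.startswith(self.plain_prefixes):      # startswith(()) is always False
            return self.app(environ, start_response)
        query = environ.get("QUERY_STRING", "")
        location = f"https://{self.host}{quote(path)}" + (f"?{query}" if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]


# Constructed demo app and call helper so the middleware can be exercised offline.
def demo_app(environ: Dict, start_response: Callable):
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/")])
    return [b"hello"]


def call(app: Callable, environ: Dict) -> Tuple[str, Headers, bytes]:
    """Invoke a WSGI app with a minimal environ and return (status, headers, body)."""
    captured: Dict[str, object] = {}

    def start_response(status: str, headers: Headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    site = ForceHTTPS(demo_app, "example.test", plain_prefixes=("/static/",))
    print(call(site, {"wsgi.url_scheme": "http", "PATH_INFO": "/login", "QUERY_STRING": "next=/home"}))
    print(call(site, {"wsgi.url_scheme": "https", "PATH_INFO": "/login"}))
```

With an empty `plain_prefixes` this is the whole-site-HTTPS choice from the comment; with `("/static/",)` it is the hybrid others in the thread describe, and the Secure cookie attribute is what keeps the hybrid from leaking the session when a logged-in browser fetches those HTTP assets.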




