Anyone who sits at a computer for hours should know how potentially dangerous that can be. Your digital life carries tons of information and clues about your personal life; identity and data theft are always a threat. Hackers wait for us to make a mistake or leave a workstation unattended.
With good judgment and some helpful software, we can mitigate some of that risk. Here’s a look at some basic security suggestions for web designers, along with a couple of more advanced safety tips.
1. Stay Updated
It is important to maintain the latest updates for your operating system, programs, and plugins. While this may seem obvious to some, others may need a gentle reminder. Despite what it may feel like sometimes, software updates don’t happen just to annoy you.
Frequent software updates can be a sign that a software developer is looking out for your online safety. If you see frequent software updates, it might be because of recently discovered security vulnerabilities. Take security seriously, and don’t dismiss these helpful updates.
Why do it?
Updates aren’t just for new bells and whistles, although many include streamlined features and beta features that will make your programs easier to use or your OS more responsive. The “behind the scenes” portion of the update – security fixes for vulnerabilities that are already public and often already being exploited – is the most important.
You’re getting the latest version of that favorite software, after all. It’s like buying a TV in 2012 and getting an improved one in 2013 – with new or improved features – just by clicking “OK” when it asks if you want to update.
Unfortunately, not all software makers send out automatic updates. Where a program offers automatic updates, turn them on; for the rest, you can keep track of all your updatable programs with FileHippo Update Checker. FileHippo will scan your system for installed software and tell you which versions are out of date. It’s lightweight, at 155kb. Whatever tool you use, download the updates it points you to from the vendor’s own site, since fake “update” downloads are a common way to deliver malware.
2. Secure your computer
Many web designers choose Mac computers over Windows-based machines. Although Apple’s computers have a good reputation when it comes to virus and malware protection, Internet security for Macs still isn’t anything to leave to chance.
There are many low-cost or free antivirus and anti-malware solutions for all computer types.
To lose drafts of your resume and vacation photos on your computer because of a computer virus is sad enough. Imagine if you lost the hours of work put in for web design because your computer wasn’t as secure as it could have been.
Why do it?
Even mild malware costs you something, if only performance. It works silently, too, and can make changes to your system, capture saved passwords and session cookies, and spread to other computers on your network without your knowledge. Your personal information and your work are at risk, as are your clients’ sites if your credentials are taken.
Don’t stop at the native Mac or Windows disk encryption (FileVault, BitLocker): that protects files at rest if the laptop is stolen, not your traffic. A VPN such as Hotspot Shield encrypts your traffic between your machine and the VPN provider’s server, which keeps others on a public Wi-Fi network from reading or tampering with it; it’s useful from home (or work) too. Remember that the VPN provider can see that traffic, so it is no substitute for HTTPS on the sites you log in to.
3. Create strong passwords
Some web design professionals take this seriously; for others, it bears repeating. It’s tempting to use one password for all online accounts, but your security solution becomes a house of cards. If one password is hacked, the rest of your digital life is at risk.
Why do it?
They’re the first line of defense for your computer and all your data. Treat eight characters as the bare minimum; longer is better, and length does more for you than an extra symbol. Attackers sometimes get in by brute force, which means they run every combination of characters, and every extra character multiplies the number of combinations they have to try. Complexity in your password means protection.
Use a line from a song, such as “carry on my wayward son” as Conmwaywards and add !10 at the end for added complexity. You’ve incorporated a familiar Kansas rock song, and added a symbol and a number, as well as the capital C, to a password of more than eight characters.
That’s reasonably strong against pure brute force. Don’t use this exact example, though, and keep in mind that attackers’ wordlists include song lyrics and the usual suffixes like “!10”; a password manager that generates a different random password for every site is stronger still, and it solves the reuse problem at the same time.
4. Don’t get specific with error messages
There are plenty of ways for hackers to get into your website using nothing more than brute force. Some web design habits might actually help them. When an attempt is made to log in to your website, and the attempt fails, do you know what error message pops up for the user?
You might want to take a look.
This type of error message should be as unspecific as possible. For example, don’t reveal that the hacker has already successfully guessed one of the fields. Error messages should read “Incorrect username or password.” It’s simple, and doesn’t give the hacker clues.
Why do it?
If your message says the password was incorrect, the attacker learns that the username is valid (username enumeration) and can concentrate guesses on it. Response time can leak the same thing: if a request for an unknown user returns instantly while a real user triggers a password hash check, the attacker doesn’t need your message at all, so do the same amount of work either way.
If you are using Ruby on Rails with Simple Form, you can change default error messages in the translation file, which is found here:
In the initializer config/initializers/simple_form.rb, you can also override the options for HTML generation. Note that Simple Form only controls the per-field messages your forms render; the message your login action returns on a failed attempt comes from your own authentication code (or the locale file of the authentication library you use), so check that text too.
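Here is what the advice in this section looks like in a plain Ruby login check, as an added example that is not from the original article or from Simple Form. The verbose version tells the caller which field was wrong; the generic version returns the same message and does the same password-hashing work whether or not the username exists, and compares hashes in constant time. The user table, the usernames and the passwords are constructed for the demo; the PBKDF2 parameters are assumptions, not a recommendation from the page.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 100_000   # PBKDF2 work factor (assumed value); raise it as hardware gets faster
KEY_LEN = 32

# Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, never in the clear.
def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, "sha256")
end

def make_user(password)
  salt = SecureRandom.random_bytes(16)
  { salt: salt, hash: hash_password(password, salt) }
end

# Constructed in-memory "user table" (demo data, not a real application).
USERS = { "alice" => make_user("correct horse battery staple") }.freeze

# Dummy record used for unknown usernames so a failed login performs the same
# PBKDF2 computation whether or not the username exists; otherwise response
# time alone tells an attacker which usernames are real.
DUMMY_USER = make_user(SecureRandom.hex(32)).freeze

GENERIC_ERROR = "Incorrect username or password."

# Constant-time comparison: run time does not depend on where the first
# differing byte is, so an attacker cannot home in on the hash byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# BAD: the message (and the early return) reveals whether the username exists.
def login_verbose(username, password)
  user = USERS[username]
  return [false, "No such user."] unless user
  return [false, "Wrong password."] unless secure_compare(hash_password(password, user[:salt]), user[:hash])
  [true, "Welcome, #{username}."]
end

# GOOD: same message and same amount of work whichever field was wrong.
def login_generic(username, password)
  user = USERS.fetch(username, DUMMY_USER)
  ok = secure_compare(hash_password(password, user[:salt]), user[:hash])
  ok &&= USERS.key?(username)   # the dummy record can never log anyone in
  ok ? [true, "Welcome, #{username}."] : [false, GENERIC_ERROR]
end

if __FILE__ == $PROGRAM_NAME
  p login_verbose("bob", "anything")    # leaks that "bob" does not exist
  p login_generic("bob", "anything")    # generic message
  p login_generic("alice", "wrong")     # same generic message
end
```

In a Rails app the same idea applies inside your sessions controller: look the user up, fall back to a dummy hash when the lookup fails, and render one flash message for every failure path.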
5. Be careful with file uploads
Many websites allow users to directly upload files. Do so with caution. Although most user uploads serve a specific purpose, such as image uploads on sites such as Facebook or Flickr, unscrupulous people can sometimes take advantage of security vulnerabilities.
Your website needs to restrict uploads to specific, approved file types, such as .jpg or .docx, and it must check the content of the file, not just its name: an attacker can rename a script to photo.jpg or use a double extension such as shell.php.jpg. Anything else could be an executable file with malicious software attached.
Why do it?
Getting code onto your server is the first step of an attack. An unrestricted file upload lets an attacker place that code there himself. The consequences of malicious code on your system range from simple defacement to total system takeover.
Files such as .jpg or .docx are not executed by the web server, so they usually don’t hand an attacker a way in; the libraries that parse them have had their own bugs, though, which is one more reason to keep them updated (tip 1).
When possible, store uploaded files in a directory outside the web root, under a name your server generates, so a file can never be requested or executed directly by URL. Validate on the server: check the size, the extension and the file’s actual content (its leading bytes). Client-side validation is a convenience for your users only, since an attacker sends requests to your server without ever using your form. Consider a web vulnerability scanner such as Acunetix to catch what you missed.
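The following Ruby code is an added example of those checks and is not from the original article. It identifies the file by its leading bytes (the “magic number”) rather than by the extension or the Content-Type the browser sent, rejects content that doesn’t match the claimed extension, and writes the file under a random server-generated name into a directory you pass in (assumed to be outside the web root). The allowed-type table, the size limit and the sample files are constructed for the demo.

```ruby
require "securerandom"
require "fileutils"
require "tmpdir"

# Allowed types, identified by their leading bytes, not by the extension or the
# client-supplied Content-Type. A .docx is a ZIP container, so its signature only
# proves "some ZIP file"; treat that type with extra care (scan it, never unpack it
# without limits).
MAGIC = {
  "jpg"  => ["\xFF\xD8\xFF".b],
  "png"  => ["\x89PNG\r\n\x1A\n".b],
  "docx" => ["PK\x03\x04".b],
}.freeze

MAX_BYTES = 5 * 1024 * 1024   # assumed limit for the demo

# Returns the type name whose signature the bytes start with, or nil.
def detect_type(bytes)
  data = bytes.b
  MAGIC.each do |type, sigs|
    return type if sigs.any? { |sig| data.start_with?(sig) }
  end
  nil
end

# Validates and stores an upload. Raises ArgumentError for anything suspicious and
# returns the stored path. upload_dir must be outside the web root; the file gets a
# random name, so the client-chosen name (and any double extension) never reaches
# the filesystem.
def store_upload(original_name, bytes, upload_dir)
  raise ArgumentError, "file too large" if bytes.bytesize > MAX_BYTES
  ext = File.extname(original_name).delete_prefix(".").downcase
  raise ArgumentError, "extension not allowed: #{ext.inspect}" unless MAGIC.key?(ext)
  detected = detect_type(bytes)
  raise ArgumentError, "content does not match extension" unless detected == ext
  FileUtils.mkdir_p(upload_dir)
  path = File.join(upload_dir, "#{SecureRandom.hex(16)}.#{ext}")
  File.binwrite(path, bytes)
  path
end

# Convenience wrapper returning [:ok, path] or [:rejected, reason].
def try_store(original_name, bytes, upload_dir)
  [:ok, store_upload(original_name, bytes, upload_dir)]
rescue ArgumentError => e
  [:rejected, e.message]
end

# Constructed sample "uploads" (not real files).
GOOD_JPEG  = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b + ("\x00" * 64).b
PNG_BYTES  = "\x89PNG\r\n\x1A\n".b + ("\x00" * 64).b
ZIP_BYTES  = "PK\x03\x04".b + ("\x00" * 32).b
FAKE_JPEG  = "<?php system($_GET['cmd']); ?>".b   # a script renamed to .jpg

if __FILE__ == $PROGRAM_NAME
  dir = Dir.mktmpdir("uploads-demo")
  p try_store("photo.jpg", GOOD_JPEG, dir)      # [:ok, "<dir>/<random>.jpg"]
  p try_store("shell.php.jpg", FAKE_JPEG, dir)  # rejected: content mismatch
  p try_store("shell.php", FAKE_JPEG, dir)      # rejected: extension not allowed
  p try_store("photo.jpg", PNG_BYTES, dir)      # rejected: a PNG claiming to be JPEG
end
```

Checking the first bytes defeats the renamed-script trick above, but it is not a malware scan: a valid JPEG can still carry an exploit for a buggy image library, which is why the files should never be served or processed from a location the web server can execute.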
Brian has published in a variety of technical publications over the years, has presented at numerous conferences and events and has served as a technical editor on a number of books.
You can read Brian’s blog archive with 9+ years of content at remotesynthesis.com (he still posts, infrequently). You can find a full list of Brian’s past publications and presentations. Follow Brian on Twitter @remotesynth.