Or web application security, or, more generally, system security, is a conglomerate of mechanisms and practices aimed at protecting the integrity and privacy of the system and its users. There are many layers of security, and many ways to look at them. This document looks at security from the position of the website/web application developer (i.e. it is less relevant for web/database server administrators).
Scope of this work
This tutorial is mainly addressed to independent and (semi-)professional web developers creating their own frameworks, CMSs or web applications, for use in low or middle-value systems, as an aid to implementing at least the basic security features in their work.
Although this guidance applies to high-value systems (usually those dealing with critical personal data and real financial transactions), please acknowledge that high-value systems are something that is best left to expert teams using tried and tested enterprise security solutions.
The solutions presented will be mostly generic (i.e., not specific attack counter-measures), aimed at creating a secure environment able to resist most threats. Furthermore, in practice, this tutorial targets the notorious Linux – Apache – MySQL – PHP (LAMP) stack.
Limitations and disclaimer
I am an enthusiastic independent web developer, doing this job for 5 years now, time during which I have learned about security issues the hard way, by means of personal (bitter) experience, and realized the importance of keeping up to speed with matters of website/web application security. That, in turn, led to some pretty extensive research. This tutorial is the product of this experience and learning, and it also serves as a helper and reminder for myself. Think of it as a set of student revision notes in the matters of security.
This tutorial will not describe security threats in too much detail, as it is not a hacking tutorial, but will try to outline the best practices to avoid those threats.
I’m not a security expert, and some of the advice I offer may seem naive or too basic to the security expert. Also, despite my best efforts, it may be plain wrong. Again, this work is not intended for that level of expertise. Should an experienced web developer or security engineer read this, and should he/she find any mistakes or inadvertences, I would indeed appreciate their input and cherish their opinion.
That said, use the information provided here at your own risk, and do not forget to cross-reference it with as many authoritative sources as possible.
Appeal to hackers: please do not attempt to hack this website just to prove that I don’t practice what I preach. I already know that, and you’ll probably succeed, so take this note as my unconditional and preemptive surrender. Thank you.