Creating Secure Websites and Forms: What You Need to Know
Creating a website that has “secure” components requires more than slapping together some web pages and adding an SSL Certificate. All a certificate does is create a thin veneer of security. It does not go very far to protect whatever sensitive data necessitated security in the first place. In fact, naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.
So, beyond paying big bucks to hire a developer with significant security expertise, what do you do? Start with this article. Its purpose is to shed light on many of the most significant factors in creating secure websites and forms and what you can do to address them. At a minimum, reading this article will help you intelligently discuss your website security with the developers that you ultimately hire.
What is Involved In Creating Secure Websites and Forms?
Website security is a deep and complex topic. We will only be hitting some of the high points. The focus of this article is to address the issues involved with creating secure websites and forms. What could be simpler, right?
Well, not quite. Here are some of the issues that need to be considered:
- SSL – Is the website and form secured so that data is safely transmitted from the end user? Is your website form page itself protected with SSL so as to prevent tampering with its contents? (Here we use “SSL” as the common term used for TLS: SSL vs TLS … what is the difference?)
- Web page content – Is the HTML content sent to the end user protected from Cross Site Scripting (XSS) issues and does it avoid loading objects insecurely and/or from third parties?
- Script Security – Are the scripts or programs that process the submitted data written with security in mind? Do they have any vulnerabilities?
- Infrastructure – Is the website hosting provider you are using trusted and known for good security? Are you on a shared server when you should be on a dedicated one?
- The Data – What do you do with the data once it is submitted? Is that data secured?
- Tracking – Do you track events such as access to and submission of data?
- Archival and Backup – Are there processes in place to make backups and permanent archives of important data?
SSL – Web Security Starts Here
An SSL Certificate is absolutely required for creating a secure website and form. The SSL Certificate allows:
- The data sent to and from your web server and your users to be encrypted so it can’t be eavesdropped on or tampered with.
- Your users to trust that they are connecting to your website securely.
An SSL certificate on a properly configured web server provides encryption of your website data as it flows to and from your end users.
To get an SSL certificate, you can either order one directly from a third party or contact your web hosting provider to see if they can obtain one for you. In either case, your web host will need to install the certificate on the server where your website is hosted, and then you will need to make changes to your site to take full advantage of the secure channel that you have added.
SSL and Encryption
The most significant reason that people use SSL to secure their website is to encrypt the data transmitted between their website and the end user. When the end user visits a page of yours that is protected by SSL, their web browser communicates with the web server over a secure channel, so all data transmitted is sent over this encrypted channel. This helps to prevent eavesdropping and “man-in-the-middle” attacks on the data (more on these below).
Without SSL encryption, there is little or no protection of the data. See also: How Does Secure Socket Layer (SSL or TLS) Work?
SSL and Trust
The most overlooked and misunderstood aspect of SSL is the establishment of trust. That is, enabling your end users to trust that they are connecting to your actual website. What else could they be connecting to, you may ask?
- Someone with access to the network between the end user and your site could be trying to intercept and read all the web traffic and/or alter your website pages themselves (e.g. changing your forms to submit the data to them instead of to you). This is called a man-in-the-middle attack. Even with SSL security, a man-in-the-middle can present the end user with an SSL Certificate for your domain name that looks legitimate (i.e. like a forged ID card).
- The users could be visiting another website that is pretending to be yours. This phishing website could be trying to collect information from your users for their own purposes. Unless your users can identify that this site is not legitimate, they could be duped into revealing personal information. How could they end up at a phishing website like this? This can happen by clicking on a link emailed to them in a malicious email or by visiting a misspelled version of your URL. No site is immune from such attacks, but you can work to mitigate them.
How can your SSL Certificate help mitigate the possibility of eavesdropping, man-in-the-middle, and phishing?
SSL Certificates are signed by a third-party authority, the so-called “Certificate Authority.” This can be:
- You, if you sign your own certificates.
- A respected third party issuing:
- A cheap or free certificate validating only your domain.
- A more expensive “Extended Validation” certificate that also validates your organization.
If you sign your own certificates, then your website will generate trust warnings when anyone comes to visit it. These can be dismissed on a per-visitor basis if the visitor chooses to permanently trust your self-signed certificate. However, this is never recommended for a public website. Self-signed certificates provide no inherent trust that they are legitimate (anyone can generate one and pose as your site). They look amateurish and they are annoying to the end user. Self-signed certificates should only be used in internal or test environments.
When ordering a certificate from a trusted third-party authority (e.g. Comodo or Verisign), there are various types of certificates that you can order. The cheap ones merely send an email to your domain contact, and if you can click on a link there, you get the certificate. These “domain validated” certificates are fine and provide great security; however, as no humans are involved in the validation process, it may be easier for an attacker to get an illegitimate certificate.
You can also order Extended Validation certificates. They cost more because real people actually validate your organization and your ownership of the domain. They make phone calls and ensure that everything looks right. If you have one of these certificates, then the address bar of your browser turns green when visitors come there to indicate that “hey, this is a really trusted site!” If you want to maximize trust and make it very easy for your end users to identify your site as legitimate and to be able to easily tell if someone is trying to trick them with a fake certificate, you will want to use an Extended Validation certificate. These cost more but are well worth it in terms of the security and trust that they provide. See: Extended Validation (EV) SSL Certificates.
If EV certificates are outside of your budget, you should still use an SSL certificate from some trusted third party.
Securing your Web Form with SSL
Once your website has an SSL Certificate and it has been installed by your web host, your web pages can be accessed with addresses that start with “https://” instead of just “http://.” The “s” in “https” means “secure.” Note:
- When you are connected to a web page using a secure address like “https://yourdomain.com,” the web browser will show a “lock” icon to let you know that the connection is secure.
- Web pages that end in “.shtml” are not necessarily secure. The “s” means “server” (i.e. server-parsed page) and not “secure.” So, for example, “http://yourdomain.com/index.shtml” is not a secure page, but “https://yourdomain.com/index.html” is a secure page.
- In many default web server configurations that have SSL enabled, you can access the same page both securely and insecurely. I.e. both “http://yourdomain.com/form.html” and “https://yourdomain.com/form.html” work and show the form — the only difference being the use of SSL or not.
So, let’s say that you have a web form located at “http://yourdomain.com/form.html.” You have an SSL Certificate and your web host has installed it. Next you want to:
- Make sure people connect securely to your form page.
- Make sure that no one can connect to your form page insecurely.
These two goals might sound the same, but they are not.
Make sure people connect securely to your form page
Since your regular web site pages may be insecure, you need to make sure that the links to your secure form page are absolute links starting with the prefix “https://.” This will ensure that anyone clicking on these links will be taken to your form page on a secure connection.
The best solution is to use HSTS (HTTP Strict Transport Security), which tells browsers that they should always use the secure version of your web site. If you choose to have both the insecure (http) and secure (https) versions of your site running at the same time (not recommended), then you need to be careful with your links so that your sensitive pages are secured:
Wrong Links: Relative links are not recommended because, if the user is on an insecure page of your site, relative links will always take them to insecure versions of the destination page. So relative links like the following should be avoided:
<a href="/form.html">Fill out my form!</a>
<a href="form.html">Fill out my form!</a>
Correct Links: Absolute links will ensure a secure connection by specifying that SSL must be used via the link prefix “https://.” For example:
<a href="https://yourdomain.com/form.html">Fill out my form!</a>
Be sure that ALL links to all secure pages of your site use this secure format with the “https://” prefix.
Side Note: These days, it is recommended that you use SSL for ALL pages of your web site, not just the “important ones.” This is good for user trust, security, and privacy. It is also good for Search Engine Optimization (as Google will reward you for securing your site). If you have set up your site so all pages are secure, always, then relative links are safe once more.
Make sure that no one can connect to your form page insecurely
Using the above suggestions, all of the links on your site will take your users to the secure version of your form. However, most web hosts leave the insecure version of the form there and it can still be accessed by users if they enter the insecure address directly (or if you missed some of the links in your updates). As a next step, you should ensure that it is not possible to access the form page via an insecure connection.
There are several different ways that this can be done. Some of these include:
- Separate space for SSL pages: If your web host has this feature, you can configure your website so that web pages for secure (SSL) connections are stored in a different directory from those for insecure pages. If you enable this feature, you would put your form page in the secure directory and make sure that there are not any copies in the insecure directory. Thus, any insecure requests for these pages would result in a “page not found” error. You could, then, implement some server-side redirection rules where if someone does request the insecure page, they are automatically redirected to the secure version (this can be done using .htaccess files and the “Redirect” directive). If you did this, then secure AND insecure requests for the page would take the user to the secure version with no errors, warnings, or issues for the end user.
- Scripted pages: If your form page is generated by a server-side script (e.g. PHP, Perl, Python, or Java), then your script itself can look and see if the request is secure or not (e.g. by looking at the server environment variables). For secure requests, it can render the form as usual. For insecure requests, the user receives an error or is redirected to the proper secure location.
- Securing all pages: (Recommended) You can configure your site so that all requests for insecure pages are automatically redirected to the respective secure page. All pages will be secure and any accidental/incorrect requests for the insecure pages will still get people to the right place. If you have set this up pervasively for your site, then security is greatly improved.
If my form is posting securely to a secure form processing script, then why does the form itself need to be secured?
This question is usually asked when the form processing is managed by a third party. Is securing the form itself with SSL needed?
The answer is based on the following facts:
- The data sent from your end users to the server will be secure and encrypted during transmission. This is critical for creating secure websites and forms for sites that require HIPAA compliance.
- End users who are non-technical will have no way of knowing if their data will be submitted securely until they actually try it. Many end users will not want to submit their data to an insecure form on your site for this reason.
- End users have no way of knowing if they are viewing your site, or a phishing site, or if there is eavesdropping and modification going on. Many users will not trust the connection and will not want to submit their data through your site.
- If your form page is insecure, it is very easy for any malicious party to perform a man-in-the-middle attack to eavesdrop on connections, to modify your form in transit to change what is collected and where the data is sent, and to set up phishing sites. It is impossible for your end users to tell if this is going on.
If you do not SSL-secure your web form itself, it is vulnerable to attack. If there is nothing untoward going on, you do have transmission security to rely on; however, that minimal level of security is not recommended for production websites or anywhere that compliance is required.
Other Aspects of Creating Secure Websites and Forms
Proper use of SSL for encryption and trust is only part of creating secure websites and forms. There are many other aspects that you must be concerned with in order to protect your users, your application, and your company’s reputation. These include (but are not limited to):
- Secure Server-Side Programming: The scripts and programs that accept and process the data from your form must be created with security in mind. They must validate all submitted data as needed, not making any assumptions about its format and content. The scripts must not provide avenues for attacks like SQL Injection. Scripts must not use submitted content as actual file names or URLs for loading remote content. They should log any strange errors or problems for later analysis. They should provide a mechanism, if possible, for blocking undesirable actions or users from using the scripts.
- Validation: Validation of all input data is part of secure server-side programming as described above. However, it is so essential that we will repeat it and go over some of the fundamental points:
- Always de-taint submitted data. What does that mean? It means never trust submitted data and take pains to ensure that the submitted data matches what you expect. For example, if you have a select list that sends your script a number as the value, do not assume that you are actually getting a number! Instead, check that it really is a numeric value or convert whatever is submitted into a number.
- Remove disallowed content from text submitted by users. Remove or block special characters, embedded codes and other things that should not be there.
- Make sure the submitted data is not “too big” to be used.
- Do not assume anything — program defensively.
- Preserving State with Hidden Form Fields or Cookies: If your program remembers things from one page to another by saving the data in hidden form fields, then your program must also make sure that the content of those fields was not tampered with! One good way to do this is to make a hash of all the data, together with a secret value, and to include that hash in the form data as well. Then, when the form is submitted, you can recompute the hash and compare it with what passed from the form. If they match, you are OK; if they do not, then the data has been tampered with. No one can break this scheme without knowing your secret value or without breaking your hashing algorithm. This method can also be used to validate data saved in cookies. You can go a step further and use time stamps to prevent replay attacks.
- Third-Party Applications: If you install programs from third parties on your web site, then you must take care that there are not any known security issues with these programs, and you must be sure to update these programs as soon as new versions are released. If you let your website languish with an older, vulnerable version of a program on it, it will become a target for hackers as they constantly search the Internet for such websites. Your site will likely be hacked in these cases, possibly causing loss of business, deactivation of your website, and tarnishing of your website’s reputation. Using a third-party application is easy, but you need to select a good one, and the burden of keeping it updated is on you. An exception is using a third-party application that is hosted by the third party itself. In these cases, the third party ensures that the program is always updated with anything needed to address any security issues that may arise. The burden is on them and not you. If you choose a good, respectable vendor, then you should have no problems. E.g. see: WordPress for HIPAA and ePHI?
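The hidden-field scheme from the “Preserving State” point above, as an added example (not code from the original article or from LuxSci): the state is serialized together with a timestamp, signed with a keyed hash (HMAC-SHA256) using a server-side secret, and verified on submission with a constant-time comparison and a maximum age to reject replays. The secret value, field layout and 15-minute window are placeholder assumptions.

```python
"""Added example: tamper-evident hidden form fields with HMAC and a timestamp.

The same seal/unseal pair works for values stored in cookies. The secret
below is a placeholder; load it from server-side configuration in practice.
"""
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"placeholder-replace-with-32-bytes-from-os.urandom"
MAX_AGE_SECONDS = 15 * 60  # forms older than this are treated as replays


def _mac(payload: bytes) -> str:
    """Keyed hash over the exact bytes that will be verified later."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()


def seal_state(state: dict, now=None) -> str:
    """Return one opaque string to place in a single hidden field.

    Canonical JSON (sorted keys, no whitespace) guarantees the same state
    always serializes to the same bytes, so the MAC can be recomputed.
    """
    ts = int(now if now is not None else time.time())
    payload = json.dumps({"ts": ts, "data": state},
                         sort_keys=True, separators=(",", ":")).encode()
    token = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{token}.{_mac(payload)}"


def unseal_state(field: str, now=None):
    """Verify a value read back from the hidden field.

    Returns the original state dict, or None if the field is malformed, the
    MAC does not match (tampering or a different secret), or the timestamp
    is outside the allowed window (replay of an old form).
    """
    try:
        token, mac = field.rsplit(".", 1)
        padded = token + "=" * (-len(token) % 4)
        payload = base64.urlsafe_b64decode(padded.encode())
        # compare_digest: constant-time, so timing does not leak MAC bytes
        if not hmac.compare_digest(_mac(payload), mac):
            return None
    except (ValueError, TypeError):
        return None
    record = json.loads(payload)  # authenticated, so safe to parse
    current = now if now is not None else time.time()
    age = current - record["ts"]
    if age < 0 or age > MAX_AGE_SECONDS:
        return None
    return record["data"]
```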
All of these things, and more, are critical to the development of a secure web application.
Securing the Data After it Arrives
Ensuring that your users’ data is transmitted securely to your web server is critical, as is ensuring that your application itself is secure and will not be hacked. However, what happens to that data after your program receives it? How are you securing and accessing the data? Many people forget that transmitting the data from the web server may require just as much preparation as receiving it from their users in the first place!
In the following subsections, we will look at three different ways of saving and retrieving your users’ data. In each case, we will explain what is needed to secure the data in your systems.
Emailing the data to you
The most common action that data processing scripts do is email the submitted data to the website owner’s email address. The website owner knows when there are new submissions just by checking his/her email and can access the data immediately. As most people running websites check their email fairly often, this integrates well with their business operations.
However, the standard ways of sending email are completely insecure. To understand why, see The Case For Email Security. So, what can be done to still use email, but ensure that the data is secure and viewable only by the intended viewers?
- Have your website script encrypt the data.
- Send this encrypted data (or a link to download the encrypted data) to the intended viewers via regular email.
As the form data is encrypted within the email message, most insecurities inherent in email are obviated. You can also use secure third-party services to have your form data emailed to you securely without the need to program anything yourself.
Saving the data in a database
Many website owners like to save the submitted form data in a database (even if it is also being emailed to them). Why?
- The data is saved online and potentially accessible from anywhere.
- If the emailed copies of the data are lost, the copies in the database are still there.
- The data in the database can be accessed through a web browser if there is a suitable user interface.
- The data is presumably backed up for you.
If storage in an online database is for you, then you need to:
- Use encryption, like SSL or PGP, to ensure that the data is stored in the database in a secure manner. Why? The contents of database tables are not encrypted or secure in general. Storing unencrypted data makes that data available to anyone else with access to the database or its backups. See: Encryption and Auditing of MySQL Databases for HIPAA.
- Provide a user interface that allows you to access the database data. It must be secure, have strong access controls, and provide a means for decrypting the data for you.
The database option requires a lot of work to make a solution that is secure and usable. For this reason, most small organizations do not end up using secure database storage for important form data.
Saving the data in files
The file storage option is the “quick and dirty” alternative to secure database storage. Essentially, your program will:
- Make a file containing all of the form data.
- Encrypt that file using PGP or SSL.
- Save that encrypted file in a directory on the web server that is not accessible from the website. Another option is to save it in an online file sharing service.
Then, the website owners can log in to the web server using Secure FTP and download these files as needed. They can be decrypted locally when the data must be accessed. In the case of the files being saved in an online file share, other simpler mechanisms for accessing the data are available.
This solution is secure and provides a good backup to securely emailed data.
How Secure is Your Web Host?
The choice of web hosting provider and environment is critical for the security of your website application.
- A web hosting provider that does not specialize in security will likely not have a secure infrastructure. The software they use is more likely to have unpatched vulnerabilities. This will result in your website being significantly less secure.
- If your web hosting provider is not trusted in terms of the sanctity of your data, you may have a problem. System administrators and technical support staff at the provider can access your website application and raw data. If the data is not encrypted, they can read and copy it. They can modify the application to capture and store information. Do you have a good sense that this will not happen?
- Are you on a dedicated or shared web server? If you are on a shared web server and another website on the server is compromised, then your website data could also be compromised. If you can afford it, dedicated servers and virtual private servers provide your site with a much higher level of security than a shared hosting account will offer.
Other Technical Tips for Creating Secure Websites and Forms
There are many other considerations in developing and maintaining a secure website. It would be impossible to cover or even list them all here. However, here are some more interesting and useful tips.
Use Secure Cookies
If your secure site is using cookies for anything, be sure to set the “Secure” and “HttpOnly” flags on them. The “Secure” flag ensures that these cookies are never sent insecurely over the Internet when the visitor arrives at any insecure pages of your web site (they are not sent at all to insecure pages) and thus helps preserve the security of the contents of these secure cookies.
Prevent Form Spam
Form spam occurs when automated programs find your web forms and try to send spam through them. Form spam can result in hundreds or thousands of useless form posts each day. Once you start getting form spam, stopping it will be your desperate goal. There are two primary ways:
- CAPTCHA – This method requires end users to read text embedded in an image and type that text successfully into a form field. This is then validated by the back-end program. Since most spam programs cannot read text embedded in images, it will successfully block almost all automated form spam. However, CAPTCHA does require that the users perform one more step and can be a little annoying.
Minimize the Need for Trust
A good rule of thumb is to minimize the need to trust third parties, and to trust only the trustworthy.
- If you do not trust your internal IT staff, do not host your web application on your own servers or give them access to the server used.
- If you do not trust the third party hosting your website, encrypt the form data as soon as possible. This helps ensure that the data is not saved anywhere in plain text and also is not backed up in plain text, thus minimizing your exposure to unauthorized people. Further, be sure that the private keys and passwords needed to decrypt the data are NOT stored on the web host’s servers.
- Ensure that only authorized staff can access the submitted form data. Ideally, it should always be encrypted and only authorized people should have the capability to decrypt it.
These are just a few obvious points. As you evaluate your web application and the flow of data, ask yourself “who can access the raw data and how” at each stage. Are there stages where you are trusting people who should not be trusted? Are you using “security by obscurity”? If so, re-evaluate.
Forced use of strong encryption in SSL
The strength of encryption used by SSL is a function of both the user’s web browser and the server. Even if your web server supports very good encryption, like AES256, the user’s browser may choose a weaker level of encryption. Older versions of Internet Explorer are notable for choosing weaker encryption in the interest of speed.
You can modify your web server configuration so that only levels of encryption that you approve can be used to access your site. For more information, see: What Level of TLS and SSL is required by HIPAA?
Use Two-Factor Authentication
Two-factor authentication is almost standard on very secure sites now. It means that you require both a password and something else (e.g. a token obtained from the person’s phone) to validate their identity. Without both, the user cannot log in. See DuoSecurity for a good solution that is free for small web sites. Google Authenticator is also very good. Try to stay away from using only SMS (text messaging) as the second factor, as that is no longer considered secure.
Get Started Creating Secure Websites and Forms
Thinking that maybe outsourcing your form hosting and processing is the fastest and most cost-effective solution? LuxSci’s SecureForm was designed for security and compliance. Contact us today to learn more about protecting sensitive information online.