Website Security

Security

This document lists the steps taken to protect the application from being compromised, from data theft, and from exposure of sensitive information, so that you can be confident in the integrity of your software.

Requirements

1  USER ACCOUNT SECURITY

Account management, authentication, and password management can be tricky. Here are the best practices to follow to ensure you have a safe, scalable, usable account authentication system.

1.1  2 FACTOR AUTHENTICATION

2FA adds a second layer to the login process: if an attacker has compromised one factor, the chance that the other factor is also compromised is low. This is normally done by sending a confirmation code by email or SMS, so even after the correct password has been entered the user must also enter that code before gaining access.
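As an added illustration (not code from the original document), the following Python shows how the email/SMS confirmation step can be handled on the server: codes come from a CSPRNG, are stored only as a keyed hash, expire after a short time, are single-use, and are discarded after a few wrong guesses. The 5-minute lifetime, the 3-guess limit and SERVER_SECRET are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300                       # assumed policy: a code lives 5 minutes
OTP_MAX_ATTEMPTS = 3                        # assumed policy: wrong guesses before the code is discarded
SERVER_SECRET = secrets.token_bytes(32)     # assumed: in production this comes from server configuration
PENDING = {}                                # constructed store: user -> (code_hash, expires_at, attempts_left)

def _hash_code(user, code):
    # Only a keyed hash is kept, so a dump of the store does not reveal live codes.
    return hmac.new(SERVER_SECRET, f"{user}:{code}".encode("utf-8"), hashlib.sha256).digest()

def issue_code(user, now=None):
    """Generate a fresh one-time code for the user and return it for delivery by email/SMS."""
    now = time.time() if now is None else now
    # secrets.randbelow is a CSPRNG; zero-padding keeps every code exactly OTP_DIGITS long
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    PENDING[user] = (_hash_code(user, code), now + OTP_TTL_SECONDS, OTP_MAX_ATTEMPTS)
    return code

def verify_code(user, submitted, now=None):
    """Accept only the live, unexpired code; a successful check consumes it."""
    now = time.time() if now is None else now
    entry = PENDING.get(user)
    if entry is None:
        return False
    code_hash, expires_at, attempts_left = entry
    if now > expires_at:
        del PENDING[user]                   # expired codes are never accepted
        return False
    # compare_digest is constant-time, so the comparison leaks nothing about the stored code
    if hmac.compare_digest(_hash_code(user, submitted), code_hash):
        del PENDING[user]                   # single-use: success removes the code
        return True
    attempts_left -= 1
    if attempts_left <= 0:
        del PENDING[user]                   # too many guesses: the user must request a new code
    else:
        PENDING[user] = (code_hash, expires_at, attempts_left)
    return False
```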

1.2  LOGIN ATTEMPTS MEASURES

Users are locked out after a specified number of failed login attempts. A locked account can only be unlocked by the support team.

1.3  BLOCK/UNBLOCK USERS FROM ADMIN

The app gives the admin full control to block a specific user from entering the app and accessing the database. A user whose status is blocked will not be allowed to log in to the platform until the admin unblocks the account.

1.4  END-TO-END ENCRYPTION FOR ACCOUNT DETAILS INTO DATABASE

The most important rule for user account security is to store sensitive user information, including passwords, safely. Passwords are stored only as a strong one-way hash that cannot be reversed.

1.5  PASSWORD RULES

Password rules include the following:

Minimum of 8 characters

At least 1 letter, 1 number, 1 special character
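The following Python is an added example, not the application's own code, that puts sections 1.2 to 1.5 together: the password rules are checked at registration, only a salted PBKDF2 hash is stored, failed logins are counted and the account locks until support unlocks it, and an admin-set blocked flag refuses login independently of the counter. The lockout threshold of 3 and the in-memory USERS store are assumptions.

```python
import hashlib
import hmac
import os
import re

MAX_FAILED_LOGINS = 3          # assumed value; the text only says "a specified number"
PBKDF2_ITERATIONS = 600_000    # OWASP's current recommendation for PBKDF2-HMAC-SHA256
USERS = {}                     # constructed in-memory store standing in for the accounts table

def password_meets_rules(pw):
    """1.5: minimum 8 characters, at least one letter, one digit and one special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def hash_password(pw, salt):   # 1.4: slow, salted one-way hash; the plaintext is never written anywhere
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)

def register(username, pw):
    if not password_meets_rules(pw):
        raise ValueError("password does not meet the password rules")
    salt = os.urandom(16)                       # unique per account
    USERS[username] = {"salt": salt, "hash": hash_password(pw, salt),
                       "failed": 0, "locked": False, "blocked": False}

def login(username, pw):
    """Returns 'ok', 'invalid', 'locked' (1.2) or 'blocked' (1.3)."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(pw, b"\x00" * 16)         # same cost for unknown names, so timing reveals nothing
        return "invalid"
    if rec["blocked"]:
        return "blocked"                        # admin-set status, independent of the lockout counter
    if rec["locked"]:
        return "locked"
    if hmac.compare_digest(hash_password(pw, rec["salt"]), rec["hash"]):
        rec["failed"] = 0                       # a good login resets the counter
        return "ok"
    rec["failed"] += 1
    if rec["failed"] >= MAX_FAILED_LOGINS:
        rec["locked"] = True                    # stays locked until support unlocks it
        return "locked"
    return "invalid"

def support_unlock(username):
    USERS[username].update(failed=0, locked=False)
def admin_set_blocked(username, blocked):
    USERS[username]["blocked"] = blocked
```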

2  DATA SECURITY

Data security is the practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle.

2.1  HIDE FILES FROM DIRECT ACCESS

Files are accessed only through an internal route, so the front-end user never learns the actual location of the file. A hidden link is generated in the back end and used for processing the data.

2.2  FILE ENCRYPTION

This feature is very important for the security of sensitive files. If anyone manages to reach the storage and download a file, they will not be able to open or display it, because files are locked by an encryption process using an encryption key. Neither the encryption process nor the key is ever exposed; both are protected by the server.

2.3  LOCAL ACCESS ONLY FOR THE DATABASES

Remote database access is closed: the database can only be reached directly from the server on which the app is running. The database rejects any connection from a foreign source and accepts requests only from its local source.

2.4   DATA BACKUP MODULE

The database backup module saves a lot of time by automatically backing up the data and allowing it to be restored in case of any damage.

3  SERVER SECURITY

It is also important to protect the server from being accessed through open connections. Although our server already provides a good level of security for the overall architecture, further steps are taken to add security.

3.1  INSTALLING A FIREWALL

A firewall is a network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules. Its purpose is to establish a barrier between your internal network and incoming traffic from external sources (such as the internet) to block malicious traffic like viruses and hackers. 

3.2   PORTS MANAGEMENT

Firewalls guard traffic at a computer's entry points, called ports, where information is exchanged with external devices. Only the required ports are opened, and they are closed again when no longer needed.

3.3  REVERSE PROXY

A reverse proxy adds a welcome layer of security and is effective in protecting systems against web vulnerabilities. It sits between external clients and the internal services, so nobody can reach the internal network directly.

3.4   VIRTUAL HOSTS

Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers). This allows one server to share its resources, such as memory and processor cycles, without requiring all services provided to use the same hostname.

3.5  DATABASE BACKUP

Steps are taken to protect data from accidental data loss, corruption, and unauthorized access. This includes routinely making additional copies of data that can be used to restore the original data or for recovery of earlier instances of the data.

3.6   CODE TRACKING THROUGH GIT DURING SUPPORT/DEVELOPMENT PROCESS

Git stores its internal files inside a hidden .git folder within the repository. These files contain the whole history of committed changes, so every change made during support or development can be traced back to who made it and when.

4  CLIENT-SIDE SECURITY

The goal of client-side security platforms is policy-based mitigation of the fine-grained behaviour of the third-party sources from which content is served. Such platforms can then watch for any data collection suggestive of the attacks used by Magecart (and similar groups).

4.1  CROSS-SITE REQUEST FORGERY (XSRF/CSRF)

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. We mitigate this attack by accepting state-changing requests only via the POST method and by pairing a secret token with the session cookie.

4.2   SECURE UPLOADING OF FILES

Uploads are accepted only when the file has an allowed extension and size. This prevents unauthorized files from entering the application and keeps all other files safe.
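An added example (not the application's own code) of the upload check described above, going one step beyond the text: besides the extension and size, the leading bytes of the file must match the type the extension claims, and the file is stored under a random server-chosen name. The size limit, the allowed types and their signatures are assumptions.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024       # assumed limit; the text gives no number
ALLOWED_TYPES = {                        # extension -> leading bytes a genuine file of that type starts with
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
}

class UploadRejected(ValueError):
    pass

def check_upload(filename, data):
    """Validate an upload and return the extension it will be stored under."""
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized file")
    base = os.path.basename(filename.replace("\\", "/"))   # discard any directory part the client sent
    if "." not in base:
        raise UploadRejected("no extension")
    ext = base.rsplit(".", 1)[1].lower()                    # judge by the final extension only
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    # The extension is only a claim; the leading bytes must back it up
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    return ext

def is_accepted(filename, data):
    try:
        check_upload(filename, data)
        return True
    except UploadRejected:
        return False

def store_upload(filename, data, upload_dir):
    """Save under a random server-chosen name so the client's file name never reaches the filesystem."""
    ext = check_upload(filename, data)
    stored_name = secrets.token_hex(16) + "." + ext
    os.makedirs(upload_dir, exist_ok=True)
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name
```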

4.3  UPDATE THE FRAMEWORK REGULARLY

The application is developed with an MVC-based framework, which receives updates with added security fixes. We update the framework regularly to pick up these fixes.

4.4   CROSS-SITE SCRIPTING (XSS)

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. This is avoided by filtering input on arrival, encoding data on output, and using appropriate response headers.

4.5  TURNING OFF DISPLAY ERRORS

Displaying errors is normally used for debugging during development. In production it is turned off so that error messages give attackers no clue about the internal functions or infrastructure.

4.6   SANITIZATION OF ALL INPUTS

Input sanitization is a cybersecurity measure of checking, cleaning, and filtering data inputs from users, APIs, and web services for any unwanted characters and strings, to prevent the injection of harmful code into the system.
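As an added example (not the application's own code) covering sections 4.4 and 4.6 together, this Python validates input on arrival against an allowlist, encodes values on output for the HTML context each one lands in, and returns the response headers that limit what any script that slipped through could do. The field formats, length limits and the CSP values are assumptions.

```python
import html
import re
import urllib.parse

# 4.6 Arrival: validate each field against an allowlist of what it may legitimately contain.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")

def is_valid_username(value):
    """Reject anything outside the expected alphabet rather than trying to 'clean' it."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None

def clean_free_text(value, max_len=2000):
    """Free text has no small alphabet, so bound its length and drop control characters; None = reject."""
    if not isinstance(value, str) or len(value) > max_len:
        return None
    return "".join(ch for ch in value if ch == "\n" or ch >= " ")

# 4.4 Output: encode for the context the value lands in. Escaping happens here, not on input,
# so the same stored value stays correct in HTML text, inside an attribute and inside a URL.
def render_comment(author, text, profile_url):
    body = html.escape(text).replace("\n", "<br>")            # HTML text context
    safe_author = html.escape(author, quote=True)             # attribute context: quotes escaped too
    if urllib.parse.urlsplit(profile_url).scheme not in ("http", "https"):
        profile_url = "#"                                     # only web URLs may go into href
    href = html.escape(urllib.parse.quote(profile_url, safe=":/?&=#%"), quote=True)
    return f'<p><a href="{href}" title="{safe_author}">{safe_author}</a>: {body}</p>'

# 4.4 Response headers: limit what a script could do even if one slipped through.
def security_headers():
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }
```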

4.7  ENCRYPTED IDS FROM THE DATABASE

Some primary keys and ids are very important when processing database queries; almost all queries refer to database entries by their primary key. Encrypting these ids before they leave the server protects the data from being exposed to attackers.
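An added example (not the application's own code) serving both section 2.1 and this section: the client is handed an opaque, random, expiring reference issued by the back end, and only the server can map it back to the real storage path or primary key. This uses random server-side references in place of the encryption the text mentions (the Python standard library has no AES); the effect, that the real value never reaches the client, is the same. The route prefix, lifetimes and the in-memory REFERENCES table are assumptions.

```python
import secrets
import time

# Constructed in-memory reference table standing in for a database table:
# opaque handle -> (kind, real value, owner, expires_at). A handle never encodes the real value.
REFERENCES = {}

def issue_reference(kind, real_value, owner, ttl_seconds, now=None):
    """Return an opaque handle the client uses instead of the real id or storage path."""
    now = time.time() if now is None else now
    handle = secrets.token_urlsafe(32)       # 256 random bits from the OS CSPRNG: not guessable or enumerable
    REFERENCES[handle] = (kind, real_value, owner, now + ttl_seconds)
    return handle

def resolve_reference(handle, expected_kind, owner, now=None):
    """Map a handle back to the real value, or None if unknown, expired, of another kind or another owner."""
    now = time.time() if now is None else now
    entry = REFERENCES.get(handle)
    if entry is None:
        return None
    kind, real_value, ref_owner, expires_at = entry
    if now > expires_at:
        del REFERENCES[handle]
        return None
    if kind != expected_kind or ref_owner != owner:
        return None                          # a handle shown to one user resolves for that user only
    return real_value

# 2.1: the browser only ever sees /download/<handle>; the storage path stays on the server
def download_url(storage_path, owner, now=None):
    return "/download/" + issue_reference("file", storage_path, owner, 600, now)

def handle_download(url, owner, now=None):
    """Server-side route: returns the path to stream back, or None to answer 404."""
    prefix = "/download/"
    if not url.startswith(prefix):
        return None
    return resolve_reference(url[len(prefix):], "file", owner, now)

# 4.7: the same mechanism hides database primary keys in links and forms
def public_id(row_id, owner, now=None):
    return issue_reference("row", str(row_id), owner, 3600, now)

def private_id(handle, owner, now=None):
    value = resolve_reference(handle, "row", owner, now)
    return None if value is None else int(value)
```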

5  SERVER-SIDE OPERATIONS SECURITY

In a computer security context, server-side vulnerabilities or attacks are those that occur on the server computer system, rather than on the client side or in between the two.

5.1  CSRF TOKEN IMPLEMENTATION

The CSRF token is a unique, unpredictable value; including it in the request makes each POST request unique to the session that issued it and therefore much harder to forge.

5.2  SESSION HIJACKING MEASURES

Attackers have several options for hijacking a user's session, depending on their position and attack vector. Web servers that generate long, random session cookies resist such attacks, since the identifier cannot be guessed.
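The following Python is an added example (not the application's own code) that ties sections 4.1, 5.1 and 5.2 together: a 256-bit random session id is created with a per-session CSRF secret, the cookie is issued with HttpOnly, Secure and SameSite attributes, the id is rotated after login, and a state-changing request is honoured only if it is a POST from a live session carrying that session's token. The 30-minute timeout and the in-memory SESSIONS store are assumptions.

```python
import hmac
import secrets
import time

SESSION_TTL = 30 * 60   # assumed idle timeout
SESSIONS = {}           # constructed server-side store: session id -> {user, csrf, expires_at}

def create_session(user, now=None):
    """5.2: 256-bit random id from the OS CSPRNG; a per-session CSRF secret is minted with it (5.1)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "expires_at": now + SESSION_TTL}
    return sid

def session_cookie_header(sid):
    # HttpOnly: script cannot read it; Secure: never sent over plain HTTP; SameSite=Lax: not sent on cross-site POSTs
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def rotate_session(old_sid, now=None):
    """Issue a fresh id after login or a privilege change, so an id observed before login stays useless."""
    data = SESSIONS.pop(old_sid)
    return create_session(data["user"], now)

def csrf_token_for(sid):
    """Value to embed in the form as a hidden field; it is never placed in a cookie."""
    return SESSIONS[sid]["csrf"]

def authorize_state_change(method, cookies, form, now=None):
    """4.1/5.1: returns the acting user if the request may change state, otherwise None."""
    now = time.time() if now is None else now
    if method != "POST":
        return None                                  # GET must never change state
    sid = cookies.get("session", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return None
    if now > sess["expires_at"]:
        SESSIONS.pop(sid, None)
        return None
    submitted = form.get("csrf_token", "")
    # A cross-site request carries the cookie automatically but cannot read or supply the form token
    if not hmac.compare_digest(submitted.encode("utf-8"), sess["csrf"].encode("utf-8")):
        return None
    return sess["user"]
```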

5.3  SQL INJECTION ATTACKS PROTECTION

Character escaping is an effective way of preventing SQL injection. Special characters such as “/ —;” are interpreted by the SQL server as syntax, so unescaped input containing them can turn into an SQL injection attack.
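An added example (not the application's own code) showing the vulnerable pattern beside two hardened forms, using Python's built-in sqlite3 with a constructed in-memory table: string splicing lets quote characters in the input become SQL syntax, whereas a bound parameter is always treated as data, and the quote-doubling escape the text describes is shown for the case where a parameter cannot be used.

```python
import sqlite3

def setup_demo_db():
    """Constructed in-memory table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def find_user_unsafe(conn, username):
    """Vulnerable pattern: user input spliced into the statement, so a quote or comment
    marker in the input is parsed as SQL syntax instead of data."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    """Hardened form to prefer: a bound parameter is sent as data and never parsed as SQL,
    whatever characters it contains."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def escape_sql_string(value):
    """Escaping as the text describes, for the rare driver that offers no parameter binding:
    doubling the quote character stops it from closing the string literal early."""
    return value.replace("'", "''")

def find_user_escaped(conn, username):
    sql = "SELECT username, email FROM users WHERE username = '" + escape_sql_string(username) + "'"
    return conn.execute(sql).fetchall()
```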

6  DOMAIN SECURITY

A domain security policy is very important for a web application, keeping it authenticated and managed by the server.

6.1  SSL CERTIFICATES, RENEWABLE AFTER 3 MONTHS

An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection.

6.2  DNS CHECKUP AND FIXES

A DNS check runs a comprehensive DNS report for the domain; any issue it finds is fixed by the support team.