For Files & Data on Your Web Server

The security of data and information held on your web hosting server is essential, both to protect your property (i.e. your files and data) and, from your customers’ point of view, to ensure you comply with the Data Protection Act. For a website to be reachable on the World Wide Web you must allow everyone access to your public website files, images and web pages. Therefore any folders or files on your web server which you do not wish everyone to have access to must be explicitly protected.

It is also a good idea to amend the “robots.txt” file, which all the search engine robots read to help them explore your website. This file is stored in the same folder as your website home page and you can amend it to exclude folders on your web server from being indexed, i.e. you would not want the robots to index your members-only area or any test or development copies of your website on your web server.

If you don’t exclude such files or web pages within “robots.txt” then they can potentially be returned by searches in search engines and then clicked on by users. Note that “robots.txt” is only a request that well-behaved robots honour; it does not stop anyone from opening those folders directly, so anything private still needs the password protection described below.

For Secure Customer Payment

If you are accepting credit cards on your website then you will be collecting your customers’ financial information, i.e. their credit card details. You must therefore set up the payment section of your website as an HTTPS (secure) web server connection. HTTPS is the secure version of HTTP, using SSL (Secure Sockets Layer) data encryption.

When data is sent via HTTPS it is encrypted on the visitor’s computer before being sent and decrypted only at the receiving web server. This gives reasonable protection from eavesdroppers trying to read the messages containing credit card details as they travel over the internet.

To use HTTPS, visitors replace “http://” with “https://” in the URL or web address. You will also need a public-key certificate for the specific website address, signed by a certification authority (such as Verisign). The authority certifies that the certificate holder is the company they claim to be, which shows the visiting public that the connection is secure and that the site belongs to who it says it does!

Why Would I Use It on My Website?

The following files and data should be secured with password protection as a minimum on your web server to ensure there is no unwanted access:

  • All direct database access – allow access to data via code in your website pages only;
  • Membership Only web pages, files and downloads;
  • Analytics tools installed on your web server – they could be accessed by competitors to see how successful your website is;
  • Any test or development website areas on your web server;
  • Any other areas containing data or files you do not wish the public to have access to;
  • Use HTTPS for credit card payment or transmission of any other sensitive data across the internet;
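As an added illustration (not part of the original post), here is how a members-only folder and the matching “robots.txt” might be set up on a typical Apache-based hosting account; the folder names and the password file path are constructed examples, and it assumes the host allows “.htaccess” authentication and rewrite overrides:

```apache
# --- File 1: /members/.htaccess (constructed example path) ---
# Assumes the hosting provider has enabled AllowOverride for this folder.

# Send plain http:// requests to https:// so the login password is never
# transmitted unencrypted across the internet.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Password-protect everything in this folder and below.
AuthType Basic
AuthName "Members Only Area"
# Keep the password file outside the web root so it can never be downloaded.
# Create it with:  htpasswd -c /home/example/private/.htpasswd firstuser
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# --- File 2: /robots.txt (in the same folder as your home page) ---
# Asks well-behaved search engine robots not to index these areas.
# These lines are public and advisory only: every folder listed here
# must also be password-protected as above.
User-agent: *
Disallow: /members/
Disallow: /dev/
Disallow: /stats/
```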

Possible Requirements to Consider

  • Decide which areas of your website should be password protected with your web designer;
  • Make sure responsibility for database security is clearly defined, especially where customer data is involved, to ensure you are covered under the Data Protection Act;
  • Make sure your web hosting service supports HTTPS;
  • If you require HTTPS on your web server make sure your requirement is clear and that the web designer has the skills and knowledge to deliver a secure solution;
  • HTTPS certificates need to be renewed on a regular basis – be sure who is responsible for renewing them and paying the invoices;
  • Think about using PayPal, WorldPay or Google Checkout for payments to avoid having to take credit card details on your website;

Examples

Screenshot: HTTPS URL as seen on PayPal purchasing web pages (example of a secure HTTPS website)

Screenshot: SSL certificate details shown on a secure HTTPS web page (example security certificates)

Further Information

When you next shop on-line, look out for the HTTPS URL when you are transferred to the secure part of the website to enter your customer and credit card details. You will also see a gold padlock in the bottom right hand corner of your browser (newer browsers show the padlock next to the address bar instead).

It is always good practice to right click on this gold padlock and check that the SSL certificate for the site is up to date and belongs to the same company as the website!


Filed under: Website Jargon Buster
