API endpoint: https://www.immuniweb.com/websec/api/v1/chsec/[ustamp].html, where "ustamp" is an arbitrary UNIX timestamp (it must be an integer). The changing path component exists to prevent caching of the response on the client side.
POST Data Specification

Field name    Value
api_key       the secret token you submit alongside the request
tested_url    the URL of the domain to be tested
dnsr          "on" hides the test results; "off" makes the test results visible in statistics
choosen_ip    the IP address of the tested server (used if the tested domain resolves to multiple addresses)
recheck       "false" reuses cached results if the server has been tested within the past 24 hours; "true" performs a new test without consulting the cache
token         the value of the token returned by the server if the tested domain resolves to several IP addresses
Response:

{
  "job_id": "2a9e1f1bc92dc0c7a4bde930dff488771eea6d36988208d34163c5496227b8dc",
  "status": "in_progress",
  "status_id": 2,
  "message": "Your test is in progress"
}
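As an added example (not ImmuniWeb's own client code), the following Python script builds a request for the endpoint described above, validates the field values the table allows, and parses a reply of the shape shown. It assumes, which the page does not state, that the POST body is form-encoded (application/x-www-form-urlencoded) and that the reply body is JSON; the API key and job_id used in the offline demonstration are placeholders.

```python
"""Added example (not ImmuniWeb's own client): build, submit and parse a
request to the website security test API described above.

Assumptions not stated on the page: the POST body is form-encoded
(application/x-www-form-urlencoded) and the reply body is JSON.
"""
import json
import time
import urllib.parse
import urllib.request

API_BASE = "https://www.immuniweb.com/websec/api/v1/chsec/"


def build_request(api_key, tested_url, dnsr="on", recheck="false",
                  choosen_ip=None, token=None, ustamp=None):
    """Return (endpoint_url, form_fields) for one test submission.

    The UNIX timestamp in the path defeats client-side caching; the page
    requires an integer, so a float from time.time() is truncated here.
    choosen_ip and token are only sent when set, i.e. on the follow-up
    request after the server reported several addresses for the domain.
    """
    if ustamp is None:
        ustamp = int(time.time())
    if not isinstance(ustamp, int):
        raise TypeError("ustamp must be an integer UNIX timestamp")
    if dnsr not in ("on", "off"):
        raise ValueError('dnsr must be "on" (hide results) or "off" (show in statistics)')
    if recheck not in ("true", "false"):
        raise ValueError('recheck must be "true" (ignore cache) or "false" (use 24h cache)')
    fields = {
        "api_key": api_key,
        "tested_url": tested_url,
        "dnsr": dnsr,
        "recheck": recheck,
    }
    if choosen_ip:
        fields["choosen_ip"] = choosen_ip  # field name spelled as the API expects it
    if token:
        fields["token"] = token
    return f"{API_BASE}{ustamp}.html", fields


def parse_response(body):
    """Parse the JSON reply into (job_id, in_progress, message)."""
    reply = json.loads(body)
    return (reply.get("job_id"),
            reply.get("status") == "in_progress",
            reply.get("message", ""))


def submit(api_key, tested_url, **kwargs):
    """Perform the POST (needs network access) and parse the reply."""
    url, fields = build_request(api_key, tested_url, **kwargs)
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=60) as resp:
        return parse_response(resp.read().decode())


if __name__ == "__main__":
    # Offline demonstration on a constructed reply with the same shape as
    # the one quoted above; key and job_id are placeholders, not real values.
    url, fields = build_request("API_KEY_PLACEHOLDER", "https://example.com",
                                ustamp=1600000000)
    print(url, fields)
    sample = ('{"job_id":"JOB_ID_PLACEHOLDER","status":"in_progress",'
              '"status_id":2,"message":"Your test is in progress"}')
    print(parse_response(sample))
```

Only `submit()` touches the network; `build_request()` and `parse_response()` can be exercised offline, which is also where a wrapper around this API should keep its input validation so that a malformed `dnsr` or `recheck` value never reaches the server.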
Website security is composed of the availability, integrity and confidentiality of the website's data, which mostly consists of the website's files and databases. Availability means uninterrupted and swift access to the website and its content; a DDoS attack, for example, may disrupt availability and prevent legitimate users from accessing the site.
Integrity concerns the security of the stored data: attackers must not be able to modify data or distort any information available on the website. Confidentiality relates to the due protection of sensitive data, for instance the logins and passwords of website users, so that nobody but authorized personnel has access to it.
Q
How to check website security?
A
A website security check shall include a thorough verification of availability, integrity and confidentiality. On top of this security triad, privacy and compliance with the enacted data protection laws and regulations set a website apart from its competitors. ImmuniWeb Community Edition provides a free online test to quickly check your website's security, privacy and compliance.
Q
What is GDPR compliance?
A
GDPR compliance relates to adherence to all of the requirements of the General Data Protection Regulation (EU GDPR), a European law intended to protect the Personally Identifiable Information (PII) of European residents by increasing the transparency of data handling, giving individuals the right to control their PII, and letting them request that companies and organizations return and then delete any PII related to them.
The law was enacted in response to the skyrocketing number of data breaches, leaks and cases of unscrupulous handling of PII for commercial or even unlawful purposes without people's consent.
Q
How to be GDPR compliant?
A
The best way to start is to read the official text of the General Data Protection Regulation (GDPR). You may require competent advice on the applicability and practical enforcement of the law, and it is strongly recommended to retain a licensed attorney in your country to clarify any grey areas, as a single mistake may lead to disastrous financial consequences: a fine of 4% of your annual turnover or 20 million euros, whichever is greater.
A GDPR compliance test shall cover the people, processes and technologies in your organization that handle or process the Personally Identifiable Information (PII) of European residents. You shall retain a licensed attorney to review your Data Protection policy and the other legal documents and processes imposed by the articles of the GDPR. Not all GDPR requirements are technical; for example, the availability and protection of a Data Protection Officer (DPO) falls under the HR and legal part of GDPR compliance. You may test the GDPR compliance of your website with the free security test by ImmuniWeb Community Edition.
Q
What is PCI DSS compliance?
A
Payment Card Industry Data Security Standard (PCI DSS) compliance involves strict adherence to all 12 requirements of the standard for any company that processes at least one credit card per year. Some PCI DSS requirements, for example wireless network security and encryption, may be inapplicable only if the company has no wireless network within its Cardholder Data Environment (CDE). PCI DSS compliance also involves quarterly vulnerability scanning and annual penetration testing of the CDE.
Q
How to test PCI DSS compliance?
A
To test PCI DSS compliance, one should first determine the tested organization's Cardholder Data Environment (CDE). The CDE scope clearly defines the segments of the corporate network and cloud storage where credit card data is stored or processed. It is extremely important to define your CDE scope properly; otherwise you may misjudge the protection needed or overspend on PCI DSS compliance, leading to fines or considerable financial losses.
Then your PCI DSS security auditors shall meticulously audit and test all applicable requirements of the PCI DSS standard as implemented in your network. You may test your website's PCI DSS compliance with the free online scanner by ImmuniWeb Community Edition.
Q
What are HTTP headers?
A
HTTP headers are part of an HTTP request sent by a web browser to a web server, or of the response sent back, and pass additional information about the transmitted content, its format or structure, or specify security or privacy features such as the Do Not Track (DNT) directive.
Some HTTP headers are browser- or web-server-specific. Some security headers, like Content Security Policy (CSP), are fairly complicated to configure because the website's functionality must be preserved, but if properly implemented they mitigate a wide spectrum of XSS (Cross-Site Scripting) and other attacks by disallowing insecure or untrusted content from running in the user's web browser.
Q
How do HTTP headers work?
A
HTTP headers may be server-side or client-side. Both types work by sending instructions alongside the HTTP request or response on how to handle or process it. For example, a client-side request sent by the browser may specify that the user does not wish to be tracked by including a DNT (Do Not Track) HTTP header.
Similarly, a server-side HTTP header may instruct the browser to renew its cache, use a specific encoding when displaying the content, enable the XSS filter, prevent embedding in iframes, or force the use of HTTPS. Most programming languages provide simple, ready-to-use functions for setting most HTTP headers.
Q
Which HTTP headers are required?
A
HTTP headers may be required to address the specific needs of a website owner or a web browser user. For example, some security-related headers (on the web server side), like X-XSS-Protection or the more powerful Content Security Policy (CSP), are recommended to enhance web application and web server security by mitigating some vectors of XSS and related attacks.
Conversely, other server-side headers, like X-Powered-By or Server, may disclose internal or sensitive information and shall be removed. Among client-side headers, the DNT (Do Not Track) header is becoming increasingly popular. While there is no one-size-fits-all approach to implementing specific HTTP headers, you may test your web server's HTTP headers for general weaknesses or misconfigurations with the free website security test powered by ImmuniWeb Community Edition.
Q
How to configure HTTP headers?
A
Server-side HTTP headers are configured on the web server, either through its admin interface or by updating its configuration file. Each web server provides detailed documentation and how-to guidelines for the HTTP headers it supports. Some client-side HTTP headers can be configured directly through the GUI of your web browser, if it supports custom HTTP header configuration.
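As an added example (not ImmuniWeb's checker or any web server's configuration), the following Python script audits a server's response headers along the lines of the three answers above: it reports which recommended security headers are missing, which disclosing headers (Server, X-Powered-By) are present, and flags a CSP that permits 'unsafe-inline' or an HSTS header with max-age=0. The two response blocks are constructed samples; the per-header descriptions and the two weak-value checks are this example's own additions.

```python
"""Added example (not ImmuniWeb's header checker): audit the server-side HTTP
headers discussed above. The header names follow the text; the weak-value
checks and the sample responses are this example's own constructions.
"""

# Response headers whose presence hardens how the browser treats the page.
RECOMMENDED = {
    "content-security-policy": "restricts which scripts and content may load (mitigates XSS)",
    "strict-transport-security": "forces HTTPS on later visits",
    "x-frame-options": "prevents embedding the page in iframes",
    "x-content-type-options": "stops MIME type sniffing",
    "x-xss-protection": "enables the legacy browser XSS filter",
}

# Response headers that disclose server software and should be removed.
DISCLOSING = ("server", "x-powered-by")


def parse_raw_headers(raw):
    """Turn the header block of an HTTP response (status line first) into a dict."""
    headers = {}
    for line in raw.splitlines()[1:]:       # skip the status line
        if not line.strip():
            break                           # a blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers):
    """Report missing recommended headers, disclosing headers and weak values."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = [name for name in RECOMMENDED if name not in h]
    disclosing = [name for name in DISCLOSING if name in h]
    weak = []
    if "'unsafe-inline'" in h.get("content-security-policy", ""):
        weak.append("content-security-policy permits 'unsafe-inline' scripts")
    sts = h.get("strict-transport-security", "").replace(" ", "")
    if sts and "max-age=0" in sts:
        weak.append("strict-transport-security max-age=0 disables HSTS")
    return {"missing": missing, "disclosing": disclosing, "weak": weak}


# Constructed sample: a typical unhardened response header block.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
"""

# Constructed sample: the same response after hardening.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Security-Policy: default-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_raw_headers(raw)))
```

Header names are compared case-insensitively because HTTP header names are case-insensitive; a checker that compares `Server` but not `server` will miss disclosures from servers that emit lowercase names.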
Q
Why is a WAF required?
A
A Web Application Firewall (WAF) can protect your websites, web services and APIs even if they are vulnerable to SQL injection or other common types of security flaws. Attackers will not be able to exploit a vulnerability residing in the source code of your website if it is protected by a properly configured WAF, whether on premise or in the cloud.
Sometimes software developers lack the time to mitigate recently detected security vulnerabilities and weaknesses properly and promptly; instead of leaving the website and its users exposed to cybercriminals, they can mitigate these flaws with a WAF. A modern WAF also reduces the number of malicious bots, accelerates website speed and blocks IP addresses known to be infected by malware or to participate in DDoS attacks, for example. Moreover, many security standards and compliance requirements, like PCI DSS, expressly require the presence of a WAF.
Q
Can WAF prevent DDoS?
A
A modern WAF can effectively prevent Denial of Service (DoS) attacks and reduce the impact of Distributed Denial of Service (DDoS) attacks. It is, however, virtually impossible to prevent a large-scale DDoS attack coming from millions, or in some cases tens of millions, of bots that simply take the network offline with gigabytes of garbage traffic or even shut down the entire infrastructure of the ISP (Internet Service Provider) hosting the targeted website.
For simple cases and weak DDoS attacks, a WAF can at least keep the website up by blocking malicious IP addresses or by limiting access to the website from certain countries, though the website will likely become slower. Specialized anti-DDoS service providers offer competitive solutions tailored to stop or mitigate the consequences of DDoS attacks.
Q
How does a WAF work?
A
A Web Application Firewall (WAF) is a virtual layer between your website and the Internet. All website visitors must pass through the WAF before they can reach your web server and website. If the WAF detects malicious or suspicious elements in a visitor's behavior, such as known patterns of web attacks or blacklisted IPs, it blocks those requests, keeping your website safe from unwelcome visitors and hackers.
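The three WAF answers above describe the same inspection layer from different angles: blocking blacklisted addresses, absorbing DoS-style floods, and matching known attack patterns. As an added example (a toy model, not any vendor's WAF engine), the following Python script implements that layer in-process and runs a constructed sequence of requests through it; the blocklist, the rate-limit threshold, the two signatures and the sample requests are all constructed for illustration.

```python
"""Added example (not any vendor's WAF engine): a toy request filter modelling
the inspection layer described above: blocklisted addresses, per-client rate
limiting for DoS-style floods, and signature matching for known attack
patterns. Rules, thresholds and sample requests are all constructed."""
import re
import urllib.parse
from collections import defaultdict, deque

BLOCKLIST = {"198.51.100.7"}   # constructed "known malicious" address
RATE_LIMIT = 5                 # max requests per client within WINDOW seconds
WINDOW = 10.0

# Signatures are applied to the URL-decoded request line.
SIGNATURES = (
    ("sql-injection", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("path-traversal", re.compile(r"(^|/)\.\.(/|$)")),
)


class ToyWAF:
    def __init__(self):
        self._seen = defaultdict(deque)   # client ip -> timestamps in window

    def inspect(self, client_ip, request_line, now):
        """Return ("allow", "") or ("block", reason) for one request."""
        if client_ip in BLOCKLIST:
            return "block", "blocklisted address"

        window = self._seen[client_ip]
        while window and now - window[0] > WINDOW:
            window.popleft()              # drop timestamps outside the window
        window.append(now)
        if len(window) > RATE_LIMIT:
            return "block", "rate limit exceeded"

        # Decode first so percent-encoded variants of a pattern do not slip past.
        decoded = urllib.parse.unquote(request_line)
        for name, pattern in SIGNATURES:
            if pattern.search(decoded):
                return "block", f"signature: {name}"
        return "allow", ""


def run_sample():
    """Feed a constructed sequence of requests through the filter."""
    waf = ToyWAF()
    sample = [
        ("203.0.113.5", "GET /index.html HTTP/1.1", 0.0),
        ("198.51.100.7", "GET /index.html HTTP/1.1", 0.5),
        ("203.0.113.5", "GET /item?id=1%20UNION%20SELECT%201,2 HTTP/1.1", 1.0),
        ("203.0.113.5", "GET /files/../../secret.txt HTTP/1.1", 1.5),
    ]
    # One client hammering the site: 6 requests within 3 seconds.
    sample += [("203.0.113.9", "GET /search?q=a HTTP/1.1", 2.0 + i * 0.5)
               for i in range(6)]
    return [(ip, *waf.inspect(ip, line, t)) for ip, line, t in sample]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The order of checks matters for cost: the blocklist and the rate limiter are O(1) per request and run before the regular expressions, which is why a flood from a single address is rejected without ever reaching signature matching. The sliding window also explains the "website will likely become slower" caveat above: legitimate clients behind one shared address can hit the same limit.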
Q
What is CMS security?
A
Security of a web Content Management System (CMS) usually relates to the security of the web software used to run a website; WordPress and Drupal are both examples of a web CMS. CMS security is ensured by its developers, who implement security controls and protection mechanisms to prevent known attacks against the CMS such as SQL injection or XSS.
Website owners shall maintain security by installing security patches promptly, using unique and strong passwords, and ensuring that the website hosting is likewise secure. CMS security also depends entirely on web server security: if, for instance, FTP access or the admin password of the server is compromised, the website falls under the immediate control of the attackers no matter how good the CMS security is.
Q
How to test WordPress security?
A
WordPress security mostly depends on whether your installation of the WordPress CMS, its plugins and its themes are all up to date. To test WordPress security, make a complete inventory of WP components and plugins and ensure they are all up to date. Then consult vulnerability databases to check whether any of the WP plugins or extensions contain known but unpatched security vulnerabilities, and if so, deactivate these components.
Consider installing a dedicated plugin that hardens WP security by activating supplementary controls and mechanisms unavailable by default and restricting access to configuration files. ImmuniWeb Community Edition provides a free online tool to test your WordPress security and detect all known security and privacy issues within your installation of WordPress.
Q
How to check Drupal security?
A
A Drupal security check starts with verifying that the Drupal CMS and all plugins used in your installation are up to date. Then check the various vulnerability databases that may contain information about known but still unpatched vulnerabilities or weaknesses exploited by attackers in the wild. If you find such a component, deactivate or disable it promptly until the vendor issues a patch.
Additionally, ensure that all privileged users have strong and unique passwords, that the web hosting where Drupal runs is secure, that access to configuration files is restricted, and that you have a reliable mechanism for continuously installing Drupal security updates. You may check the security of your Drupal website with the free website security test provided by ImmuniWeb Community Edition.