Web security built-in
8th March 2011
Looking back on the early days of web development, security was not much of a concern because the web started out as an almost entirely read-only medium. Thankfully (and interestingly) this soon changed and websites quickly began to offer increasing levels of interaction with their users. With increased interaction came an increased risk of hacking and accidental misuse by the website's end-users, and web development had to grow up, quick-smart.
At Thirdrock we've developed our best website security practices around two principles - a rock-solid front controller and strict input filtering.
- All of our websites are created using the model-view-controller (MVC) design pattern, which provides a very useful separation between the website design, application flow and business logic of our clients' websites. Our implementation of the MVC pattern makes sure that every website request is passed through a front controller which performs security checks on every single request.
- Being naturally cautious, we build all of our websites to filter all incoming data and remove anything unexpected, on every request, every time. We've seen many websites which allow their end-users to submit any kind of data in web forms or directly into the website address (URL) - any site which does this exposes its users to unnecessary risk.
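The two principles above combine naturally into one step in the front controller: every request is matched against a whitelist of the parameters its route expects, unexpected parameters are dropped, and expected parameters that fail validation cause the request to be rejected before any business logic runs. The following Python is an added illustration written for this page, not Thirdrock's own code; the route names, parameter names and validation patterns are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass, field

# Per-route whitelist of the parameters each action expects, each with a
# validation pattern. Routes and patterns are constructed for this example;
# a real site would derive them from its own form and URL definitions.
ROUTE_RULES = {
    "/contact": {
        "name": re.compile(r"[A-Za-z .'-]{1,80}"),
        "email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
        "message": re.compile(r"[\s\S]{1,2000}"),
    },
    "/news": {
        "page": re.compile(r"[1-9][0-9]{0,3}"),
    },
}


@dataclass
class FilterResult:
    accepted: dict = field(default_factory=dict)   # parameters that passed
    dropped: list = field(default_factory=list)    # unexpected names removed
    rejected: dict = field(default_factory=dict)   # expected names with bad values


def filter_request(path, params):
    """Front-controller filtering step.

    Keeps only parameters the route expects, silently drops anything
    unexpected, and records expected parameters whose value fails validation.
    """
    rules = ROUTE_RULES.get(path)
    if rules is None:
        # Unknown route: nothing is expected, so every parameter is dropped.
        return FilterResult(dropped=sorted(params))

    result = FilterResult()
    for key, value in params.items():
        pattern = rules.get(key)
        if pattern is None:
            result.dropped.append(key)
        elif not isinstance(value, str) or pattern.fullmatch(value) is None:
            result.rejected[key] = value
        else:
            result.accepted[key] = value
    result.dropped.sort()
    return result


def dispatch(path, params):
    """Run the filter on every request; only a fully clean request reaches an action.

    Returns ("ok", result) when the action may run with result.accepted, or
    ("reject", result) when the route is unknown or any expected value failed.
    """
    result = filter_request(path, params)
    if path not in ROUTE_RULES or result.rejected:
        return ("reject", result)
    return ("ok", result)


if __name__ == "__main__":
    # Constructed sample requests: one clean, one with extra parameters, one invalid.
    for path, params in [
        ("/contact", {"name": "Jo Bloggs", "email": "jo@example.com", "message": "Hello"}),
        ("/news", {"page": "2", "debug": "1", "sort": "x"}),
        ("/news", {"page": "0"}),
    ]:
        verdict, res = dispatch(path, params)
        print(path, verdict, "accepted:", res.accepted,
              "dropped:", res.dropped, "rejected:", res.rejected)
```

Dropping unexpected parameters rather than rejecting the whole request keeps legitimate users unaffected by stray tracking or caching parameters, while an expected parameter with an invalid value is a real error and stops the request outright; the dropped and rejected lists are exactly what the front controller should log, since a spike in either is an early sign that a form or URL is being tampered with.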
