Cyber security for small web developers: what do you do?

Are there any good places to find out about cyber security, especially if you host your own apps?

  • Look for checklists from OWASP that fit what you do.
  • Check your tools that can help with the checklist.
  • Use some DDoS protection like Cloudflare.
  • Learn the basics.
  • Only show what you have to. Make everything else only work from behind a VPN or VPS.

@Bowie
I had the same question, thanks!

I am a not very big web developer so I can’t help

Channing said:
I am a not very big web developer so I can’t help

Thanks Geoff

I think small web dev and self-hosting are not a good idea these days. It is too much risk. Keeping up with security and keeping your own stuff running is a full-time job. If you don’t know a lot about systems stuff, why not just use the many good cloud or managed VPS options out there? This way you don’t have to worry about the stress, the problems, and the risk, because a bigger, more experienced company will handle it.

@River
I am going to be using a VPS. I’m more worried about the app itself. For example, using a login (even using AWS Identity or another service), stopping people who aren’t allowed from seeing the app’s data, and so on. (I’m using Express and Postgres as a backend in my case).

I know it depends on the app, but are there guides or checklists or something? Or a list of attacks that can happen for a certain system?

@Zane
The OWASP Top Ten is a place to start: OWASP Top Ten | OWASP Foundation

@Zane
There are classes on security and the best ways to design APIs.

There are also classes for specific systems.

If you want to spend some money, there are security people who will check your system.

Check this out: https://www.youtube.com/watch?v=R-4_DbV1Su4

A big plus is not making the same thing that someone else already did, especially for security. For example, PHP has built-in things for passwords that are tested and safe (as safe as possible). Or PDO in PHP has things for stopping SQL injection. Don’t rewrite those parts and instead learn what the best ways are. If you think something you made isn’t safe, do something about it. If you don’t have a big IT team, keep your system simple and don’t host it yourself. Shared hosting or VPS plans are not as bad as some people say and can be good enough for some things.

I often have ChatGPT or another LLM look at my code for common attack points or security problems that I might have missed. It works well for that!

Avoid as much risk as you can.

Need to keep credit card info? Don’t do it. Send it to a service. Need to make sure who someone is? Send that too… when you can. Need a safe server? Use one of the big tech companies so they have to deal with their problems first.

Get something to limit how often someone can try.
Get a CSRF token.
Get a honey pot. Make your own honey pot.
Cloudflare if you want.

The main idea is to not do it yourself. Focus on making the app or service instead.

The number one thing to do as a developer is check what people give you. On the front end and back end, don’t use what the user gives you without checking that it is what you expect. Be good with regex. If it isn’t what you expect, don’t fix the data, just reject it.

Check your response headers, you want things like Content-Security-Policy, HSTS, X-Frame-Options, etc. If you are using WordPress, make sure your plugins are up to date and think about a security plugin like Wordfence.

There is more on the infrastructure side and about who can use what but if you do the above, you’ll avoid 90% of problems.
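The "check what people give you" and "check your response headers" advice above, as an added example for an Express/Postgres backend (not code from the thread). The validator is an allow-list: each field has a regex describing exactly what is acceptable and anything else is rejected rather than cleaned up, and fields the handler did not declare are rejected too, since a stray `is_admin` in a request body is how mass-assignment bugs start. The schema, field names and header values are constructed for the example; the CSP in particular has to be tuned to what a real app loads.

```javascript
// Added example (not the thread's code). Plain Node, no framework loaded.

// Constructed schema: one anchored regex per field. Note JS's `$` matches only
// at the true end of the string, so a trailing newline does not slip past.
const SCHEMA = {
  username: /^[a-z0-9_]{3,32}$/,
  email: /^[^\s@]{1,64}@[a-z0-9.-]{1,253}\.[a-z]{2,24}$/i,
  age: /^(?:[1-9][0-9]?|1[01][0-9]|120)$/,     // 1..120, as the string it arrives as
};

// Returns { ok: true, value } containing only the declared fields, or
// { ok: false, errors }. Nothing is "fixed up": bad input is refused.
function validate(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const value = {};
  for (const field of Object.keys(input)) {
    if (!Object.prototype.hasOwnProperty.call(schema, field)) {
      errors.push(`unexpected field: ${field}`);
    }
  }
  for (const [field, re] of Object.entries(schema)) {
    const raw = input[field];
    if (typeof raw !== 'string') { errors.push(`${field}: missing or not a string`); continue; }
    if (!re.test(raw)) { errors.push(`${field}: does not match the expected format`); continue; }
    value[field] = raw;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Express-style middleware that validates req.body against a schema and
// answers 400 with the error list instead of calling the handler.
function requireBody(schema) {
  return function (req, res, next) {
    const result = validate(schema, req.body);
    if (!result.ok) { res.status(400).json({ errors: result.errors }); return; }
    req.validated = result.value;
    next();
  };
}

// The headers the post lists, plus two cheap companions. Starting values only;
// the CSP must reflect the scripts, styles and images the app actually serves.
const SECURITY_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'no-referrer',
};
function securityHeaders(req, res, next) {
  for (const [name, val] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, val);
  next();
}
```

Use as `app.use(securityHeaders)` near the top of the middleware chain and `app.post('/signup', requireBody(SCHEMA), handler)` per route, reading `req.validated` rather than `req.body` in the handler. Send HSTS only once the site is actually served over HTTPS everywhere, because browsers remember it.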

Most of cybersecurity protection (like DDoS) can be handled by other companies these days. Learn to use Cloudflare in your app.

Host on a big VPS like Hetzner and send your web server through Cloudflare. It’s easy, but you also need to make sure all the API endpoints in your backend are safe too.

Linden said:
Host on a big VPS like Hetzner and send your web server through Cloudflare. It’s easy, but you also need to make sure all the API endpoints in your backend are safe too.

Good point about Cloudflare, but like you said, the app itself is the hard part. I’m just worried I’ll make a mistake and leave something open.

I know security should be part of the QA before the app goes live. I’m trying to figure out how I can do that myself in a good way.

@Zane
That’s why routing middleware exists.
For example: middleware.mustBeAdmin.yourApiHandler
middleware.canBeAnybody.yourApiHandler
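What that middleware idea looks like written out for an Express-style app, as an added example (not code from the thread). Guards are ordinary `(req, res, next)` functions; a tiny router refuses to register any route that does not name a guard, which is the deny-by-default property that stops "I forgot the check" from shipping. `mustOwn` adds the object-level check the original poster asked about: being logged in is not permission to read someone else's row. It is assumed that `req.user` (`{ id, role }`) was set by an earlier session/JWT step and that records carry an `ownerId`; no framework is loaded, so the block runs stand-alone.

```javascript
// Added example (not the thread's code). Plain Node, runs offline.

function canBeAnybody(req, res, next) { next(); }

function mustBeLoggedIn(req, res, next) {
  if (!req.user) { res.status(401).end(); return; }
  next();
}

function mustBeAdmin(req, res, next) {
  if (!req.user) { res.status(401).end(); return; }
  if (req.user.role !== 'admin') { res.status(403).end(); return; }
  next();
}

// Object-level authorisation. Missing and foreign records both answer 404 so a
// caller cannot enumerate which IDs exist. `load` is the async row fetch.
function mustOwn(load) {
  return async function (req, res, next) {
    if (!req.user) { res.status(401).end(); return; }
    const record = await load(req.params.id);
    if (!record || (record.ownerId !== req.user.id && req.user.role !== 'admin')) {
      res.status(404).end(); return;
    }
    req.record = record;
    next();
  };
}

// Matches '/records/:id' style patterns; returns the bound params or null.
function matchPath(pattern, path) {
  const ps = pattern.split('/'), xs = path.split('/');
  if (ps.length !== xs.length) return null;
  const params = {};
  for (let i = 0; i < ps.length; i++) {
    if (ps[i].startsWith(':')) params[ps[i].slice(1)] = xs[i];
    else if (ps[i] !== xs[i]) return null;
  }
  return params;
}

class Router {
  constructor() { this.routes = []; }
  // A route with no guard throws at startup rather than shipping open.
  add(method, path, guards, handler) {
    if (!Array.isArray(guards) || guards.length === 0) throw new Error(`${method} ${path} has no guard`);
    this.routes.push({ method, path, guards, handler });
  }
  async dispatch(req) {
    const res = {
      statusCode: 200, body: undefined,
      status(c) { this.statusCode = c; return this; }, end() {}, json(b) { this.body = b; },
    };
    for (const route of this.routes) {
      if (route.method !== req.method) continue;
      const params = matchPath(route.path, req.path);
      if (!params) continue;
      req.params = params;
      for (const guard of route.guards) {
        let proceeded = false;
        await guard(req, res, () => { proceeded = true; });
        if (!proceeded) return res;      // the guard already wrote the status
      }
      await route.handler(req, res);
      return res;
    }
    res.status(404);
    return res;
  }
}

// Constructed sample data and routes.
const RECORDS = { '1': { id: 1, ownerId: 'alice' }, '2': { id: 2, ownerId: 'bob' } };
const loadRecord = async (id) => RECORDS[id] || null;

function buildRouter() {
  const r = new Router();
  r.add('GET', '/health', [canBeAnybody], (req, res) => res.json({ ok: true }));
  r.add('GET', '/admin/users', [mustBeAdmin], (req, res) => res.json(['alice', 'bob']));
  r.add('GET', '/records/:id', [mustBeLoggedIn, mustOwn(loadRecord)], (req, res) => res.json(req.record));
  return r;
}
```

In real Express the equivalent is `app.get('/records/:id', mustBeLoggedIn, mustOwn(loadRecord), handler)`; the extra `Router.add` check here only exists to make "every route names its guard" something the code enforces rather than something you remember.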

Security has to be a high point from day one. No shortcuts. No “I’ll fix it later.” No “this is okay for now.” Thinking things are safe just because you hide them is not real. Etc.

IP-whitelist SSH and Plesk connections.

For self-hosting apps, focus on securing your server. Use HTTPS, protect private data, and handle user sign in. Start with the OWASP Top 10 to learn common security risks.

Use third-party infrastructure as much as you can, especially for anything that could be a good target for attackers. Anything about sign-in or money.