Chapter 9. Security and Privacy Issues

At several points in the earlier chapters, I've alluded to various security-related concerns such as the need to check the contents of forms to make sure submitted information is valid. In this chapter, we'll pull these threads together to survey some of the security issues with which you should be concerned when you develop and run a Web site, and to discuss what you can do to address the dangers. In many cases, the purpose of security measures is to protect the integrity of your own data. But security also comes into play with regard to the collection and use of information that you obtain from visitors to your site, which brings up the topic of privacy. You should respect the privacy of people who use your site, so the chapter also discusses ways to avoid compromising the information they provide to you. Trust is a valuable commodity that you don't want to lose.

The discussion in this chapter is specific to security as it relates to Web development, but you should also be concerned about general system security. Even if you run a little-known site that doesn't receive much traffic, don't think that you're safe merely because of your relative obscurity. The bad guys are continually running scanners looking for machines with vulnerabilities. These scans are not based on how well known you are. They're automated, and they sweep the entire Internet address space. You will be found and probed.

One thing I want to emphasize at the outset is that good security is difficult to achieve, and there is no simple recipe you can follow to make your site safe and secure forever. New exploits are discovered on an ongoing basis, so I encourage you to adopt a security-conscious mindset in which you're continually on the lookout for new information that can help you ward off the bad guys. Security is not just a matter of acquiring tools; it's also a frame of mind from which springs the desire to understand why the tools are necessary and how to use them effectively. If you use the techniques shown here, they will help make your site secure; they will not guarantee no one can find an exploit. Computer security is a very large topic served by an extensive literature. For more information, I've suggested some additional resources in Appendix B, "References and Further Reading," that you might find helpful.

Know Your Cryptography Regulations

This chapter includes some material related to cryptographic techniques. Cryptography is regulated in some countries. I'm assuming here that you'll write and use cryptography-related software in accordance with your country's legal policies.

MySQL and Perl for the Web
ISBN: 0735710546
EAN: 2147483647
Year: 2005
Pages: 77
Authors: Paul DuBois
