firm_website
firm_website [2019/08/09 18:47] – neil
firm_website [2021/07/06 09:26] (current) – external edit 127.0.0.1
Line 2: Line 2:
  
 ====Key points: ==== ====Key points: ====
-  * [[#Secure your DNS: it's critical|Secure your DNS: it's critical]] +  * [[firm_website#Secure your DNS: it's critical|Secure your DNS: it's critical]] 
-  * [[#Host your server (physically) in a suitable jurisdiction|Host your server (physically) in a suitable jurisdiction]] +  * [[firm_website#Host your server (physically) in a suitable jurisdiction|Host your server (physically) in a suitable jurisdiction]] 
-  * [[#Keep your software up to date|Keep your software up to date]] +  * [[firm_website#Keep your software up to date|Keep your software up to date]] 
-  * [[#Encrypt traffic between your visitors and your website|Encrypt traffic between your visitors and your website]] +  * [[firm_website#Encrypt traffic between your visitors and your website|Encrypt traffic between your visitors and your website]] 
-  * [[#Take regular backups, automatically|Take regular backups, automatically]] +  * [[firm_website#Configure your site to be as secure as you can|Configure your site to be as secure as you can]] 
-  * [[#Be careful with contact forms and text entry fields|Be careful with contact forms and text entry fields]] +  * [[firm_website#Take regular backups, automatically|Take regular backups, automatically]] 
-  * [[#Control who can post content to your website|Control who can post content to your website]] +  * [[firm_website#Be careful with contact forms and text entry fields|Be careful with contact forms and text entry fields]] 
-  * [[#Your firm's website and Tor|Your firm's website and Tor]] +  * [[firm_website#Control who can post content to your website|Control who can post content to your website]] 
-  * [[Assess third party Javascript before embedding it in your site|Assess third party Javascript before embedding it in your site]]+  * [[firm_website#Your firm's website and Tor|Your firm's website and Tor]] 
 +  * [[firm_website#Assess third party Javascript before embedding it in your site|Assess third party Javascript before embedding it in your site]]
  
 ====Secure your domain name: it's critical ==== ====Secure your domain name: it's critical ====
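Review bot: the first key-point link targets the anchor `Secure your DNS: it's critical`, but the section heading shown in the context line is `====Secure your domain name: it's critical ====`; DokuWiki derives the anchor from the heading text, so this link will not resolve on either side of the diff. Either change the link to `[[firm_website#Secure your domain name: it's critical|Secure your domain name: it's critical]]` or rename the heading so the two match. Restoring the missing `#` on the `Assess third party Javascript` entry on the `+` side is correct, as that link was also broken before.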
Line 57: Line 58:
 The more complex the software stack on which your website is running, the greater the opportunities for bugs or exploits.  The more complex the software stack on which your website is running, the greater the opportunities for bugs or exploits. 
  
-Keep an eye on updates to the software, and test and deploy quickly.+Keep an eye on updates to the software, and test and deploy quickly. You are probably better of enabling automatic updates if this is an option. There is a risk that an update might be incompatible with something you are doing with your site, and so automatically upgrading might cause problems, but you are more likely to have problems if you do not update your software.
  
 If you are using a third party to run your website, or you are hosting it on someone else’s platform, check out their policy on applying software updates. If you can, enter into a service level arrangement which sets out how and when they patch their servers, at both the operating system level and the application level (i.e. the web server software itself, as well as the software on which that web server software runs). If you are using a third party to run your website, or you are hosting it on someone else’s platform, check out their policy on applying software updates. If you can, enter into a service level arrangement which sets out how and when they patch their servers, at both the operating system level and the application level (i.e. the web server software itself, as well as the software on which that web server software runs).
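Review bot: typo in the added sentence: `better of enabling` should read `better off enabling`. The sentence also raises the risk that an automatic update breaks the site but offers no mitigation; a pointer to the tested-backup advice in the `Take regular backups, automatically` section would close that loop, since a restore is the recovery path when an update does break something.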
Line 75: Line 76:
   * opening an additional port in your firewall, to allow traffic on port 443.   * opening an additional port in your firewall, to allow traffic on port 443.
  
 +If your website hosting provider offers "automatic SSL" or "automatic TLS", this is probably a way to set up an encrypted connection.
 +
 +If you run your own server, the easiest way to get this up and running is to use a free [[https://letsencrypt.org|Let’s Encrypt]] certificate, which you can install through the [[https://certbot.eff.org|certbot]] tool.
 +
 +===Renew your certificate automatically ===
 +
 +A common failing when using an encryption certificate for a website is failing to renew it. If you do not renew it before it expires, visitors to your website will see an error message, which you do not want.
 +
 +LetsEncrypt certificates expire after three months, and, if you use certbot to install a LetsEncrypt certificate, it should handle renewals automatically. If you supplied an email address as part of the configuration process, you should get an email shortly before the certificate expires; for the first renewal at least, keep an eye on the site at the time the certificate expires, to check it has renewed automatically correctly.
 +
 +If you do not have a LetsEncrypt certificate, you will need to remember to buy a new certificate from whichever company is providing your certificate, and then download it and install it on your web server.
  
 ===Redirect unencrypted connections to encrypted connections === ===Redirect unencrypted connections to encrypted connections ===
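Review bot: the added text spells the provider two ways, `Let’s Encrypt` and `LetsEncrypt`; pick one, preferably the project's own `Let's Encrypt`. The advice to `keep an eye on the site at the time the certificate expires` is vague for a section titled `Renew your certificate automatically`; a concrete check would help, for example running `certbot renew --dry-run` once after installation to confirm the renewal path works, and saying that a renewal failure should be caught well before the three-month expiry rather than at it.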
Line 80: Line 92:
 In addition to setting up your server to offer an encrypted connection, make a further change so that visitors are automatically redirected to the secure version of your site. In addition to setting up your server to offer an encrypted connection, make a further change so that visitors are automatically redirected to the secure version of your site.
  
-This means that, even if they access the insecure version of your website (http://), they will be automatically redirected to the secure version (https://), without them needing to do anything.+This means that, even if they access the insecure version of your website (http:), they will be automatically redirected to the secure version (https:), without them needing to do anything. 
 + 
 +If you use certbot to install a LetsEncrypt certificate, it will ask you during the installation of your first certificate if you want it to make the changes to your web server's configuration to do the redirection automatically. If you do not know what you are doing, this is probably a sensible thing to do. 
 + 
 +==== Configure your site to be as secure as you can ==== 
 + 
 +You can increase the security of your site, and lessen the risk of malicious or inadvertent compromises, by configuring the information which your site sends to a visitor in the background. These are not changes to the content of your pages, but rather some initial, behind the scenes, instructions. 
 + 
 +The easiest way to start is to visit [[https://securityheaders.com|securityheaders.com]] or [[https://observatory.mozilla.org|observatory.mozilla.org]] and put in your site's URL. It will assess your site, based on this background information, and give you a grading. More helpfully, it tells you (roughly) what you need to do to improve. 
 + 
 +{{::screenshot_2019-08-23_at_20.09.08.png?400|}} 
 + 
 +You implement these changes by configuring the "headers" which your web server sends, and you can normally do this either by changing your web server's configuration, or else on a directory-specific basis through using a special file in the directory, called .htaccess.
  
 +Make sure you test your site thoroughly after making changes, to make sure things work correctly. This is especially true if you load things (such as font, or images, or plugins) from third party locations, and lock down your settings (such as the "content security policy" header) to restrict what can be loaded from where. The easiest way of testing your site is by using [[tor|TorBrowser]], as this will ensure you are not loading content from your normal browser's local storage.
  
 ==== Take regular backups, automatically ==== ==== Take regular backups, automatically ====
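Review bot: the edit to the redirect sentence changes `(http://)` and `(https://)` to `(http:)` and `(https:)`, which drops the scheme separator and reads as accidental; the original form should be restored (wrapping it in `%%...%%` will stop DokuWiki treating the slashes as a link if that was the reason for the change). In the new `Configure your site to be as secure as you can` section, `.htaccess` is an Apache-specific mechanism; saying so would stop nginx or IIS users looking for a file that has no effect on their server. The screenshot `{{::screenshot_2019-08-23_at_20.09.08.png?400|}}` has nothing after the `|`, so it carries no alt text; a short caption such as the grading report from securityheaders.com would help readers who cannot see the image.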
Line 87: Line 112:
 Ensure you have an [[backups|accessible, tested backup of your firm's website]]. If you update your site regularly, consider automating your backups, so that you don't have to think about it (if you have to think about it, you'll probably forget to do it). Ensure you have an [[backups|accessible, tested backup of your firm's website]]. If you update your site regularly, consider automating your backups, so that you don't have to think about it (if you have to think about it, you'll probably forget to do it).
  
-If your hosting provider decides to close shop unexpectedly, you can get back up and running far more quickly if you have a tested backup available.+If your hosting provider decides to close shop unexpectedly, or your website gets hacked, you can get back up and running far more quickly if you have a tested backup available.
  
 ==== Be careful with contact forms and text entry fields==== ==== Be careful with contact forms and text entry fields====
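Review bot: adding `or your website gets hacked` as a reason to keep backups is sound, but restoring a backup after a compromise only helps if the cause is fixed first; a cross-reference to the `Keep your software up to date` section, and a note that a backup taken after the compromise may already contain the attacker's changes (which is why dated, tested backups matter), would make the recovery advice complete.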
firm_website.1565376433.txt.gz · Last modified: 2021/07/06 09:26 (external edit)