Web server security audit and privacy protection
In order to protect your web service from unauthorized intrusion, you need to think like a hacker. The audit shows you measures with which you can increase data protection as well as the security of your website – for yourself as well as your visitors.
Companies that process personal data are obliged to take appropriate measures to prevent the unlawful use of data by third parties. A large number of sites are subject to hacking based on certain selections from search engines, rankings, and directories. As a result, absolutely any Internet resource can "get into the crosshairs". You need to be prepared for such a turn of events.
We advise you not to rely only on your own luck, especially if you own a commercial service or an online store. The cost of a security audit and constant monitoring is usually many times lower than the loss from the hack itself.
Scope of the audit
The audit will check the following measures for the protection of your website:
• Correct HTTPS encryption;
• Use of HTTP security headers;
• Calling external website resources;
• Use of tracking measures;
• Legally compliant integration of social media plugins;
• Checking for blacklist entries;
• Data protection violations with e-mail accounts.
For each partial audit, you will receive a result as well as recommendations for action if measures are required. These recommendations may, for example, concern your privacy policy or be of a technical nature.
We would like to briefly explain each of the partial audits reviewed below. In the appendix of the completed audit, you will find further information on all audited key data.
HTTPS encryption
Today, websites should always be encrypted using HTTPS (Hypertext Transfer Protocol Secure). The clear advantage of this is that all data transmitted between your web server and your customers' browsers is protected from access by unauthorized third parties. This is particularly important when using website logins, contact forms, or shopping cart functions.
The SSL or TLS certificate required for encryption is now offered at a reasonable price by most hosting providers.
Among other things, we check whether your certificate supports the latest TLS versions and whether automatic forwarding from HTTP to HTTPS takes place.
HTTP Security Header
When you open a web page in your browser (mobile or desktop), your browser communicates with the relevant web server. In the process, both parties send so-called HTTP headers – the basis of the Internet.
The browser makes a request, which is answered by the webserver. This communication can be extended on the server-side by various HTTP headers that increase security and privacy.
These include, for example, the HTTP header "Content-Security-Policy", which allows you to effectively protect your customers from attack methods such as cross-site scripting.
We check your website for a total of eight different HTTP headers. For each header, you will receive a recommendation as well as detailed information in the appendix.
Calling external resources
A website consists of a wide variety of components. These can include special web fonts or script libraries like jQuery. Often, these types of resources are loaded from external web servers (so-called content delivery networks, or CDN for short).
In addition, embedded YouTube videos and Google Maps are also external resources.
When a visitor opens your website, data is also transmitted to the providers of these external resources. The providers could misuse this data to track and profile the visitor across different websites.
Therefore, the use of all external resources must be listed in the privacy policy. Many resources could be stored on your own web server without any downside.
We check the use of external resources on your home page and the first two menu levels.
Use of tracking measures
Tracking is the collection of user data as well as its analysis of application.
This can be done on your website through two places:
• You use web analytics software, such as Google Analytics or Matomo.
• You use external resources known as trackers.
When using web analytics software, be sure to anonymize the IP address. If the software sets cookies, this must be explicitly allowed by the user beforehand.
External resources – in addition to the CDNs mentioned above – may include embedded advertising banners, for example.
Legally compliant integration of social media plugins
Again, this is ultimately about the vexed topic of tracking. As you will notice, some partial audits deal with the same basic question.
When integrating social media plugins, the following applies: data may only be transmitted to the provider when a user interacts with the share or like buttons.
Checking for blacklist entries
There are various negative lists ("blacklists") on the Internet. These contain websites on which malware has been found or from whose domain spam has been sent.
One of these blacklists is "Google Safe Browsing", which is used as a data source by various browsers. When such a website is called up, a clear warning message is then displayed in the browser.
If your website domain is listed on such a list, this may be due to various reasons. It is possible that your website was really hacked unnoticed. Or you may be using a domain that someone else had registered before. And even if it is a false alarm, you need to take action.
The audit will check if your domain is known in any of these lists. Afterward, you will be able to take appropriate actions.
Email account privacy breaches
Email addresses are used to register with a wide variety of services. These include software products as well as forums and social networks. All registration data (e-mail addresses, passwords, other personal data) is stored in the databases of the respective provider.
Data breaches regularly become known in which this data was not adequately protected and is now freely available on the Internet.
The audit checks whether e-mail addresses with your domain appear in such a data breach.
A site security audit is a proactive measure that allows you to get an adequate assessment of the security of the resource of the company, complete information about the vulnerabilities found, possible attack scenarios, and recommendations for their elimination. This, in fact, is not an event, but a continuous process to ensure the safety of the business processes of the company website, preserving business reputation, economic growth, and business development.
The owner believes that it is unprofitable to protect his Internet business in advance from "mythical" hacker attacks. And quite another thing is SEO promotion or advertising, which brings tangible results in terms of money and increased brand awareness.
We absolutely understand this point of view. Prevention is a tricky thing. But if you compare the cost of recovering from a hacker attack, plus take into account its consequences in the form of loss of achieved positions in all indicators (search engines, customer confidence, traffic), the investment in the installation of protection and security audit seems quite insignificant.