Previously on "website security"


  • NewbieContractor
    replied
    "It is somewhat alarming that clients task a newbie contractor, who freely admits, web is not their strong point, with securing what is in effect sensitive information."

    Just goes to show.. if you can pull the wool over your clients' eyes and sell yourself well.. then you can get a nice contract out of it.



  • ratewhore
    replied
    Originally posted by NewbieContractor
    You cannot class a site as secure if you can see the password in the source code..

    It'll be fine - it's base64 encoded...

    [RW in 'just so you know - that's irony' mode]



  • threaded
    replied
    Originally posted by NewbieContractor
    dickhead - sorry I mean cliphead

    Knowledge is basic - but not THAT basic..

    You cannot class a site as secure if you can see the password in the source code..
    Security through obscurity is no security at all...

    Or did you mean to say it's something you have and something you know...



  • _V_
    replied
    It is somewhat alarming that clients task a newbie contractor, who freely admits, web is not their strong point, with securing what is in effect sensitive information.

    No wonder so many projects go tits up.

    I am going to put all the banks' PIN numbers online, but will ask criminals to look away from the monitor when I display them.

    No peeking!



  • NewbieContractor
    replied
    Ok - to protect important info



  • Ardesco
    replied
    Would you not classify that as important then?


    I would.



  • NewbieContractor
    replied
    because there is a degree of sensitive info - i.e. company calendars etc.. internal contacts etc..



  • Ardesco
    replied
    What is the point of making it secure if you aren't protecting anything important?



  • Cliphead
    replied
    Read the page:

    "Do NOT protect anything important with a script like the one below. Either get Coffeecup's password wizard, find a CGI Script or ask your web host to set up an .htpassword file if you need to protect important information."



  • NewbieContractor
    replied
    dickhead - sorry I mean cliphead

    Knowledge is basic - but not THAT basic..

    You cannot class a site as secure if you can see the password in the source code..



  • Cowboy Bob
    replied
    Originally posted by Cliphead
    LOL, what's stopping someone just navigating directly to page2.html in that example?

    I know HTTP basic authentication isn't 100% secure, but it will keep all but the most determined hacker out. As for that script...

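
An added example (not code from the thread or from the linked page) contrasting a password check done in page source with an HTTP Basic check made by the server on every request, so that requesting page2.html directly is refused. The user name, passwords and the `/private/` path are constructed assumptions.

```javascript
// Added example; user name, passwords and paths are constructed, not from the thread.
const crypto = require('crypto');

// Client-side gate: the comparison value ships to every visitor in the page source.
const clientGateSource =
  "if (prompt('Password') === atob('bGV0bWVpbg==')) location = 'page2.html';";

// Base64 is an encoding, not encryption: the value in the source decodes directly.
function secretVisibleInSource(src) {
  const m = /atob\('([^']+)'\)/.exec(src);
  return m ? Buffer.from(m[1], 'base64').toString('utf8') : null;
}

// Server-side store holds salted scrypt hashes only, never the password itself.
function makeUser(password) {
  const salt = crypto.randomBytes(16);
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
const users = new Map([['alice', makeUser('constructed-passphrase')]]);
const dummy = makeUser('unused'); // hashed for unknown users so timing stays uniform

// Build the header a browser sends after the login popup. It is only base64,
// so Basic authentication needs HTTPS to keep the password off the wire.
function basicHeader(user, pass) {
  return 'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64');
}

// Called for every request: returns the HTTP status for this path and header.
function authorize(path, authHeader) {
  if (!path.startsWith('/private/')) return 200; // public content
  const m = /^Basic ([A-Za-z0-9+\/]+=*)$/i.exec(authHeader || '');
  if (!m) return 401; // no credentials: direct navigation is refused
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return 401;
  const rec = users.get(decoded.slice(0, sep)) || dummy;
  const candidate = crypto.scryptSync(decoded.slice(sep + 1), rec.salt, 32);
  const match = crypto.timingSafeEqual(candidate, rec.hash);
  return match && rec !== dummy ? 200 : 401;
}
```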


  • Cliphead
    replied
    Have a look at this for simplicity

    http://www.2createawebsite.com/enhan...d-protect.html



  • NewbieContractor
    replied
    Maybe I should mention that net security is not my main skill in life.. so as simple ways as possible is always helpful

    Thanks so far!



  • DimPrawn
    replied
    Originally posted by Weltchy
    You can do this on IIS by turning on any of the authentication methods and switching anonymous access off. When someone logs in, a popup will automatically ask for the user to login. You then need to ensure that they have a user account on the server!!!
    If you do this, bear in mind that each user will require a CAL on the webserver.

    Alternatively, buy an ISAPI filter that allows you to use Basic or Digest Authentication but store your users in a database or text file, negating the requirement for Windows CALs.



  • Weltchy
    replied
    You can do this on IIS by turning on any of the authentication methods and switching anonymous access off. When someone logs in, a popup will automatically ask for the user to login. You then need to ensure that they have a user account on the server!!!
