An internet security expert shares 3 tips for building a secure website
Every Cybersecurity Awareness Month, the National Cyber Security Alliance and the Department of Homeland Security join forces to raise awareness about the significance of cybersecurity in everyday life. This year’s theme is “Secure Our World.”
These days, anyone can easily make a website — whether for business, to share a personal portfolio or to publish a blog. It’s also become a lot easier and more important to keep it secure. To help, today we’re sharing three actionable tips from internet security experts that everyone can use to make their websites more secure. These tips will help keep personal information and private data safe and help secure our world, one website at a time.
- Install a TLS certificate
A Transport Layer Security certificate (sometimes referred to as SSL) enables the encryption of data transmitted between your website and its visitors, protecting sensitive information. It’s a must-do if your website collects personal information, such as credit card info or logins with passwords, but experts recommend installing SSL for every website. Most registrars offer SSL certificates, and you can always install one yourself through Let’s Encrypt.
- Opt for HSTS-preloading
The HSTS-preload list is a list of websites that modern browsers will load only over a secure, encrypted connection. It is the easiest way to ensure that connections to websites cannot be downgraded to an unencrypted connection, from the first time a visitor visits your website to every time after. There are two ways to get HSTS-preloading, which will be covered below.
- Choose a secure hosting provider
Research and select a hosting provider with a strong reputation for security measures, such as firewalls, intrusion detection systems, and regular backups.
What many website owners don’t know is that bad actors may try to misdirect traffic, spy through open Wi-Fi networks, inject malware or tracking, or alter site content. They can use even a single page that isn't encrypted to gain access to the rest of your website. To help make your website more resistant to HTTP downgrade attacks, there are two ways to implement HSTS preloading:
- Add your domain to the HSTS-preload list and wait for browsers to propagate the change.
- Use an HSTS-preloaded top-level domain, such as .app, .dev, .page, .rsvp, and .day, and receive the highest standard of website encryption from day one. There are no extra steps beyond installing an SSL certificate and no need to wait for browsers to update.
To make HSTS-preload available to more people, Google Registry is partnering with registrars to offer a 50% discount off our HSTS-preloaded domains this October. Visit safe.page/domain to get a secure domain today, and for more info on encryption and HSTS-preloading, check out this video.