Possible Duplicates:
What are the security concerns I need to consider while coding?
What should a developer know before building a public web site?

If you are unable to, or simply aren't likely to, use SSL then you definitely should:

  1. Not be transmitting sensitive information.
  2. Remember that using SSL doesn't make your website totally secure (man-in-the-middle attack).

If, however, you still insist on trying to secure your site without SSL, or you simply need some general website security tips:

  1. Encrypt form information using JavaScript (XOR etc.) before posting (keeps honest people honest).

  2. On your login page, transmit an SHA (> 1) hash of the password in a hidden field and clear the password field using the form's onsubmit event. Don't just send the password in plain text. Again, use an SHA (> 1) JavaScript hash.

  3. Don't pass information around using the query string. If you insist on using the query string, use AES encryption with a per-session key and initialization vector.

  4. Don't populate HTML controls that store value/text pairs with plain-text IDs, such as AccountID/AccountName. Rather, populate them with (AES-encrypted ID)/AccountName. And for Pete's sake don't concatenate and display the ID and its associated Name string.

  5. Authenticate on each request. Quite simply, if the session is still valid then you should have a session variable to indicate whether the user is still logged in or not. Otherwise, redirect or transfer to the login page.

  6. For every request, if JavaScript isn't enabled and you need JavaScript, simply display a link to, or redirect to, a page that describes how to enable JavaScript in various browsers.

  7. Create an error page that does not display a stack trace or other details about the website. It just has a smiley face and a friendly message on it. Redirect all errors to this page.

  8. HTMLEncode all fields before storing them in a database or re-displaying the data.

  9. If page requests or login attempts happen too quickly, use captchas to ensure the user is human.

  10. Separate the database server from the web server (i.e. don't run them on a single machine).

  11. Store a hash of the salted password and the salt, rather than storing the plain text password.

  12. Secure your database server (subject of another discussion).

  13. Secure your web server (subject of another discussion).

  14. Validate user input (GET and POST data) before using it (range checks etc.).

  15. Use parameterized queries rather than concatenating strings of SQL. This eliminates the need to correctly escape the SQL string for the database in question.

Any more website security tips?
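Tips 11 and 15 worked through in Python against an in-memory SQLite database, as an added example that is not part of the original post. The salted hash is PBKDF2-HMAC-SHA256 (an assumption; the post only says "a hash of the salted password"), and the user names, passwords and table layout are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed in-memory database standing in for the site's user store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")


def hash_password(password: str, salt: bytes) -> bytes:
    # Tip 11: hash the salted password. PBKDF2-HMAC-SHA256 is used here as the salted hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(name: str, password: str) -> None:
    salt = os.urandom(16)  # fresh random salt per user, stored next to the hash (tip 11)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))


def verify(name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    # compare_digest keeps the comparison time independent of where the hashes differ.
    return hmac.compare_digest(hash_password(password, row[0]), row[1])


def lookup_unsafe(name: str) -> list:
    # The anti-pattern tip 15 warns against: `name` is spliced into the SQL text,
    # so a quote inside it ends the literal and changes the statement itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [r[0] for r in conn.execute(sql)]


def lookup_safe(name: str) -> list:
    # Tip 15: with a placeholder, `name` stays a bound parameter whatever it contains.
    return [r[0] for r in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Constructed sample users.
register("alice", "correct horse")
register("bob", "battery staple")

# A value that contains a quote: the concatenated query returns every user,
# the parameterized query correctly finds nobody.
tricky = "nobody' OR '1'='1"
print(lookup_unsafe(tricky))  # ['alice', 'bob']
print(lookup_safe(tricky))    # []
```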