Project Pointers
Got this from a comment on slashdot by raddan. Seems like good advice…
- Never pass unvalidated input to your database
- Never pass unvalidated input to the system
- Always validate on the server-side; client-side validation should only function as a convenience to the user
- Validate data coming from other servers (if you’re doing any web services stuff).
- Encrypt connections to the server
- Enforce inactivity timeouts
- Do not allow multiple logins to the same account (unless you want your game or application to work that way)
- Always authenticate users; consider using two-factor authentication (CAPTCHA + password, etc)
- Allow administrators to revoke accounts
- Make it easy for administrators/force administrators to sandbox/chroot your application
- If your application needs to use server storage, consider DoS attacks (a user uploading lots of stuff)
- Make sure all privileged actions hit the same authentication class/function; if you change your authentication code, this ensures that the changes are applied across the board <– I catch newbie programmers making this mistake all the time!
If you do all of the above, your app might still not be “secure”, but breaking it will be a PITA.
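Two of the points above (never hand unvalidated input to the database, and route every privileged action through one authentication function) are easy to show in code. The following is an added example written for this post, not code from raddan's comment or from any real project. It uses Python's built-in sqlite3 module, a constructed in-memory users table, an assumed 15-minute inactivity timeout and an assumed role-to-action table; the session records are plain dicts standing in for whatever session store a real application would use.

```python
import sqlite3
import time
from functools import wraps

# --- Database access: bind input as values, never splice it into SQL text ---

def make_db():
    """Constructed in-memory table with sample rows (not data from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return conn

def find_user_unsafe(conn, name):
    """The mistake: string formatting lets the input be parsed as SQL, so even a
    legitimate name containing an apostrophe changes the statement's structure
    and the query fails (or worse, does something it was never meant to do)."""
    return conn.execute(f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()

def find_user_safe(conn, name):
    """The fix: a parameterized query. The driver passes the value separately
    from the statement text, so the input can never alter the query itself."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# --- Privileged actions: one authorization function used everywhere ---

class AuthError(Exception):
    pass

IDLE_TIMEOUT = 15 * 60           # assumed policy: 15 minutes of inactivity ends a session
ROLE_ACTIONS = {                 # assumed role-to-action table
    "admin": {"revoke_account", "list_users"},
    "user": {"list_users"},
}

def authorize(session, action, now=None):
    """The single choke point. Every privileged handler calls this, so a change
    to the policy (timeout, roles, adding a second factor) applies to all of
    them at once instead of being re-implemented in each handler."""
    now = time.time() if now is None else now
    if session is None:
        raise AuthError("not logged in")
    if now - session["last_seen"] > IDLE_TIMEOUT:
        raise AuthError("session expired after inactivity")
    if action not in ROLE_ACTIONS.get(session["role"], set()):
        raise AuthError(f"role {session['role']!r} may not {action}")
    session["last_seen"] = now   # activity refreshes the idle clock

def privileged(action):
    """Decorator that routes a handler through authorize(); a handler cannot
    'forget' the check because the check is not written inside it."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(session, *args, **kwargs):
            authorize(session, action)
            return fn(session, *args, **kwargs)
        return wrapper
    return decorate

@privileged("revoke_account")
def revoke_account(session, conn, name):
    """Admin-only action from the list above; returns the number of rows removed."""
    return conn.execute("DELETE FROM users WHERE name = ?", (name,)).rowcount

@privileged("list_users")
def list_users(session, conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY name")]

def new_session(user, role, last_seen=None):
    """Constructed session record; a real app would load this from its session store."""
    return {"user": user, "role": role,
            "last_seen": time.time() if last_seen is None else last_seen}

if __name__ == "__main__":
    db = make_db()
    try:
        find_user_unsafe(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("unsafe query broke on ordinary input:", exc)
    print("safe query:", find_user_safe(db, "O'Brien"))
    admin = new_session("alice", "admin")
    print("revoked rows:", revoke_account(admin, db, "bob"))
    try:
        revoke_account(new_session("carol", "user"), db, "alice")
    except AuthError as exc:
        print("denied:", exc)
```

The unsafe query is kept only to show the failure mode: it breaks on an ordinary surname, which is the same mechanism that lets hostile input rewrite the statement. The decorator is the practical form of raddan's last point: because `authorize()` is the only place that knows about roles and timeouts, adding two-factor enforcement or changing the idle limit later is a one-line change that every privileged handler picks up.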