A website runs over the Internet, and the Internet is a public and untrusted medium for delivering an application's content. There will always be attackers trying to steal data, money or other sensitive information from a website, and some of them do it purely for fun.
The more popular your website becomes, the more attractive a target it is. Hence the pressing need to protect it.
At a minimum, protect your website by implementing the following:
Repel brute-force attacks
Attackers try to break into your website by guessing credentials, typically with an automated dictionary attack or something similar. Use a CAPTCHA on the login form and other sensitive forms so that such automated attacks are stopped, and always validate the CAPTCHA response on the server: a check performed only in client-side script is simply skipped by the attacker's tool. A CAPTCHA alone is not enough; also count failed attempts per account and per source address and refuse further attempts for a while once a threshold is crossed, so that a guessing tool is slowed down to uselessness.
Protect from “Denial of service” attacks
This type of attack is intended to deny your legitimate visitors access to your web application. The attackers bombard your server with repeated requests, often using fake identities and many different source IP addresses. The server slows down, eventually becomes unresponsive, and genuine users are denied your services.
Write routines that record each visitor's IP address and request frequency, and block addresses that exceed a sensible threshold. Be careful how you determine the client address: headers such as X-Forwarded-For are set by whoever sends the request and should only be trusted when the request arrives through your own proxy, otherwise an attacker can spoof the header to dodge the block or to get an innocent address blocked. Application-level throttling helps against request floods aimed at your application; a volumetric attack that saturates your bandwidth has to be absorbed upstream by your hosting provider or a CDN.
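The following is an added example written for this article, not code from it: a sliding-window throttle that serves both of the points above. Keyed by client IP it blocks a request flood; keyed by account name it throttles password guessing. The `client_ip` helper shows the X-Forwarded-For caveat. The thresholds, the trusted proxy addresses and the sample traffic are constructed assumptions; `RequestThrottle`, `client_ip` and `replay` are names chosen here, not from any framework.

```python
"""Sliding-window request throttle keyed by client IP (or by account name for
login attempts). Added example for this article; thresholds and the sample
traffic below are constructed assumptions."""
import time
from collections import deque


class RequestThrottle:
    """Allow at most `limit` requests per `window` seconds for one key; a key
    that exceeds the limit is refused for `block_for` seconds afterwards."""

    def __init__(self, limit=20, window=10.0, block_for=60.0, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self.clock = clock                  # injectable so the demo can fake time
        self._hits = {}                     # key -> deque of request timestamps
        self._blocked_until = {}            # key -> time at which the block ends

    def allow(self, key):
        """Record one request for `key` and return True if it may be served."""
        now = self.clock()
        expiry = self._blocked_until.get(key)
        if expiry is not None:
            if now < expiry:
                return False                # still blocked; do not even count it
            del self._blocked_until[key]    # block lapsed; start counting afresh
            self._hits.pop(key, None)
        hits = self._hits.setdefault(key, deque())
        hits.append(now)
        while hits and hits[0] <= now - self.window:
            hits.popleft()                  # forget requests older than the window
        if len(hits) > self.limit:
            self._blocked_until[key] = now + self.block_for
            del self._hits[key]
            return False
        return True


def client_ip(peer_addr, forwarded_for, trusted_proxies):
    """Decide which address to throttle on.

    X-Forwarded-For is only believed when the TCP peer is one of our own
    proxies; otherwise the client could write the header itself. Read the
    header from the right, skip our own proxies, and take the first address
    that is not ours.
    """
    if peer_addr not in trusted_proxies or not forwarded_for:
        return peer_addr
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return peer_addr


# Constructed traffic: (seconds, peer address). 203.0.113.9 floods the server,
# 198.51.100.4 is an ordinary visitor caught in the middle of it.
SAMPLE_REQUESTS = [
    (0.0, "203.0.113.9"), (1.0, "203.0.113.9"), (2.0, "203.0.113.9"),
    (3.0, "198.51.100.4"),
    (3.5, "203.0.113.9"), (4.0, "203.0.113.9"), (5.0, "203.0.113.9"),
    (6.0, "203.0.113.9"),
    (70.0, "203.0.113.9"),   # the 60 s block has expired by now
]


def replay(requests, limit=5, window=10.0, block_for=60.0):
    """Run constructed (time, ip) pairs through the throttle with a fake clock
    and return one allow/deny decision per request."""
    fake_now = [0.0]
    throttle = RequestThrottle(limit, window, block_for, clock=lambda: fake_now[0])
    decisions = []
    for ts, ip in requests:
        fake_now[0] = ts
        decisions.append(throttle.allow(ip))
    return decisions


if __name__ == "__main__":
    for (ts, ip), ok in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print(f"t={ts:5.1f} {ip:14} {'served' if ok else 'BLOCKED'}")
```

With a limit of 5 per 10 seconds, the flood source is served five times, refused from its sixth request on, and served again once the block has lapsed, while the ordinary visitor is never affected. Requests that arrive during a block are not counted, so a client that keeps hammering does not extend its own block forever; change that if you prefer the opposite.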
Implement an anti-phishing mechanism: do not allow unvalidated Return-URL redirects
To get hold of your customers' information, phishing sites try to convince your customers that they are the genuine site and ask them for their details. A customer who is not vigilant enough may end up handing information to the wrong hands, and will still believe it was your site that cheated them.
This is made much easier when you leave an open redirect on your site. Many login pages accept a ReturnUrl parameter (the ASP.NET convention) and, after authentication, redirect the user to whatever address it contains; the server assumes this is a legitimate way of moving from one area of the site or domain to another. Attackers misuse it: they send your genuine customers a link that really does point at your domain but carries a ReturnUrl to their own site, so the victim lands on the phishing page with your name still in mind, enters their credentials, and that information is then used or sold.
Wherever a redirect target comes from the request, validate it before redirecting: accept only site-relative paths (in ASP.NET MVC the Url.IsLocalUrl helper performs this check) and fall back to a fixed page otherwise. I have used ASP.NET as the example, but the same flaw and the same fix apply to any web server technology.
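The check described above, as an added example not taken from the article or from any framework. `is_local_url` re-implements the kind of test Url.IsLocalUrl performs so that it can be shown outside ASP.NET, and it goes slightly beyond the text by handling the tricks phishers use to sneak an absolute URL past a naive "starts with /" check: protocol-relative `//host`, the `/\host` form browsers also treat as protocol-relative, and leading whitespace that browsers strip. The URLs used in the demo are constructed.

```python
"""Open-redirect guard: honour a ReturnUrl only if it points back into this site.
Added example for this article; a reimplementation of the checks ASP.NET's
Url.IsLocalUrl performs, not the framework's own code."""
from urllib.parse import urlsplit


def is_local_url(url):
    """Return True only for site-relative paths such as "/account/orders?id=5".

    Rejected:
      - empty or missing values
      - anything with a scheme or host ("http://evil.example", "evil.example",
        "javascript:...") because it does not start with a single "/"
      - "//host" and "/\\host": browsers treat both as protocol-relative URLs
        that point at another origin
      - leading whitespace or control characters, which browsers strip and
        which would turn " http://evil.example" into an absolute URL
    "~/path" (ASP.NET's app-root notation) is accepted as "/path".
    """
    if not url:
        return False
    if url[0].isspace() or any(ord(c) < 0x20 for c in url):
        return False
    if url.startswith("~/"):
        url = url[1:]
    if not url.startswith("/"):
        return False
    if len(url) > 1 and url[1] in ("/", "\\"):
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def login_redirect(return_url, default="/account"):
    """Target of the post-login redirect: the ReturnUrl if it is local,
    otherwise a fixed landing page of our own."""
    return return_url if is_local_url(return_url) else default


if __name__ == "__main__":
    # Constructed ReturnUrl values a login page might receive.
    for candidate in ["/account/orders?id=5", "~/account", "//evil.example/login",
                      "/\\evil.example", "http://evil.example/login",
                      " http://evil.example", "javascript:alert(1)", ""]:
        print(f"{candidate!r:32} -> {login_redirect(candidate)}")
```

Note that the guard is applied where the redirect is issued, not where the link is generated: the attacker controls the link, so only the server-side decision counts.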
Use the MVC pattern to make security upgrades easier on your application
Developing with the MVC pattern lets you implement security checks such as authentication, input validation and redirect validation in one place, for example in filters or a base controller, instead of repeating them in every page. When a new type of threat is discovered, you update that one point rather than hunting through the whole application.