December 7, 2023

How To Secure Apache with Let’s Encrypt on Ubuntu 20.04

Let’s Encrypt is a Certificate Authority (CA) that facilitates obtaining and installing free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx. In this guide, we’ll use Certbot to obtain a free SSL certificate for Apache on Ubuntu 20.04, and make sure this certificate is set up to renew automatically. This tutorial uses a separate virtual host file instead of Apache’s default configuration file for setting up the website that will be secured by Let’s Encrypt. We recommend creating new Apache virtual host files for each domain hosted on a server, because it helps to avoid common mistakes and keeps the default configuration files available as a fallback setup.

How To Secure Nginx with Let’s Encrypt on Ubuntu 20.04

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx. In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically. This tutorial will use a separate Nginx server configuration file instead of the default file. We recommend creating new Nginx server block files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.

An Introduction to Let’s Encrypt

Let’s Encrypt is an open and automated certificate authority that uses the ACME (Automatic Certificate Management Environment) protocol to provide free TLS/SSL certificates to any compatible client. These certificates can be used to encrypt communication between your web server and your users. There are dozens of clients available, written in various programming languages, and many integrations with popular administrative tools, services, and servers. The most popular ACME client, Certbot, is now developed by the Electronic Frontier Foundation. In addition to verifying domain ownership and fetching certificates, Certbot can automatically configure TLS/SSL on both Apache and Nginx web servers. This tutorial will briefly discuss certificate authorities and how Let’s Encrypt works, then review a few popular ACME clients.

Web API Security and Best Practices

APIs often self-document information, such as their implementation and internal structure, which can be used as intelligence for a cyber-attack. Additional weaknesses, such as weak authentication, lack of encryption, business logic flaws and insecure endpoints, leave APIs exposed to the following attacks: Man In The Middle (MITM), API injections (XSS and SQLi), and Distributed Denial of Service (DDoS).

Securing Web APIs and Best Practices

Web APIs are the backbone of an organization’s database. The downside of publicly available APIs is that they are risk factors for the API providers. APIs are the tools and interfaces that let third parties access data through an endpoint, which is essentially a server together with its database access. It is therefore important for all organizations, whether large or small, to make their APIs secure, particularly those which are available publicly.

3 Ways to Secure Your Web API for Different Situations

Security is an important part of any software development project, and APIs are no exception. Even for a public API, having control over who can access your service is a usual business requirement. As Web APIs are stateless in nature, the security context cannot depend on a server session. Each request made to the API must attach some form of credentials, which have to be validated on the server. The techniques discussed here concern authentication and authorization and do not encrypt transmitted messages. Message encryption is usually handled by the HTTPS protocol shared by the client and server.

Salted Password Hashing – Doing it Right

If you’re a web developer, you’ve probably had to make a user account system. The most important aspect of a user account system is how user passwords are protected. User account databases are hacked frequently, so you absolutely must do something to protect your users’ passwords if your website is ever breached. The best way to protect passwords is to employ salted password hashing. This page will explain why it’s done the way it is. There are a lot of conflicting ideas and misconceptions on how to do password hashing properly, probably due to the abundance of misinformation on the web. Password hashing is one of those things that’s so simple, yet so many people get it wrong. With this page, I hope to explain not only the correct way to do it, but why it should be done that way.
