Advice

5 Questions You Should Be Asking Your Web Developer

photo of Lara Tiu
Lara Tiu
5 Jan 2024
3 min read

Overview

It is imperative to prioritize security and sound development practices right from the outset. This approach not only ensures reliability and scalability but, above all, proactively safeguards your business and customers against cyber threats.

When you're planning to get a website for your business, it's important to ask certain key questions from your web developer or IT service provider. We’ve compiled a list of questions that should give you an understanding of what questions to ask and why.

If you require assistance with auditing, contact MomentPort today and we will be happy to assist you.

Question 1

What platform are you building the html / css / javascript (website) on and why?
Choosing the right platform for HTML, CSS, and JavaScript development is crucial, especially concerning security and performance. Security should not be an afterthought; it should be integrated into the development process. It's essential to select a web developer who uses a platform that allows for the export of clean HTML, CSS, and JavaScript code. The code must adhere to standards and be readily accessible to you. Accessibility ensures that your website can be hosted on any software, providing you with flexibility. Flexibility enables complete control over your site's performance and security. Full control also permits you to enhance security by editing the raw code before publishing, ensuring security compliance and significantly reducing your threat landscape.

It's crucial to avoid web developers who use building platforms that tie you to a specific hosting service, such as WordPress, Shopify, Durple, Weebly, or Wix. While these software applications attract non-technical users by allowing them to build and manage websites without coding, they come with serious caveats. In addition to the security considerations mentioned earlier, using these platforms results in limited customization, dependence on possibly outdated software, bloated code that slows down your website, and other compromises.

You should also be cautious about plugins; many CMS platforms like WordPress heavily rely on them. Plugins are add-on software components that extend functionality or add new features to the website, but they can be a double-edged sword. They provide additional capabilities without the need for coding but can also introduce security vulnerabilities. After all, your security is only as strong as the weakest link. The overall security of your website depends on the security of each individual plugin, often maintained by developers unknown to you.

In summary, a developer's choice of a platform without code export options could be seen as a sign of inexperience or minimal effort, neither of which is a justifiable trait in a professional web development company.

Question 2

What does your incident response plan (IRP) look like?
An incident response plan (IRP) is a comprehensive strategy designed to manage and mitigate the impact of a security breach or system outage. The essential elements of an IRP and what you should be looking our for are: (1) the implementation of regular data backups, ensuring that critical information is preserved and can be quickly restored. Additionally, a key component of the IRP involves (2) establishing a distributed computing environment. This approach ensures that if one server or data center experiences issues, the workload can seamlessly shift to another server located in a different geographical area. This not only enhances the system's resilience to localized disruptions but also minimizes downtime, ensuring business continuity and the protection of sensitive data. Another factor you should be looking out for is if the web developer (3) maintains detailed logs. This can help identify the source of the breach or outage.

Question 3

Once the website is built, who will be hosting and maintaining the web server and security protocols?
After your website is built, choosing a hosting solution is critical in your overall security landscape. The hosting solution for a website typically comprises several components – one for hosting static elements like images and HTML files, and another for dynamic elements such as API gateways. These dynamic components are essential for executing advanced functions like user authentication, database interactions, and the efficient processing of API gateway requests.

Whether selecting a hosting solution for the static or dynamic components of your website, it's crucial to engage a web developer committed to minimizing security risks. Opt for a developer who prioritizes highly automated hosting solutions, as this approach significantly reduces vulnerabilities and enhances the overall security of your website. Additionally, this mitigates human error and falling behind on important maintenance, which if not done may lead to a breach. For static components, you should look for anyone using Object Storage Services like Microsoft Azure Blob Storage, Google Cloud Storage, Cloudflare R2, and of course, Amazon Web Services (AWS) S3. As for dynamic components, cloud computing services such as Cloudflare, Microsoft Azure, AWS and Google Cloud are great choices as they provide robust development platforms covering API gateways, databases, and authentication, with little to no maintenance. Additionally, cloud-based solutions often offer better scalability, which is important for websites of all sizes.

Before launching your new website, it's essential to ensure that your web developer has undertaken security hardening measures. A fundamental yet often overlooked step is the correct configuration of security headers. Security headers are server response headers sent from a website to the browser, instructing the browser on how to behave when handling the site's content, thereby mitigating risks associated with client-side attacks like cross-site scripting (XSS), clickjacking, and other code injection attacks [1]. Configuring security headers is a delicate art, and watch out for any developer who whitelists everything with wildcards on the site as it severely weakens its protection.

Equally important is the implementation and maintenance of a Web Application Firewall (WAF). A WAF serves as a protective barrier for web applications, filtering and monitoring HTTP traffic between the web application and the Internet. It effectively shields against various web-based attacks, including but not limited to cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection  [2]. Leading WAF solutions, like Cloudflare WAF, AWS WAF, and Azure WAF, offer robust protection tailored to counter these evolving threats efficiently.

After a hosting provider has been chosen, the work does not stop there. Maintenance is as important as the initial secure code-focused design. Any organization or individual you work with should have a clear understanding of who will be maintaining the website and what the average turnaround is for patching vulnerabilities, if not automated. Security is an ongoing process, and while automated solutions reduce vulnerabilities, they are not infallible. Regular security audits and manual checks should be emphasized.


[1] https://help.deepsecurity.trendmicro.com/20_0/on-premise/http-security-headers.html
[2] https://www.cloudflare.com/learning/ddos/glossary/web-application-firewall-waf/

Question 4

Will my website include any code utilizing server-side processing (and if so, what and why)?
Server-side processing is the act of sending information to a server to be processed, and then a result is returned to the end user's web browser. While server-side processing can be a valuable tool to enhance security, and is often required for many applications like authentication, over reliance upon server-side processing can actually create a less secure environment, especially if unmaintained or not configured correctly.  

A competent web developer should understand why each and every piece of information is being sent for server-side processing and be able to explain that to you. For example, let’s say we have a website where the only dynamic element is business hours. This information could be retrieved efficiently by pulling in a JSON data file containing all holidays and regular hours from the server and then parsing and displaying the information based on the current day using JavaScript locally in the browser.

Alternatively, it could also be done by sending a request on page load to the server with the current date attached, and then the server needs to compare the current date to a database of hours and send that data back. The second approach may introduce a security vulnerability, as it involves taking a field that is potentially editable by the end user and processing it on the server, and it also adds steps that affect load times. A prime example of overusing server processing can be found in WordPress, where the platform's architecture relies heavily on server-side processing for even basic content display in many cases. This can lead to slower performance and an increased security threat landscape.

Question 5

Does your hosting and data handling meet my specific compliance requirements?
Depending on the industry that your business operates in, you might need to adhere to industry-specific compliance standards and regulations such as ISO 27018, which is a set of standards that specifically address the protection of personally identifiable information (PII) in cloud computing environments for data protection. Another example is if you work in healthcare in the USA, you may need to take HIPAA compliance into consideration as HIPAA is a U.S. federal law that sets forth regulations for the healthcare industry to protect the privacy and security of patients' protected health information (PHI).

It's worth noting that many web developers will not have a complete understanding of your industry. Therefore, conducting comprehensive research and due diligence before embarking on any project is essential.

Meet JADA. Your business's first AI Representative.

Just AskJADA

Learn More