Top 4 Bad Habits Web Developers Need To Forget

Web developers today wide elbow room when it comes to developing their sites, as we enter the age of modern Javascript-engine browsers capable of Web Assembly, WebGL 2.0 and advance Cascading Style Sheets. We already moved on from the dark ages of the web when web developers were forced to implement ‘hacks’ in order to fit their sites to the proprietary restrictions imposed by the infamous Internet Explorer 6. However, old bad habits of web developers still persist to this day. In this article, we enumerate those old bad habits and explain why those need to stop.

Laziness when it comes to updating
Be it the CMS (Content Management System), or the underlying MariaDB version that runs at the back-end, web developers need to end the habit of not updating the components of the website’s back-end. This is especially true when it comes to the extensions of the CMS, as they need to be updated as well to fix security bugs. It is unfortunate that some web developers will only take notice of the old version in the event a bad news such as a bug or an exploit is discovered in the software stack. Refuse from becoming a potential victim of security issues, by keeping the software stack up-to-date, the client’s brand will be heavily damaged if the website experience a security breach in the future.

Use of Unencrypted pages
With the popularity of letsencrypt.org, it is no longer an alibi for web developers to create a HTTP-only/unencrypted website. With the letsencrypt.org project, anyone can have a valid digital certificate acceptable by mainstream browsers without spending a dime. The Let’s Encrypt project states: “We give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free, in the most user-friendly way we can. We do this because we want to create a more secure and privacy-respecting Web.” Yes for HTTPS everywhere, it is no longer acceptable to have a site on HTTP-only mode, as modern versions of browsers will automatically label the site as ‘not secure’ by default, discouraging traffic to the site as people don’t see a green padlock on their address bar.

The Unimportance of Web Application Firewall
We are in the age of the web that is interactive, database-driven and powered by intense levels of JavaScript. Plugins from other 3rd party providers get installed as the web developers feel it, but most of them for aesthetic purposes only instead of being much more utilitarian. When it comes to plugins, the most important to have is a Web Application Firewall – which scans the site for vulnerable areas. Non-updated part of the site is an attack surface for threat actors and must be patched as soon as they become available.

Allowing weak authentication procedure
There are still some web developers that never impose password complexity requirements for the site they develop for their clients. Passwords such as Password123, OpenSesame, P@$$w0rd and qwerty should never be allowed in the system. A simple policy of increasing the password complexity, such as more randomness can help prevent brute force attacks from being successful.