4.4 - Security Recommendation


It is your responsibility to implement security; Media Road Inc. is not responsible for it (read the license agreement for details). After making sure everything is working in the production environment, we recommend that you:

Delete SpeedCheck_manual_upload* from your web server

 

Hide all administrator report files SpeedCheck_admin_report* from the public, or password-protect them.

Modify SpeedCheck_upload* so that the system deletes the file automatically. Refer to the advanced configuration in the Installation section.

In SpeedCheck.* set <param name="display_java_runtime_error" value="0">. Sometimes it is good to leave it as "1" so that you or your customers can report bugs to us, which helps us improve our product.

Tighten the file-level permissions on your /upload directory. WARNING: This can be tricky and may stop SpeedCheck's upload from working. Consult your server administrator.

When creating your own scripts, always beware of SQL injection when handling quotes (' and ") in your PHP/ASPX scripts. This can be a very serious problem if you write bad scripts. For more information, search for "sql injection" in Google.

Vulnerable: query = "insert into table value (' " + variable + " ')";

Assuming variable is passed to the script by POST or GET, the above statement is vulnerable: a quote inside variable ends the string literal early, and the rest of the value becomes part of the SQL statement itself.

PHP: Always use qstr, e.g. $conn->qstr($variable), to quote and escape each value before it is placed in the query. Refer to the ADOdb database wrapper documentation.

ASP.NET: Always use StringBuilder with SQL queries. Refer to the Microsoft .NET documentation.
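
The vulnerable pattern above beside two safe ways of handling the value in PHP, as an added example that is not part of the SpeedCheck manual. It uses PDO with an in-memory SQLite database so that it runs stand-alone without a database server; PDO::quote() stands in for ADOdb's $conn->qstr(), and the prepared statement stands in for ADOdb's $conn->Execute($sql, array($variable)).

```php
<?php
// Added example (not SpeedCheck code): the concatenation pattern from this
// page beside two safe alternatives. PDO + in-memory SQLite is used only so
// the script runs anywhere; with ADOdb, $conn->qstr($variable) plays the
// role of $pdo->quote($variable), and $conn->Execute($sql, array($variable))
// the role of the prepared statement in step 3.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE results (client_name TEXT)");

// Constructed sample input, as it might arrive in $_POST['client_name'].
// A perfectly legitimate name containing a quote is enough to show the problem.
$variable = "O'Brien";

// 1. Vulnerable: the raw value is pasted into the SQL text. The quote in the
//    value closes the string literal early, so the database no longer sees the
//    statement the author wrote (here it fails with a syntax error; other
//    inputs would change the statement's meaning instead).
$query = "insert into results (client_name) values ('" . $variable . "')";
try {
    $pdo->exec($query);
    echo "vulnerable query ran\n";
} catch (PDOException $e) {
    echo "vulnerable query failed: " . $e->getMessage() . "\n";
}

// 2. Quoted: the driver escapes the value and wraps it in quotes before it is
//    concatenated. quote()/qstr() add the surrounding quotes themselves, so
//    the SQL text must not add its own.
$query = "insert into results (client_name) values (" . $pdo->quote($variable) . ")";
$pdo->exec($query);

// 3. Preferred: a prepared statement keeps the value out of the SQL text
//    entirely; the driver sends it as data, never as part of the statement.
$stmt = $pdo->prepare("insert into results (client_name) values (?)");
$stmt->execute([$variable]);

// Show what was actually stored by the two safe variants.
$rows = $pdo->query("select client_name from results")->fetchAll(PDO::FETCH_COLUMN);
print_r($rows);
```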

 

Hide errors from users

 

      ASP.NET: edit Web.Config

      <configuration>
           <system.web>
                <customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
           </system.web>
      </configuration>

 

      PHP: edit PHP.INI

      display_errors = Off

 

Keep your web server software up to date with the latest security patches.