Website security: A vital factor to maintain

Even at the dawn of the internet, when it was still used by very few people, the first cyberattacks were already happening. The very first cyberattack appears to have taken place as early as 1988, when only a few tens of thousands of computers were connected to the internet.

These days, these attacks are common and more frequent. This threat is almost invisible, transforms constantly, and concerns us all, whether we’re individuals, small or large companies, or administrations. This is the case regardless of the scale of the internet exposure. Of course, the main web players and the most strategic economic players are much more exposed to it than the owner of a small website. However, everyone must ensure they have the right measures in place to guarantee optimal protection for their business.

Why secure your websites?

Although this phenomenon certainly isn’t new, the number of cyberattacks has increased significantly in recent years. This number has quadrupled in two years, according to a report by the French National Agency for the Security of Information Systems (ANSSI). The particular context of the past two years has, of course, exacerbated the prevalence of this trend — providing fertile ground for vulnerabilities that are more easily exploited by cybercriminals.

Since early 2020, the healthcare crisis has highlighted many vulnerabilities within organisations. This is particularly true with the accelerated implementation of wide-scale remote working, sometimes associated with breaches of certain basic IT security rules. However, all of this is part of a long-term trend, and recent events have been a catalyst. For example, the number of vulnerabilities identified in the Common Vulnerabilities and Exposures (CVE*) database over the past decade has increased significantly, with a notable acceleration since 2017.

*The CVE is a publicly accessible list of cybersecurity vulnerabilities. This database is free to use.

As a leading cloud and web services provider, we place great importance on both the security of our infrastructures and that of our service users. At OVHcloud, our philosophy has always been to include a wide range of solutions by default that will help protect you, no matter which service level you choose. Of course, it is still important to stay informed regarding the proper implementation of basic IT security rules (e.g. secure access, regularly updating applications, CMS tools and associated plugins as part of web hosting plans).

Your opinion is important to us. This is why we recently launched a survey to ask you what your main expectations are for our web services. The feedback we received has revealed that many of you are expecting more features to better secure these services. In order to meet these expectations, and deliver increasingly innovative services, we’re offering new security solutions as part of our CDN option for shared hosting.

How do I secure my website?

Your security is one of our top priorities, so all of our web hosting plans include the following essential protections by default:

  • An SSL certificate to secure HTTPS connections to your website.
  • Anti-DDoS protection to protect servers in the event of an attack.
  • A new CDN Security option, compatible with all of our web hosting plans, so you can go even further in securing your websites.

Let’s Encrypt SSL certificate: HTTPS security for everyone

HTTPS protocol encrypts data between the visitor’s browser and your website. It also enables the browser to ensure that it is visiting the correct website. Today, it represents a standard for website security — and it is a guarantee of trust for your visitors. We offer this service free of charge and with no time limit, with all of our web hosting plans.

What is an SSL certificate?

If you would like to know more about these certificates, please read our page on the subject: your free SSL certificates via Let’s Encrypt.

For large or small projects, our anti-DDoS protection is free

Like any infrastructure hosted at OVHcloud, regardless of size, your website is protected by the most powerful anti-DDoS system on the market. It protects your website round-the-clock against distributed denial-of-service (DDoS) attacks, and we will alert you if any dangers occur.

Optimal protection with CDN Security

We want to support you as much as possible in ensuring that your websites are secure — whether they are personal or professional, small or large. This means you can stay as close as possible to market standards, and even exceed them.

The CDN Security pack is easy to use, complements the CDN Basic service (included for free with our Performance web hosting plans), and provides enhanced protection for your websites.

This all sounds great on paper, but what are the main additional features offered by this option?

Web Application Firewall (WAF)

Let’s start by exploring one of the most advanced features of our CDN Security solution: WAF. The purpose of the Web Application Firewall is to detect and block attacks or data leaks from your website.

Built on ModSecurity (https://github.com/SpiderLabs/ModSecurity) and the OWASP Core Rule Set (CRS) (https://coreruleset.org/), this option analyses requests for attack patterns, SQL injections, XSS vulnerabilities, and more.

For example: if an SQL injection attempt is made following a vulnerability in your content management system (CMS), the application firewall blocks the upstream request in order to protect your site. You can then wait for your CMS to be updated without it being affected. Please remember that security updates are essential for your website to work properly, and are part of our best practices.

The WAF can also analyse your website’s responses, and block a request that would return sensitive data. This is to protect against database leaks, source code leaks and technical information leaks on your infrastructure.

For optimal ease of use, the rules for this application firewall are managed by our team. There is currently a single profile that covers many types of attacks.

In the coming months, we plan to create a wider range of profiles designed to meet the specific aspects of certain content management systems. You can then select the profile you want for your project directly from the OVHcloud Control Panel.

HTTPS Redirect

Your SSL certificate cannot guarantee that 100% of the traffic to your website will be secure. Some requests may arrive unencrypted. This is where HTTPS Redirect comes in.

With this feature enabled, your Shared CDN will automatically redirect visitors using the non-secure version of your website to the HTTPS version, secured by your SSL certificate. As a result, the sensitive data exchanged between your visitors and the website will be encrypted, i.e. not freely accessible on the internet. This ensures maximum security.

How does HTTPS Redirect work?

Tip: combine the HTTPS Redirect option with the HSTS option for better use of the secure version of your site.

HTTP Strict Transport Security (HSTS)

HSTS is an option to notify your visitor’s browser that your HTTPS site is only accessible securely, and for a given period of time. By enabling this option, you can ensure that a visitor always returns via the secure version of your website, even if they are using a simple HTTP link.

How does HSTS work?

When a browser requests access to a resource on your website using HTTPS protocol, the Shared CDN adds a “Strict-Transport-Security” header containing a “max-age” field. This field indicates a duration, in seconds, during which the browser will only use HTTPS. The visitor’s browser will then cache the information, indicating that your website must always be used in HTTPS during this period. The period is then extended automatically each time the web user visits the website.

What is HSTS?

In a man-in-the-middle attack, an attacker would claim to be your website and collect confidential customer information. This type of attack is rendered impossible with HTTPS, because the attacker cannot certify that they are the holder of your website. The customer’s browser will block the website from loading.

With the HSTS option, the browser knows that your website is only accessible in HTTPS. This way, the attack will be detected by the visitor’s browser, as the fraudulent website will not be able to prove its identity via the SSL certificate.

Tip: The minimum recommended duration for the HSTS value is 6 months. It can be increased to 1 or 2 years once you are in production.

Mixed Content Management

When a visitor’s browser loads your website, if it is secured by HTTPS, it is essential to ensure that all your website’s resources are accessible in HTTPS.

To load properly, your website usually needs a lot of internal and external resources (images, CSS, JavaScript, etc.). If your website gives the visitor’s browser HTTP addresses to load these resources, they will be blocked. A red padlock will then appear next to the address bar, indicating to the visitor that the site is not fully protected.

With the Mixed Content option, you can add a ‘Content-Security-Policy’ header to your HTTPS site, telling the customer’s browser to load all resources in HTTPS. This option is compatible with all modern browsers, and ensures that your website loads correctly.

This way, the valid lock indicating that your site is secure will always be available. All of your resources will also be delivered in HTTPS, even if they are defined in HTTP in your code.

However, if you are using resources that are external to your website, please ensure that the web server can communicate in HTTPS. Otherwise, the resource in question cannot be loaded.
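Before enabling the option, it helps to list which resources a page still references over HTTP and which of them depend on a third-party server supporting HTTPS. The following is an added example, not OVHcloud code: it assumes the header uses the standard CSP directive `upgrade-insecure-requests` (the page does not name the directive), and the HTML sample and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attribute triggers a subresource load (plain <a> links are not).
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "link": "href", "audio": "src", "video": "src", "source": "src"}

class MixedContentScanner(HTMLParser):
    """Collect subresource URLs that are written with the http:// scheme."""
    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("http://"):
                self.insecure.append(value)

def csp_upgrades(csp_value):
    """True if the Content-Security-Policy value asks the browser to upgrade."""
    names = [d.split()[0].lower() for d in csp_value.split(";") if d.strip()]
    return "upgrade-insecure-requests" in names

def audit_mixed_content(html, csp_value, site_host):
    """Return (url, verdict) for every http:// subresource in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    upgraded = csp_upgrades(csp_value)
    report = []
    for url in scanner.insecure:
        host = urlsplit(url).hostname
        if not upgraded:
            verdict = "mixed content"
        elif host == site_host:
            verdict = "upgraded to https"
        else:  # external resource: loads only if that server speaks HTTPS
            verdict = "upgraded; %s must serve https" % host
        report.append((url, verdict))
    return report

# Constructed sample page for a hypothetical site www.example.com.
PAGE = '''<html><head>
<link rel="stylesheet" href="http://www.example.com/style.css">
<script src="https://cdn.example.net/app.js"></script>
</head><body>
<img src="http://images.example.org/logo.png">
<a href="http://other.example/">link</a>
</body></html>'''
```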

Shared CDN comparison table

In this table, you will find all of the features included in each of our solutions. The CDN Basic is included free of charge with our Performance web hosting plans: simply enable it via the OVHcloud Control Panel.

In short, stay protected!

From unavailability and data leaks to hacking, an attack can have serious consequences. The inconvenience caused can often have a massive impact — your brand image may end up tarnished.

To avoid this, we wanted to make it as easy as possible to enable these protections. We also wanted to offer an easy-to-use interface with all the documentation you need to support you.

This way, you can get professional protection solutions managed by OVHcloud in just a few clicks, for the best price.

As the saying goes, prevention is better than cure. So make sure your websites are protected today.

Product Manager Web Cloud

Passionate about all kinds of web technologies, Product development, Mountain addict

Product Marketing Manager

Web, Marketing, Metal & Capybaras

IT Team Leader

Focused on Web performances and security

Alexandre Wicquart
Thomas Du Boys