Monday, April 23, 2018

How to Ace the Lighthouse Security Audit

More of our activity and information is on the web than ever before. For most brands, stores, companies, and restaurants, their website is the first–and often most constant–form of contact with customers. They are looking for a positive, innovative, and informative experience with your website–but, they shouldn’t be putting their information and data at risk just to connect with you. That’s why Google’s Lighthouse Audit is so important–it’s a one-stop shop to ensure your website is performing well.

Google’s Lighthouse Audit is a tool developers use to test web pages based on five audit references: Performance, Progressive Web App (PWA) Compliance, Accessibility, Best Practices, and SEO Score. Once you provide Lighthouse with the URL you want audited, you will receive a generated report with scores in all five categories.

Each audit category contains criteria which the web page must fulfill in order to pass that portion of the audit. For now, let’s home in on security and see what Lighthouse’s audit looks for in security measures, as well as some of our tips to achieve a high security score.

Making the Move To HTTPS
All web pages should be protected by HTTPS, regardless of the type of information the page contains. HTTPS creates a secure connection by encrypting data in both directions, using an SSL (secure socket layer) certificate. This protects your users from intruders who tamper with or listen in on communications. The security rests on the SSL certificate and its keys, which encrypt the data so that it is very difficult to crack.

Unfortunately, you have to worry about more than just your main page being served securely: all unsecure HTTP traffic must be redirected to the HTTPS connection, and the resources your page loads must be served over HTTPS as well. A secure page that loads unsecure resources produces a mixed content error, and if you’re not careful, your page might not work properly when the browser blocks those unsecure resources.

Passwords and Authentication
Ensuring secure passwords and authentication is a key aspect of a secure platform. Contrary to popular belief, preventing users from using the paste option in a password field does not make the site more secure. By allowing the paste option, users can utilize password managers to not only paste the appropriate password, but also generate highly secure password combinations. To allow for utilization of this feature, remove the code that prevents users from pasting into password fields.
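As an added illustration (not code from the original post), the snippet below models what Lighthouse's "password inputs can be pasted into" check does: it dispatches a cancelable synthetic paste event and sees whether a handler cancelled it. Node's built-in EventTarget and Event stand in for a DOM password input so it runs offline; the field and handler names are made up for the example.

```javascript
// Anti-pattern often found on login pages: a paste handler that cancels the
// event. It stops password managers from filling the field, and Lighthouse
// flags it. The handler is returned only so the example can remove it below.
function blockPaste(field) {
  const handler = (e) => e.preventDefault();
  field.addEventListener('paste', handler);
  return handler;
}

// What the audit effectively does: fire a cancelable paste event at the field
// and report whether any listener called preventDefault(). A true result means
// the browser would have dropped the paste, so the audit fails.
function pasteIsBlocked(field) {
  const evt = new Event('paste', { bubbles: true, cancelable: true });
  field.dispatchEvent(evt);
  return evt.defaultPrevented;
}

// Stand-in for an <input type="password"> element (constructed for the example).
function makeField(name) {
  const field = new EventTarget();
  field.name = name;
  return field;
}

// Before/after: the field fails the check while the blocking handler is
// attached, and passes once that code is removed, which is the whole fix.
function demo() {
  const field = makeField('password');
  const handler = blockPaste(field);
  const before = pasteIsBlocked(field); // true: paste blocked, audit fails
  field.removeEventListener('paste', handler);
  const after = pasteIsBlocked(field);  // false: paste allowed, audit passes
  return { before, after };
}

const result = demo();
console.log(`with paste-blocking handler: ${result.before ? 'FAIL' : 'PASS'}`);
console.log(`handler removed:            ${result.after ? 'FAIL' : 'PASS'}`);
```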

In addition, two-factor authentication is becoming increasingly popular in online security. In its most common form, after entering your password you receive a text message with a verification code, which you are then prompted to enter. This means anyone who may be trying to hack into your account would need to know your password and have access to your mobile phone.

Securing JavaScript Libraries
There are billions of web pages with interactive capabilities, many of which share the same features. Although developers could write unique code each time they build a new site or a new set of capabilities, it’s more common for them to reuse already available code. In JavaScript, this shared code is packaged as a library: a file that contains all of the functions that complete a specific task on your web page. For example, there is a library that contains all the instructions needed for a functioning scrolling image gallery on a site.

Sharing and reusing sounds like a simple and time-effective situation, right? Unfortunately, this has led to outdated JavaScript libraries being used on websites, opening the site to potential threats. Thirty-seven percent of sites recently surveyed in a research study were found to have at least one vulnerability. In order to fully protect your site, be sure to pay attention to the libraries flagged by Lighthouse so that there are no vulnerabilities for web crawlers to detect.

Security is an important aspect of your site not just to pass the Lighthouse audit but also to provide users with a positive and safe user experience. Take the time to ensure all boxes are checked. Your site, your users, and your business will thank you.