
Brian Bush
4,398 Points
website security
When building a website, how do you go about adding security? Is it done by the web host? Or is there coding that needs to be added to a file? ex. (html, css, js, php, ruby?)
4 Answers

Kevin Korte
28,149 Points
Depends on what you're building, but it's your responsibility to make sure your website is secure. Depending on your host, they may or may not take care of server updates and security, so you need to know. Some hosts are very hands-on and will maintain your web server's security for you; others are completely hands-off.
But when it comes to your website, you are responsible for keeping people from jacking your code. Whenever you accept input from a user, you are vulnerable. You always want to sanitize input, and escape output.

James Barnett
39,199 Points
> is it done by the web host? or is there coding that needs to be added to a file?

It's your responsibility as the person who writes the code to make sure it's secure and the server you host it on is secure.
It's just like building a house ... it's your job as the builder to make sure it doesn't fall down and hurt anyone who happens to be inside.
If you aren't at a stage in your learning to know that code is secure, then you are responsible for keeping your not-yet-safe code away from the public. To extend our analogy, it's similar to knowing when people can safely occupy a building; before that point it's your job to try and warn people to keep out of half-finished buildings, as they could be dangerous.

Kevin Korte
28,149 Points
Digging this metaphor. I like it!

James Barnett
39,199 Points
Kevin Korte - I'm seeing a "metaphor all the things" meme in our future

Kevin Korte
28,149 Points
Sounds like that idea is a go to me! :)

Brian Bush
4,398 Points
Awesome, thank you. Last question. I use FileZilla to transfer files to a free website from 000webhost (just for experimenting). I can get it to connect via FTP protocol, but when I try to use sFTP, the connection always times out and says it can not connect. Do web hosts have to support sFTP or are there other steps I need to take to get it to work?

James Barnett
39,199 Points
Brian Bush - I just did a quick Google; they don't support SFTP, however they do support FTPS, which is a different method to securely transfer files. A quick Google brought me to this thread: http://www.000webhost.com/forum/before-registration/19299-safe-file-uploads.html
If you are curious on how sftp and ftps are different:
FTPS (also known as FTP-ES, FTP-SSL and FTP Secure) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.
FTPS should not be confused with the SSH File Transfer Protocol (SFTP), an incompatible secure file transfer subsystem for the Secure Shell (SSH) protocol. It is also different from Secure FTP, the practice of tunneling FTP through an SSH connection.

Brian Bush
4,398 Points
Thanks! I tried googling it but I couldn't find anything. Appreciate the help!

James Barnett
39,199 Points
> I tried googling it but I couldn't find anything.

It's all in search terms.
The first result on Google for 000webhost sftp is this page; in that forum thread was where I found the link I posted above.

Brian Bush
4,398 Points
Ah, appreciate the help!

Brian Bush
4,398 Points
How do you go about sanitizing input and escaping output? How is user info kept secure?

Kevin Korte
28,149 Points
I've not done much of any with RoR, but on both the PHP courses here, and the database courses, they do talk briefly about security for both the code and the database, and show you some things that can be done. Fortunately, PHP has some built-in helper classes to sanitize input and escape output, and so must RoR, because if you notice, if you just type in code into the forum, it strips out all of the tags unless you put it between four ```` marks.
What you learn here is enough for you to go out and find more information to make sure you are thorough. It's confusing and scary at first, but Treehouse can at least give you some basics, and point you in the right direction for more advanced stuff.
I wouldn't be surprised if they make web security its own deal here at some point.
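
One way to do what the answers above describe, validating input on the way in and escaping output on the way out, as an added example that is not part of the original thread. It is plain Ruby using the standard library's `ERB::Util.html_escape`; the form fields, length limits and sample submissions are assumptions constructed for illustration.

```ruby
require 'erb'

# Constructed allowlist rules for a hypothetical comment form.
USERNAME_RE = /\A[A-Za-z0-9_]{3,20}\z/
EMAIL_RE    = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/
MAX_COMMENT = 500

# Input side: check each field against what it is allowed to contain.
# Returns [clean_hash, errors]; clean_hash is nil when anything is rejected.
def validate_comment(params)
  errors  = []
  name    = params['username'].to_s.strip
  email   = params['email'].to_s.strip
  # Drop invalid byte sequences and NUL bytes before measuring length.
  comment = params['comment'].to_s.scrub('').delete("\u0000").strip

  errors << 'username must be 3-20 letters, digits or _' unless name.match?(USERNAME_RE)
  errors << 'email is not valid' unless email.match?(EMAIL_RE) && email.length <= 254
  errors << "comment must be 1-#{MAX_COMMENT} characters" unless (1..MAX_COMMENT).cover?(comment.length)

  return [nil, errors] unless errors.empty?
  [{ 'username' => name, 'email' => email, 'comment' => comment }, errors]
end

# Output side: escape at the moment a value is written into HTML.
# The comment is kept as typed; markup characters become entities here.
def render_comment(clean)
  h = ERB::Util.method(:html_escape)
  %(<article class="comment"><h3>#{h.call(clean['username'])}</h3>) +
    %(<p>#{h.call(clean['comment'])}</p></article>)
end

# Constructed sample submissions (not real user data).
SAMPLE_OK = {
  'username' => 'brian_b',
  'email'    => 'brian@example.com',
  'comment'  => %q(Nice post <script>alert("x")</script> & thanks)
}.freeze
SAMPLE_BAD = SAMPLE_OK.merge('username' => %q(bob"><img src=x>)).freeze

if __FILE__ == $PROGRAM_NAME
  clean, = validate_comment(SAMPLE_OK)
  puts render_comment(clean)       # tags in the comment are shown as text
  _, errors = validate_comment(SAMPLE_BAD)
  puts errors                      # the malformed username is rejected outright
end
```

Validation alone would not have made the comment safe to display, since free text legitimately contains `<` and `&`; the escaping in `render_comment` is what keeps it from being interpreted as markup.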