At aviation logbook we take the security of your data seriously, and we have multiple security measures in place.
1. Secure connection over HTTPS/SSL
Hypertext Transfer Protocol Secure (HTTPS) is the standard way to communicate securely over a computer network and is deployed across most of the Internet. Technically it is not a separate protocol: it is ordinary HTTP layered on top of TLS (the successor of SSL), which adds encryption, integrity protection and server authentication to standard HTTP traffic. The main motivation for HTTPS is to prevent wiretapping and man-in-the-middle attacks. For this to hold, every page, not only the login form, has to be served over HTTPS, plaintext requests should be redirected, and session cookies should carry the Secure flag so a browser never sends them over plain HTTP.
2. SHA-1 hashed session data
For higher security, session data is stored under a SHA-1 digest rather than in the clear. SHA-1 is a one-way hash function, not an encryption algorithm: a digest cannot be decrypted back to its input. Two caveats apply in practice. A hash is only as strong as what is hashed, so a digest of a short or predictable value can be recovered by brute force; the value fed in must come from a cryptographically secure random generator. And SHA-1 is deprecated for collision resistance, so SHA-256 is the usual choice today.
3. Session fixation countermeasures
In computer network security, session fixation attacks exploit a system that allows one person to fixate (set) another person's session identifier (SID). Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data. The standard countermeasures are to accept the session identifier only from the session cookie, to reject identifiers the server did not itself issue rather than adopting them, and to issue a fresh identifier whenever the user's privilege level changes, in particular at login.
4. CSRF checks on state-changing forms
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
CSRF can also be dynamically constructed as part of a payload for a cross-site scripting attack, as demonstrated by the Samy worm, or constructed on the fly from session information leaked via offsite content and sent to a target as a malicious URL. CSRF tokens could also be sent to a client by an attacker due to session fixation or other vulnerabilities, or guessed via a brute-force attack,[12] rendered on a malicious page that generates thousands of failed requests. The attack class of "Dynamic CSRF", or using a per-client payload for session-specific forgery, was described
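The synchronizer token pattern that the CSRF check above relies on, as an added example (this is illustrative code, not the aviation logbook product's own implementation): the server creates a random per-session token, embeds it in each form it renders, and refuses any state-changing request whose submitted token does not match the one stored server-side. An attacker's page on another origin cannot read the token because of the same-origin policy, so a forged request arrives without it. The session dict, the handler and the form field names are assumptions made for the example.

```python
import hmac
import html
import secrets
from typing import Optional


def issue_csrf_token(session: dict) -> str:
    """Create (once) and return the per-session CSRF token.

    32 random bytes from the OS CSPRNG: long enough that guessing it by brute
    force is hopeless, which is what makes the token check meaningful.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_delete_form(session: dict, entry_id: str) -> str:
    """Render the (hypothetical) 'delete logbook entry' form with the hidden token."""
    token = issue_csrf_token(session)
    return (
        '<form method="post" action="/entries/delete">'
        '<input type="hidden" name="csrf_token" value="%s">'
        '<input type="hidden" name="entry_id" value="%s">'
        '<button>Delete</button></form>'
        % (html.escape(token), html.escape(entry_id))
    )


def verify_csrf(session: dict, submitted: Optional[str]) -> bool:
    """Accept a state-changing request only if the submitted token matches the session's.

    hmac.compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of a guess were correct.
    """
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_delete_entry(session: dict, form: dict) -> str:
    """Simulated POST handler; returns an HTTP-style status line for the example."""
    if not verify_csrf(session, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: entry %s deleted" % form.get("entry_id")


if __name__ == "__main__":
    sess = {}
    print(render_delete_form(sess, "17"))
    # Legitimate submission carries the token the server rendered.
    print(handle_delete_entry(sess, {"entry_id": "17", "csrf_token": sess["csrf_token"]}))
    # A request forged from another site has no way to include it.
    print(handle_delete_entry(sess, {"entry_id": "17"}))
```

The check must run on every request that changes state, and the token must only ever travel in the request body or a header, never in a URL where it could leak through the Referer header or server logs.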
5. For higher security the session sweep time is set to 20 minutes
We clear session data if the user is inactive for more than 20 minutes, so a session left open on a shared machine, or an identifier that has leaked, stays usable only for a limited window.
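An added example, not the product's own code, of the server-side session handling that sections 2, 3 and 5 describe together: identifiers derived from a CSPRNG and hashed (SHA-256 is used here, for the reason given in section 2), lookup only by the cookie value with unknown identifiers rejected rather than adopted, rotation of the identifier at login, and the 20-minute idle expiry. The in-memory store, the injectable clock and the cookie attributes are assumptions made so the example runs offline.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

IDLE_TIMEOUT = 20 * 60  # seconds; the 20-minute sweep time from section 5


class SessionStore:
    """Server-side session store (example; the product's real storage is not shown here)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised in tests
        self._sessions: Dict[str, dict] = {}

    def _new_sid(self) -> str:
        # 32 CSPRNG bytes, then hashed: the stored key is a fixed-length digest of an
        # unguessable input, so neither collisions nor brute force of the input are practical.
        return hashlib.sha256(secrets.token_bytes(32)).hexdigest()

    def create(self) -> str:
        """Start an anonymous session and return its identifier for the cookie."""
        sid = self._new_sid()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def get(self, sid_from_cookie: Optional[str]) -> Optional[dict]:
        """Resolve a session from the cookie value only (never from the URL or POST body).

        An identifier the server did not issue is rejected, not adopted, which is what
        defeats fixation by an attacker-chosen id. Idle sessions are dropped on access.
        """
        if not sid_from_cookie:
            return None
        sess = self._sessions.get(sid_from_cookie)
        if sess is None:
            return None
        if self._now() - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid_from_cookie]
            return None
        sess["last_seen"] = self._now()
        return sess

    def login(self, old_sid: Optional[str], user: str) -> str:
        """Rotate the identifier on privilege change: data moves to a fresh id, the old one dies."""
        old = self._sessions.pop(old_sid, None) if old_sid else None
        data = dict(old) if old else {}
        data["user"] = user
        data["last_seen"] = self._now()
        new_sid = self._new_sid()
        self._sessions[new_sid] = data
        return new_sid

    def sweep(self) -> int:
        """Periodic cleanup of sessions idle for more than IDLE_TIMEOUT; returns how many were removed."""
        now = self._now()
        expired = [sid for sid, s in self._sessions.items() if now - s["last_seen"] > IDLE_TIMEOUT]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)


def session_cookie_header(sid: str) -> str:
    """Set-Cookie value with the attributes that keep the id off plain HTTP and away from scripts."""
    return "sid=%s; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=%d" % (sid, IDLE_TIMEOUT)
```

The rotation in `login` is the fixation defence: even if an attacker managed to plant an identifier in a victim's browser before login, that identifier stops working the moment the victim authenticates. `sweep` is what a background job would run every few minutes; `get` also expires on access so a stale identifier is never honoured between sweeps.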
6. CAPTCHAs for form security
A CAPTCHA (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine whether or not the user is human. We can prevent automated form submission using this technique.
7. Script/SQL injection countermeasures
SQL injection remains a significant threat to web applications. The primary countermeasure is never to build a query by concatenating user input into SQL text: queries use bound parameters (prepared statements) so that input is always treated as data and can never change the structure of the statement, and the application's database account is given only the privileges it needs. For script injection (cross-site scripting) the equivalent rule is to encode every user-supplied value for the context it is rendered in, so it is displayed as text rather than executed. These countermeasures are not a single fix: they must be applied consistently across the whole application and re-tested after updates or configuration changes.
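A worked contrast of the two countermeasures above, added here as an example (not code from the aviation logbook product): the same lookup written with string concatenation, which a classic `' OR '1'='1` payload turns into a query that matches every row, and written with a bound parameter, where the identical payload is just a username that matches nothing; plus the output encoding that stops a stored script from running when a value is rendered. The in-memory SQLite table and its single user row are constructed for the example.

```python
import html
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed sample data for the example; not the product's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('pilot', 'not-a-real-hash')")
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    # VULNERABLE: the value is pasted into the SQL text, so a quote in it ends the
    # string literal and whatever follows is parsed as SQL.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    # HARDENED: the value travels as a bound parameter; the statement's structure is
    # fixed before the value is seen, so quotes and keywords in it are inert.
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def render_greeting(username: str) -> str:
    # Script injection countermeasure: HTML-encode the value for the context it lands in,
    # so a stored "<script>" is displayed as text instead of being executed by the browser.
    return "<p>Welcome, %s</p>" % html.escape(username)


if __name__ == "__main__":
    conn = setup_db()
    payload = "' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(conn, payload))  # every user comes back
    print("safe:      ", find_user_safe(conn, payload))        # nobody has that name
    print(render_greeting("<script>alert(1)</script>"))
```

With the payload, the vulnerable function runs `WHERE username = '' OR '1'='1'`, which is true for every row; the same text bound as a parameter is compared literally and matches no user. The check to carry through the code base is that no SQL string is ever built with `%`, `+` or f-strings from anything that originated in a request.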
8. Custom iptables rules to block all unnecessary ports
In computing, a firewall is a software- or hardware-based network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g. the Internet) that is not assumed to be secure and trusted. We achieve this with custom iptables rules on the server: the default policy drops inbound traffic, and only the ports the service actually needs (HTTPS, with plain HTTP kept only to redirect to it, and administrative access restricted to known source addresses) are opened.