At AddThis, we believe it’s important for owners and operators of websites to implement fundamental security practices for the collection and handling of their users’ online data. Here are some tips for making sure your site and your visitors’ information is kept secure.
What Should You Secure?
A good rule of thumb for the data you should secure is anything personally identifiable. Examples of “personally identifiable information” include usernames, passwords, email addresses, phone numbers, social security, and other government identification numbers and contact information.
Keep Your Data Close
The first thing you should do when writing your web application is to make sure that you’ve designed it in a way that makes sure personal information stays confidential.
First, be sure never to send usernames, passwords, or other sensitive information in the URL of the page. If you must collect sensitive information, use a POST form action rather than the default, which is GET.
If you use a GET request to send information, it’s added to the URL parameters. So if your login form doesn’t use POST, the URL will look something like this when it’s submitted:
All third party elements on that page will be able to see that URL, and the parameters. The same goes for session IDs in URLs. Store this in a cookie in the user’s browser, not in the URL to keep it out of the referring URLs that are sent with clicks to outbound links.
There’s an added benefit to this, which is that our share counters will show the correct count. If you put session IDs as a parameter in the URL, most share counters will consider that a different URL. For example, this URL:
Will show a different count from this URL:
So be sure that the only parameters in your URL are used for uniquely identifying that page, and all other information is communicated using other types of HTTP requests that don’t show parameters in the address bar.
Another key to preserving your users’ privacy is to make sure the information isn’t intercepted in transit. You can achieve that by using HTTPS connections when you deal with personal information. All AddThis tools work over http or https, so enabling this won’t break our tools on your site, and will give your users peace of mind and, in some cases like for PCI compliance, is required. Instructions for purchasing and implementing SSL certificates can be found through your web host. For most of them, it’s just a matter of buying the certificate from a certificate authority, and then filling in some forms in the host’s control panel.
Another important part of communicating securely is to avoid sending personal information, especially passwords, over email. The federated nature of email means that you can’t know the security of any link in the chain of systems that handles your email. Because of this you should treat email more like a postcard than like a letter in an envelope. For this reason you should never send sensitive information like passwords, credit card numbers, social security numbers or other personal information via email unless you attach it with an encrypted attachment.
Hopefully these tips will help you to implement better practices in your applications. To learn more about how AddThis is focused on privacy, attend our Privacy & Personalization webinar on August 13th at 2PM Eastern.