
HTTP Security Headers – 5 Must Have Headers To Boost Your Website Security

HTTP security headers are a fundamental part of website security and should be of top priority to everyone who publishes anything on the internet. Once the headers have been implemented, they protect your website from the most common types of attack. These are XSS, code injection and click-jacking attacks (amongst others). The sad truth is, security headers are often overlooked in website audits and it’s a big oversight. This involves the security of your site visitors and your customers… how would you feel if the situation were reversed? It could be really damaging to your Brand if things go south. But the good news is, security headers are relatively simple to configure and will provide another layer of protection to help keep your website, and its visitors, safe.  

HTTP Security Headers make your website safer for everyone.


We encourage you to check your website free of charge right now by visiting Security Headers. They will grade your website from A+ to F. Prepare yourself, you might be in for a shock. This is a fast way of gauging how skilled your website developer is and how secure your web server and website platform are, all at the same time. Why not type in your web developer’s or marketing agency’s domain name and see how well protected they are too? For reference, here is ours:

 

Check your Website Security Headers


Here are the headers from our website, granted just an extract, but enough to see what they look like in action. Any modern web browser can reveal these by simply inspecting the page code and viewing the network information.

 


 

So, now you’ve seen your website’s grade and where the headers live. It’s time to discover what they are, why they matter and how to add them. Here are five HTTP security headers that you should consider implementing on your website ASAP. There are many more headers, but these cover the basics. Please note, each one needs to be tailored especially to your website and should not be copied and pasted from our examples. So we encourage you to reach out to your website developer for them to be safely implemented – or just ask us.

 

  1. HTTP Strict Transport Security (HSTS)

  2. Content Security Policy (CSP)

  3. X-Content-Type-Options

  4. X-Frame-Options

  5. Permissions-Policy

 

 

HTTP Strict Transport Security (HSTS)

The HTTP Strict Transport Security (HSTS) header tells the web browser that the entire website should only be accessed over the secure HTTPS protocol. Most websites only implement a 301 redirect from HTTP to HTTPS, which simply isn’t secure enough: it’s very easy to intercept with what’s called a ‘man in the middle’ attack. HSTS totally prevents this and forces HTTPS every time and for every session. This ensures the connection cannot be established through an insecure HTTP connection which could be susceptible to attacks. All modern web browsers support HTTP Strict Transport Security except for Internet Explorer and some lesser browsers, so this is highly effective and widely compatible.

Here is an example of what the header looks like. You can include the max age, subdomains, and preload:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Content Security Policy (CSP)

A content security policy (CSP) helps prevent attacks such as Cross Site Scripting (XSS) and other code injection attacks. It achieves this by defining which content sources are ‘approved’, so that the browser loads content only from those sources. All modern browsers currently offer full or partial support for content security policy, and it won’t impact the delivery of the content if it’s loaded on an older web browser; that browser will simply not enforce the policy.

There are many directives that you can use with Content-Security-Policy. The example below allows scripts from both the current domain which is defined by ‘self’ as well as AnaTrix the VIEWFULE Analytics Suite:

  • Content-Security-Policy: script-src 'self' https://www.analytics.viewfule.com

 

X-Content-Type-Options

The X-Content-Type-Options header prevents the web browser from ‘sniffing’ a response away from the declared Content-Type. This helps reduce the danger of drive-by downloads and helps serve the content the way you intended. Sniffing allows the browser to figure out what the element is (an image, text, etc) and then render that element. Hackers, however, will try to trick the web browser into thinking that a harmful JavaScript file is actually an image (for example), allowing the browser to download the file and then subsequently execute it.

This is bad news for a site visitor, as it can lead to a ‘drive by download attack’. This is when there is an unintentional download of malicious code to your computer or mobile device that leaves you open to a cyber-attack.

Here is an example of what the header looks like with a simple directive:

  • X-Content-Type-Options: nosniff

X-Frame-Options

The X-Frame-Options security header helps stop click-jacking attacks. Click jacking is when a site visitor is tricked into clicking on a link or button (amongst others) which doesn’t do what they believed it would. This can be used, for example, to steal login credentials or to get the user’s permission, completely without their knowledge, to install a piece of malware. Thankfully this problem is very easy to address with this security header and is compatible with all web browsers since Internet Explorer 8.

Here is an example of what the header looks like with a simple directive:

  • X-Frame-Options: SAMEORIGIN

Permissions-Policy

Permissions Policy is a new header, formerly known as Feature Policy. It allows a website to control which features and APIs can be used in the browser. This is achieved by communicating whether or not features such as the Webcam, Speakers or USB access will be required as a part of the website experience (amongst others). By clearly defining these in the header, you are able to broadcast your intentions and be far more transparent with your site visitors.

Here is an example of what the header looks like with a simple directive:

  • Permissions-Policy: camera=(), speaker=(), usb=()
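
The five headers above can be checked from a captured response. The following Python audit is an added example, not code from VIEWFULE or from the Security Headers service; the function names, the one-year max-age minimum (taken from the HSTS example above) and the ‘;’ heuristic for Permissions-Policy are assumptions, and the sample response is constructed.

```python
import re

ONE_YEAR = 31536000  # max-age from the article's HSTS example, used here as the minimum

def parse_headers(raw):
    """Turn raw response text (status line + headers) into {lowercase-name: value}."""
    pairs = (l.split(":", 1) for l in raw.strip().splitlines()[1:] if ":" in l)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def hsts(v):
    issues = []
    m = re.search(r"max-age=(\d+)", v, re.I)
    if not m:
        issues.append("no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        issues.append("max-age under one year")
    if "preload" in v.lower() and "includesubdomains" not in v.lower():
        issues.append("preload without includeSubDomains")
    return issues

def csp(v):
    issues = []
    if re.search("[\u2018\u2019\u201c\u201d]", v):  # curly quotes pasted from a web page
        issues.append("typographic quotes; keywords need ASCII quotes")
    directives = {p.split()[0].lower(): p.split()[1:] for p in v.split(";") if p.split()}
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        issues.append("no script-src or default-src")
    else:
        issues += ["script source allows " + s for s in sources
                   if s in ("'unsafe-inline'", "'unsafe-eval'", "*")]
    return issues

CHECKS = {
    "strict-transport-security": hsts,
    "content-security-policy": csp,
    "x-content-type-options": lambda v: [] if v.lower() == "nosniff" else ["must be nosniff"],
    "x-frame-options": lambda v: [] if v.upper() in ("DENY", "SAMEORIGIN")
                                 else ["use DENY or SAMEORIGIN"],
    # Heuristic: Permissions-Policy members are comma-separated; ';' is Feature-Policy style.
    "permissions-policy": lambda v: ["';' used between features"] if ";" in v else [],
}

def audit(headers):
    """Return {header: [problems]}; an empty list means no problem was found."""
    return {name: ["missing"] if name not in headers else check(headers[name])
            for name, check in CHECKS.items()}

# Constructed sample response (not captured from a real site).
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300; preload
Content-Security-Policy: script-src ‘self’ 'unsafe-inline'
X-Content-Type-Options: nosniff
Permissions-Policy: camera=(); usb=();
"""

if __name__ == "__main__":
    for header, problems in audit(parse_headers(SAMPLE)).items():
        print(header, "->", problems or "ok")
```

The typographic-quote check matters when a policy is copied from a web page: a browser only recognises the keyword when it is wrapped in plain ASCII single quotes.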

Your next steps.

At VIEWFULE, we take our clients’ website security seriously. HTTP Security headers are one tool we use to achieve this and, when combined with a Premium SSL Certificate, it shows confidence and skill that you know how to keep your website secure for visitors and customers alike. Implementing them is specific to each website and depends on whether it runs an online shop or makes use of external sources. The web server that’s used also matters, and the setup varies depending on whether you’re using Apache, NGINX or Litespeed. So reach out for your FREE consultation and we’ll talk through implementing these security headers, specific to your use case, on your website.


5 BIG Reasons To Choose Us

VIEWFULE is Your Responsible & Trusted Web Services Company.

We are the Web Services Company that chose the responsible approach to business by putting Accountability, Community and Sustainability at the centre of our day-to-day operations. Asserting our Corporate Social Responsibilities, we proudly donate a percentage of our profits to organisations that champion sustainability and improve people’s lives around the world. We promote these 5 industry-leading commitments so you know you’re partnering with the right company:


You Own What We Create 100%.

Guaranteeing Ownership was one of our founding principles. You own 100% of your Website and any copy we write for you.

1 Tree Planted For Every New Client.
We partner with One Tree Planted, a non-profit dedicated to global reforestation. They help plant native trees within New Zealand.

We Are A Carbon-Negative Company.
Being Carbon-Neutral is simply not enough. We offset 50% more Carbon than we generate and aim for 300% within 5 years.

Percentage Of All Profits Donated.
We currently donate 2% of all our profits to causes the Sustainability Trust recommends. Improving homes and people’s lives every day.

‘Let’s Make It Right’ Policy.
This incorporates our Money-back Guarantee and Refund Policy. Please read our Terms and Conditions for more information.

We would love to help showcase your Brand online by championing your Website and we’ll get it found in major Search Engines too with our affordable search engine optimisation services. So reach out for your FREE consultation and experience the VIEWFULE difference today!


My new website is live… now what?


Congratulations! Your new website is complete… There are many moving parts to a build, from coding to design and lastly to the content itself.

However, if you want to attract and retain customers, which, let’s be honest, we ALL want, then you cannot have a “set it and forget it” mentality. Marketing your business is not only about creating a presence on the web, it’s about maintaining it too.

It is therefore vital that you implement a ‘Website Update Schedule’ for your business.

Here are 4 reasons why a WUS is a wise decision:

1. Your business deserves to always shine in the best light.

Broken links, 404 pages, half-baked landing pages, slow loading times… your visitors will go elsewhere if they don’t find what they’re looking for… and FAST. The last thing you want is potential customers to become frustrated. It never ends well, and worse yet they’ll probably tell their family and friends not to come too.

Building trust is vital to operating a successful online presence. But at the end of the day, who’s going to want to enter their credit card or contact information when your website looks neglected? Ask yourself… would YOU trust this business?

Your website is the face of your organisation online, so invest the time and energy into keeping it current.

Actively monitor for bugs whilst simultaneously adding fresh content like blogs, articles, events and reviews. This way you kill two birds with one stone. We would recommend you do this at least once per week in order to keep your visitors engaged and to reap the long-term benefits of SEO.

2. Keep your website safe and secure for everyone.

You are not only responsible for protecting your own data, but you are also responsible for protecting your visitors’ data too. Security requirements are always changing, and nobody is safe – even big brands are targets for cyber-attacks and data breaches. To make this all the more challenging, if you are accepting visitors from countries within the European Union or US states such as California you are legally obliged to implement enhanced data security practices.

Towards the end of 2016, Uber announced that the personal information of 57 million of their customers and over 600,000 drivers had been hacked. To make matters worse, the company tried to hide the breach rather than report it.

In November 2018, Marriott International, the hotel group, came forward with information that cyber criminals had stolen the data of approximately 500 million of their customers.

Since hackers get smarter all the time, you need a program you can trust to keep your online assets safe.

Being proactive and protecting your website now is so much easier than dealing with the devastation, disruption and huge costs of a hacked site, lost data and destroyed Google rankings. And make no mistake, all of those negatives strike at once so it can be a scary time.

3. Secure backups, made regularly, will literally save your business.

A backup is a saved copy of your website, whether it’s from a day ago or a month ago. Backups are stored in files or in the cloud and can be restored if needed. There are two types of backup, full and incremental. They both have their benefits, but the full backup is the one you need to ensure is operating automatically and regularly.

If you don’t have a backup readily available and your website is hacked and wiped, you’d need to start over from scratch. You wouldn’t want all your hard work to disappear, would you?

4. Software updates are rarely automatic, but essential.

Software is ever-changing, whether it’s plugins and themes that need updating or security programs.

Your site isn’t going to run smoothly and will also be vulnerable to hackers if you don’t stay on top of software updates. The more often you update, the less likely you are to have problems.

Keeping your software updated also ensures your site loads quickly when visitors arrive; speed does have a direct impact on SEO.

Don’t miss vital leads or sales by neglecting content, security, backup and regular software updates.

Remember, spend a little money now and it will save you a fortune in case the worst happens tomorrow!

So, to recap. Ensure your ‘Website Update Schedule’ includes:

  • Continuous state-of-the-art monitoring and “next-generation application firewall” protection against spam, malware and other malicious attempts. 7G firewalls are particularly effective.
  • Ongoing automatic backups of your site in case it ever needs to be restored. Daily backups are expected these days as a minimum, in some cases hourly is recommended. Ensure the backups are stored away from the webserver itself and in a cloud location for further resiliency.
  • Check every page of your website for broken images and links so it runs smooth and fast, as you intend for your visitors to experience it. Have your Web Developer’s phone number handy if you spot something amiss (in many cases quick fixes are free of charge anyway so why wouldn’t you).
  • If your website is running on WordPress, make sure the ‘core’ is updated regularly (the latest is version 5.8 as of posting) and ensure your plugins are updated too for optimal performance and security. Make sure your webserver is running PHP version 7.4 or above. Many of our clients are now running on PHP version 8 for the enhanced security and performance benefits it brings.


How to Drive More Traffic to your Website

A purely online-based business with no ‘brick and mortar’ presence needs traffic in order to make sales and succeed. Essentially, traffic is the life blood of an online business. Without a reliable and highly targeted flow of traffic the business will surely fail; it’s simply a matter of time. Therefore, acquiring and driving that traffic to your website should form a central piece of your marketing strategy. This has never been more important than in 2021 as there are more than 2 billion indexed websites out there… you need to make it clear why the visitor should choose you and FAST!

It is possible to buy traffic to your website, however there are many reasons why this is not a wise decision. We will cover this in another article but for now we’re going to delve deeper into 5 PROVEN METHODS that absolutely will drive more effective and targeted traffic to your website.

1. Write fresh and unique content REGULARLY.

Your entire website should be full of relevant, unique and well written content from front to back. When visitors find interesting content on your website, they will learn to trust your business. By doing so, they will spend more time on your website, favourite it/ bookmark it and eventually buy your products or services. It’s a virtual certainty.

By posting lots of valuable information on your website, regularly, you will be viewed as a subject matter expert (SME) in your field. We recommend that most of our clients post at least one interesting and unique blog/article per week and share it across all their social media.

2. Search Engine Optimisation or SEO – is KING.

Making your website visible in search engines, known as being ‘indexed’, is essential. You need to ensure your home page and ALL YOUR SUB-PAGES are indexed too. Google currently holds a 90% market share of all search engines globally, therefore it would be very wise indeed that you spend most of your time promoting your website in Google.

Being on the first page of the search engine results page (SERP) will make you very popular. Traffic will increase, this is a fact. Investigate and test niche keywords and phrases and place these in your titles and in the rest of the content on your website to increase their density. But be careful not to ‘overdo it’: if you are believed to be keyword spamming, this will negatively affect your website (don’t use the same keyword more than 12 times per page).

Usually, visitors search using keywords or phrases and as a result this increases the chances of your website being found for those specific keywords. Take your time on this, test test test and do more testing. You will find the sweet spot in time.

3. Pay Per Click or PPC Advertising WORKS.

However, it costs. That being said, Google often provides sign up bonuses for its system ’Google Ads’ which can add up to $100. So, keep an eye out for these promos. Depending on your industry, you will want to start out with a budget of anywhere between $500-$2000. You can write your own ads or pay others to do this for you, although YouTube can be really helpful and teach you a new skill. Nail the ads, the targeting options, and the time of day they run and you could be making sales within hours.

4. Join Forums related to your industry – ENGAGE with them.

Joining Forums, talking with other likeminded individuals and sharing your knowledge can be very powerful for gaining more traffic. Once again, this takes us back to that topic of the SME I mentioned earlier. Engaging with fellow members and making it clear how knowledgeable you are within your field will result in others wanting to learn more about you.

Find appropriate forums on the internet (Google search your industry, country and the word ‘forum’ as a start) and participate in industry-specific targeted forums. The topics you interact with should align with the topics on your website. We would not recommend that you directly write your Website URL in the topics or within responses. This may breach forum rules (remember to check them), but do capitalise on your username and avatar being related to your business and remember to link your website in your signature, as this is usually permitted.

5. Videos increase engagement by up to 300% – CREATE them.

Create videos, as often as you can. Discuss in them your business, you and the products or services you offer. Respond to questions and emails from customers this way too by recording a Q&A session. They say a picture speaks 1000 words…. Well, a video speaks 300% higher than that! Make sure you share them on YouTube, Vimeo, Dailymotion etc too and tag them accordingly. Today, many businesses use video marketing to drive traffic to their website and the simple reason for this is… IT WORKS! Ensure you post your Website URL on the video description as this will make it easy to link visitors straight to your website.

At VIEWFULE, driving traffic to our clients’ websites is a passion. Irrespective of your industry, we would love to work with you and for you to drive your traffic sky high. So, remember to reach out for your FREE initial consultation today.


Welcome to VIEWFULE

Welcome to VIEWFULE. We are new to New Zealand, having previously been based in the UK. We’re excited to share our global expertise with the local community here on the Kapiti Coast in Wellington.


My name is Oliver Corby and I’m the Founder of VIEWFULE. I bring 17 years of specialist Retail IT skills to the Kapiti Coast. Over the course of my career, I have worked for small right up to large billion-dollar businesses, such as The Body Shop, The Estée Lauder Companies and Louis Vuitton Moët Hennessy Group (LVMH) amongst others. From these experiences, I intimately understand the many methods a company can use to connect with its consumers. Some very effective and some not so.


I founded VIEWFULE with the simple mission of giving back. The Kapiti Coast has provided me so much, a beautiful baby girl being one. There is so much potential in this region with an extraordinary number of businesses eager to be known on the global stage. With my skills and experience, I can help them achieve this goal.


I fully appreciate that no two businesses are alike and therefore each of our services is tailored specifically to your business. Whether you need Retail IT Consulting services, guidance on choosing a new POS or CRM system, or Web Design & Development work to draw out the most potential from your online image, we would be proud to work with you and for you to make your business shine in the best light.

One fine note, we also offer specialist SEO Services. Utilising a combination of ‘on page’ and ‘off page’ methods and the latest techniques for 2022 we can design a powerful strategy that will catapult your website to the front page of Google. Remember, if you aren’t ranking for your keywords then your competitors certainly will!

Once again, welcome and we look forward to working with you soon.

Ngā mihi,


Oliver Corby
Founder
VIEWFULE
