Home/ Questions/Q 8988527
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-15T22:01:31+00:00

As a more broad question I would like to ask what is the current

  • 0

As a more broad question I would like to ask what is the current best strategy for securing a website login. I know all of the basics, like salting a password, hashing the password, and using SSL to encrypt the transmission, but I feel that may not always be enough. What are the best, “hack-proof” methods out there?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your points are already the most important ones, additionally you can do this:

    1. Use a slow key derivation function like BCrypt to hash the password.
    2. Add the X-Frame-Options to the HTTP header of your login page, so that the page cannot be shown inside an iframe. This can help against clickjacking. In PHP this would look like that: header('X-Frame-Options: DENY');.
    3. Add the Content-Security-Policy to the HTTP header of your login page. If a browser supports CSP, this can be an effective protection against Cross-Site-Scripting. In PHP it would look like this: header("X-Content-Security-Policy: allow 'self'");.
    4. Regenerate the session id on the login page, to make session fixation more difficult.
    5. Use HTTPS for the whole site, this avoids lots of problems. If you need to switch between HTTPS and HTTP, then use a separate cookie for authentication, have a look at this example.
    6. Should your site be HTTPS only, then you can add the HTTP Strict Transport Security header. The HSTS can prevent users (that already visited your site once), from calling unsecure HTTP pages. This can help against SSL-strip.
    • 0