Even if your web site does not hold any national security document you should take the security of your web site seriously. This is especially important if you are selling products on your web site.
A typical setup is that you have one or more sales pages for your product and when a prospect clicks on an order link they are redirected to PayPal, 2CheckOut or some other payment processing service. This setup is good for several reasons, the most important being the fact that you avoid having to deal with credit card numbers and other sensitive customer information. So far in 2007 there have been published reports of more than 89 million identity records exposed from data breaches. See the Identity Theft Resource Center for some really scary reading. Leaving data theft worries to companies who specialize in handling financial information is a great strategy for most small businesses.
But that does not leave you totally in the clear. If you are selling a digital product that the customer can download immediately after the purchase, you need to ensure that the product is protected. There are many ways that web site owners inadvertently leave their valuable products unprotected – making them available for free to anyone who knows where to look.
Here are the 3 most common errors:
1. Easy to guess filenames.
If the title of your e-book is “AdWords Secrets”, then don’t name the file AdWordsSecrets.pdf. It is just too easy to guess that the URL for downloading your e-book might be www.example.com/AdWordsSecrets.pdf
At least add a version number or a date into the filename, e.g. AdWordsSecrets_v42.pdf or AdWordsSecrets_20070707.pdf. This will make it much more difficult to guess the filename and the URL.
2. Search engines indexing the download page or the product itself.
Today’s search engines are extremely efficient in spidering content on the web and keeping your web pages secret from search engines is becoming increasingly difficult. Even if you don’t have any public links to your secret product download page there are several ways that a search engine can find out about the page and index it. Once it’s indexed anyone who uses that search engine may see your product download page in the search results, and they can download your product for free.
You should regularly check what each search engine knows about your web site. In most major search engines you can use the site: operator, e.g. site:example.com, to get a listing of all the pages on your web site that have been indexed.
3. Improperly configured robots.txt
robots.txt is a text file that you can place on your web server to guide search engines to what content they are allowed to index and what is off limits. While this may prevent most search engines from indexing your secret web pages, it opens up another vulnerability: any curious web surfer is able to view your robots.txt file. If the file explicitly forbids search engines from looking in the /downloads or /report directories, then it’s very likely that’s where the secret files are stored. With this knowledge the web surfer can more easily find your product and download it for free.
You need to strike the right balance between protecting certain files and directories in robots.txt while not revealing too much about the structure of your web site.
Selling digital products online is a great business. Make sure that you get paid for the products that you have painstakingly created by following the guidelines above and applying common sense.
More details on how to protect your digital products can be found in my latest report: The Digital Security Report.