PremiumGiftCards: Security Improvements and optimizations
Selling giftcards is a risky business. I actually purchase them with my own money and then put them up for sale. Once the codes are out of my hands, I can’t get them back.
I designed the site to be as secure as possible. All inputs are validated to prevent SQL injection attacks, I don’t keep any Bitcoin private keys on the server, and my server is locked down so it only talks to Cloudflare.
I still had a suggestion from a whitehat hacker named Mohammed Al-saggaf to double check my email SPF settings and my website headers. While they were pretty secure, improvements were able to be made. If you ever want a quick penetration test, I suggest sending him a message. He’s a very nice guy from Yemen.
I’ve added some more headers to all of my pages to tell your browsers what sites you should trust when it comes to embedded CSS or JavaScript on my site. I also added a header that will prevent my site from being embedded in another fake site that’s clicking on things for you. You can view the entire security report at SecurityHeaders.io
My email settings were set to make it so other servers would be wary of emails not sent by my server or this newsletter service, but I’ve tightened it up so now any emails from other sources will be marked as entirely untrustworthy.
I also configured my backend connection to Cloudflare so they verify my server with a signed SSL cert and I verify the connection by demanding that their connection be signed too.
For optimization, I’m using the newest branch of Nginx and I enabled HTTP2. Page load times should be quite a bit better now. I’ll work on other optimizations over the coming days. I’m also planning to start symmetrically encrypting the gift codes in inventory before they’re sold, and asymmetrically encrypting the codes and order information after they’ve been sold.
Notice anything else I could do to make things better? Let me know!


















