Website Security — Complete Guide

Everything you need to know about web security: attacks, protection, and 8 detailed guides

$4.45M
Average cost of a data breach (IBM 2023)
30K+
Websites hacked every day
8
Detailed guides
240+
Automated checks

1. What is web security?

Web security covers all the measures and practices that protect websites and web applications from unauthorized access, data theft, and malicious attacks. Now that ever more business, communication, and transactions take place online, website security is not a luxury but an absolute necessity.

Even small websites are targets. Automated bots scan millions of sites every day looking for vulnerabilities, regardless of a site's size or popularity.

Statistic: According to a Sophos report, more than 30,000 websites are hacked every day. Most attacks are automated; bots do not pick their targets by size.

2. The most common attacks on websites

Understanding the threats is the first step toward protection. These are the most common attack types:

  • SQL Injection — the attacker injects malicious SQL through forms on the site and can gain access to the entire database, including user accounts and passwords.
  • Cross-Site Scripting (XSS) — malicious JavaScript is injected into a page and runs in visitors' browsers, stealing cookies or sessions or redirecting users.
  • Cross-Site Request Forgery (CSRF) — the attacker tricks a user into unknowingly performing an action on a site where they are logged in.
  • Phishing — fake pages or emails that imitate legitimate services in order to steal user credentials.
  • DDoS attacks — floods of requests that overload the server and make the site unavailable to real users.
  • DNS attacks — DNS spoofing, cache poisoning, and email spoofing where SPF/DMARC protection is absent.

Attack          | OWASP 2021     | Impact
SQL Injection   | #3 (A03)       | Access to the entire database
XSS             | #7 (A07)       | Session/data theft
CSRF            | Was #8 (2013)  | Unauthorized actions
Broken Access   | #1 (A01)       | Access to restricted resources

3. Consequences of being hacked

The consequences of a successful attack can be devastating and far-reaching:

  • Data loss — users' personal data, financial information, and business documents can be stolen or deleted.
  • Reputation damage — user trust is hard to win back. Google may flag the site as unsafe.
  • Financial losses — recovery costs, legal consequences, lost revenue, and potential GDPR fines of up to 4% of global turnover.
  • SEO penalties — Google penalizes hacked sites by lowering their ranking, which can last for months.
  • Legal liability — under the GDPR, the company is responsible for protecting user data.

Example: In 2018 British Airways paid a £20 million fine after an XSS attack compromised 380,000 payment cards.

4. How to protect your website

There are concrete steps you can take today:

  • SSL/TLS certificate — use HTTPS to encrypt data in transit. Free certificates are available from Let's Encrypt.
  • Security HTTP headers — implement CSP, HSTS, X-Frame-Options, and the other headers that protect against attacks.
  • Strong passwords and 2FA — use long, unique passwords and two-factor authentication.
  • Regular updates — keep the CMS, plugins, and all dependencies up to date.
  • Backup strategy — make regular backups and keep them in a separate location.
  • API security — protect API endpoints with authentication, rate limiting, and input validation.
  • Close ports — scan for and close unnecessary open ports on the server.
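As an added example (not the scanner's code and not from the original page), here is a passive audit of the security headers and cookie flags that the "Security HTTP headers" step above refers to, run against two constructed responses; the HSTS threshold and the weak-value rules are assumptions based on common guidance.

```python
import re

# Added example (not the page's scanner): passive audit of the headers this page
# lists. Thresholds and "weak value" rules are assumptions from common guidance.
REQUIRED = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "X-Frame-Options",
    "x-content-type-options": "X-Content-Type-Options",
    "referrer-policy": "Referrer-Policy",
    "cross-origin-opener-policy": "COOP",
}

def audit_headers(headers):
    """Return findings for a dict of response headers (names case-insensitive;
    Set-Cookie may be a list). An empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {label}" for name, label in REQUIRED.items() if name not in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < 15552000):  # 180 days
        findings.append("HSTS max-age shorter than 180 days")
    if "'unsafe-inline'" in h.get("content-security-policy", ""):
        findings.append("CSP allows 'unsafe-inline'")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options has an unrecognised value")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    # A session cookie should carry Secure, HttpOnly and SameSite.
    raw = h.get("set-cookie", [])
    for c in (raw if isinstance(raw, list) else [raw]):
        attrs = {a.strip().split("=")[0].lower() for a in c.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {c.split('=', 1)[0].strip()} lacks {flag}")
    return findings

# Constructed sample responses: a weak one and a hardened one.
WEAK = {"Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "Set-Cookie": ["session=abc123; Path=/"]}
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Cross-Origin-Opener-Policy": "same-origin",
            "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]}
if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["ok"])
```

To audit a live site, feed the function the response headers returned by your HTTP client; it never sends anything beyond the request you make yourself.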

5. Our detailed guides

We have covered each aspect of web security in its own detailed guide:

HTTPS

SSL/TLS Certificates

The complete HTTPS encryption guide: certificate types, Let's Encrypt, HSTS, TLS 1.3 configuration.

Headers

HTTP Security Headers

7 essential headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and COOP.

XSS

Cross-Site Scripting

3 types of XSS, real attack examples (Samy worm, BA), protection: CSP, HttpOnly, DOMPurify.

SQLi

SQL Injection

Types of SQL injection, prepared statements, ORM protection, WAF, and testing with OWASP ZAP.

CSRF

CSRF Attacks

How CSRF works, real examples (Gmail, Netflix), CSRF tokens, and SameSite cookies.

DNS

DNS Security

SPF, DMARC, and DNSSEC configuration, DNS attacks, and protecting email from spoofing.

Ports

Port Scanning

Top 10 critical ports, Nmap scanning, firewall configuration, and server protection.

API

API Security

OWASP API Top 10, authentication, rate limiting, input validation, and JWT security.

6. What our scanner checks

Our Web Security Scanner performs a passive analysis of your site with 240+ automated checks:

  • SSL/TLS certificate and HTTPS configuration
  • 7 key security HTTP headers
  • DNS security: SPF, DMARC, DNSSEC
  • 11 sensitive files and directories
  • 10 critical ports
  • 8 vulnerability pattern checks
  • JavaScript and API security
  • CORS configuration and cookie security

Free and anonymous: scanning requires no registration and does not modify your site. It behaves like an ordinary browser visiting your page.
Scan your site for free →
