
Is there a standard practice to securing an admin page for an application writte


Question

Is there a standard practice for securing an admin page for an application written in Angular and Node.js, or just in general? The admin page would approve/ban users and moderate comments.

Should it be web facing, able to be accessed just through a username/password? Or something fancy like ssh-only w/ X11 forwarding?

Right now I'm the only admin since I wrote the software, but I may eventually allow others to help moderate using their own combination of username/password. This might mean that non-tech users may be using it, so ssh-only might be too complex.

Is there something specific server-wise I should do for the admin page? I will deploy to a Linux server (Ubuntu Server).

Explanation / Answer

For low-value sites, username and password is OK. There are a lot of sites that are just not worth hacking into, and where the risk/cost of compromise to you is fairly minimal compared to the cost of securing it.

For most sites, though, you should require the use of HTTPS or a VPN when doing administrative functions. There are now some SSL certificate authorities that provide basic domain-validated certificates for free that are trusted by all major browsers, so there's really no excuse not to use SSL when you need the security.

For high-value sites, in addition to encrypting the communication, you should also require multi-factor authentication. You may want to require a client certificate, a one-time password, or a hardware token. This increases the difficulty of administration, but that is a reflection of how much you care about security.

It's always a balance between security and usability.
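
As an added example (not part of the original answer): a small Node.js gate that combines the answer's recommendations for higher-value sites, HTTPS plus a one-time password, before an admin action runs. The function names, the request shape (`secure`, `user.role`, `user.totpSecret`, `otp`) and the 30-second, 6-digit TOTP parameters are assumptions for illustration.

```javascript
// Added example; all names here are hypothetical, not from the original page.
const nodeCrypto = require("crypto");

// RFC 6238 TOTP (HMAC-SHA1) for a raw secret Buffer at a given Unix time.
function totp(secret, unixSeconds, step = 30, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = nodeCrypto.createHmac("sha1", secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f; // dynamic truncation (RFC 4226)
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, "0");
}

// Accept the current time step and one step either side for clock skew.
function verifyTotp(secret, code, unixSeconds) {
  if (typeof code !== "string" || !/^\d{6}$/.test(code)) return false;
  let ok = false;
  for (const drift of [-30, 0, 30]) {
    const expected = Buffer.from(totp(secret, unixSeconds + drift));
    // Constant-time comparison; the loop never exits early on a match.
    if (nodeCrypto.timingSafeEqual(expected, Buffer.from(code))) ok = true;
  }
  return ok;
}

// Decide whether an admin request may proceed.
// req: { secure, user: { role, totpSecret }, otp } (assumed shape).
function checkAdminRequest(req, nowSeconds) {
  if (!req.secure)
    return { allow: false, status: 403, reason: "https-required" };
  if (!req.user)
    return { allow: false, status: 401, reason: "not-authenticated" };
  if (req.user.role !== "admin")
    return { allow: false, status: 403, reason: "not-admin" };
  if (!verifyTotp(req.user.totpSecret, req.otp, nowSeconds))
    return { allow: false, status: 401, reason: "bad-otp" };
  return { allow: true, status: 200, reason: "ok" };
}
```

The check does not record which codes have already been used, so a code stays valid for its whole window unless the caller also stores the last accepted time step per user.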
