
secure web application online

I have a web application which I'd like to host online. The user logon consists of a hashed password which is saved in the DB and verified via the code; simple, but it was OK for a small office which had an onsite server.

However, I don't think this will be suitable when the app is hosted online. I've considered manually listing the client IP addresses in Apache to block access from other machines.

Is there anything else i can do to make access secure? Certificates maybe?


What do you mean by "user logon consists of a hashed password"? Do you use the hashed password in your session cookie? Well, anyway, these are some points to get you started:

  1. use HTTPS only (with valid certificates)
  2. don't use shared hosting (use VPS if you must)
  3. store salted hashes of passwords in your database
  4. if the db is not on localhost, use only encrypted connections
  5. use secure and truly random session IDs
  6. invalidate/expire your sessions on the server
  7. you may consider client certificates if that suits your needs
  8. watch for XSS, XSRF and similar vulnerabilities
  9. use only POST requests for anything that changes any state or data
  10. use a random token in POST parameters for anything that changes any state or data
  11. don't rely on cookies only
  12. use DNSSEC if possible

Those are just a few good rules of thumb to get you started.
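Items 3, 5, 6, 10 and 11 of that list in working form, as an added Python example (not code from the answer's author or the asker's application); the PBKDF2 iteration count and the in-memory session store are assumptions:

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example, not from the original answers. Covers: salted password hashes (3),
# truly random server-side session IDs (5, 6, 11) and a per-session token that
# must accompany every state-changing POST (10).

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter; raise it as your hardware allows


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh 16-byte salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt; compare_digest avoids a timing side channel."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random ID."""

    def __init__(self) -> None:
        self._sessions = {}  # session_id -> {"user": ..., "csrf_token": ...}

    def create(self, username: str) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[session_id] = {"user": username,
                                      "csrf_token": secrets.token_urlsafe(32)}
        return session_id

    def invalidate(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)  # logout / expiry happens on the server

    def csrf_token(self, session_id: str) -> Optional[str]:
        session = self._sessions.get(session_id)
        return session["csrf_token"] if session else None

    def check_post(self, session_id: str, submitted_token: str) -> bool:
        """Accept a state-changing POST only with a live session and a matching token."""
        expected = self.csrf_token(session_id)
        if expected is None or not isinstance(submitted_token, str):
            return False
        return hmac.compare_digest(expected.encode(), submitted_token.encode())
```

The CSRF token is embedded in each form as a hidden field and checked with `check_post` before any change is applied; the cookie alone never authorises a write.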


First of all: Security isn’t something that just needs to be attached to make an application secure. It’s rather an attitude or a basic principle that needs to be considered within each thought and each line of code.

But besides that: OWASP, the Open Web Application Security Project, maintains a list of the Top 10 Most Critical Web Application Security Risks. Read it and try to understand each security risk. That is the fundamental knowledge you need to know to develop secure web applications (under the motto “know your enemy”).

Then read the OWASP Development Guide that describes guidelines on how to develop a secure web application and try to apply their recommendations to your existing application.
