Stratus3D

A blog on software engineering by Trevor Brown

Securing Static Websites

One of the big benefits of static websites is simplicity. Static websites are simple so there is much less to worry about. There are no login credentials to be compromised. There is no dynamic content that must be stored and displayed. There is no danger of a bug in the code allowing SQL injections. But there are still things that should be done to secure a static website. In this blog post I will list some of the important things that still need to be done to provide a secure static website.

HTTPS

It should go without saying in 2022 that you should be serving your static website over HTTPS. Free SSL certificate providers like Let's Encrypt make this easy. "HTTPS protects privacy and integrity of the transmitted data which is desirable even with static content".

HSTS

In addition to SSL, you can also tell your visitors' browsers that they should only connect over HTTPS in the future by sending the Strict-Transport-Security header. This prevents HTTP downgrade attacks.

Keep Your Webserver Secure

If you are running your own web server there is a lot you’ll need to stay on top of to keep it secure. Proper configuration, application of security patches, and routine upgrades are all essential for keeping the web server secure. Running a web server securely is outside the scope of this blog post. Refer to the documentation of the web server you are running for recommended configuration, patching, and upgrades. A much easier approach is to use a hosting company that provides managed HTTP servers. I like (affiliate link) OpalStack.

Limit File Permissions

Don't allow other users on the server to read or write the files served by your web server. Permissions should be restrictive: only your user should be able to read and write the files, and the web server should only be able to read them.
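As an added check script (not from the original post), this verifies the HTTPS redirect and HSTS header from the sections above and the file permissions described here. It assumes curl is installed and takes the site hostname and the local web root as its two arguments.

```shell
#!/bin/sh
# Added verification script, not part of the original post. Assumes curl is
# available for the live checks; the parsing functions work offline.
set -eu

ONE_YEAR=31536000

# hsts_ok VALUE: succeed when a Strict-Transport-Security value carries a
# max-age of at least one year. A short max-age leaves a window in which the
# browser will again accept a plain-HTTP connection.
hsts_ok() {
  max_age=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$max_age" ] && [ "$max_age" -ge "$ONE_YEAR" ]
}

# header_value NAME: read raw response headers on stdin and print the value
# of the named header (case-insensitive), with the trailing CR removed.
header_value() {
  awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    { line = $0; sub(/\r$/, "", line) }
    tolower(line) ~ ("^" name ":") { sub(/^[^:]*:[ \t]*/, "", line); print line; exit }
  '
}

# check_site HOST: plain HTTP must redirect to https://, and the HTTPS response
# must carry a strong HSTS header. Browsers ignore HSTS received over HTTP, so
# the header only matters on the HTTPS response.
check_site() {
  host="$1"
  location=$(curl -sSI "http://$host/" | header_value Location)
  case "$location" in
    https://*) ;;
    *) echo "FAIL: http://$host/ does not redirect to HTTPS"; return 1 ;;
  esac
  hsts=$(curl -sSI "https://$host/" | header_value Strict-Transport-Security)
  if ! hsts_ok "$hsts"; then
    echo "FAIL: weak or missing Strict-Transport-Security: '$hsts'"; return 1
  fi
  echo "OK: $host redirects to HTTPS and sends HSTS ($hsts)"
}

# loose_files WEBROOT: print files that other users could read or write.
# Intended state: owner read/write, group (the web server) read, nothing for others.
loose_files() {
  find "$1" -type f \( -perm -o=r -o -perm -o=w -o -perm -g=w \)
}

if [ "$#" -eq 2 ]; then
  check_site "$1"
  loose=$(loose_files "$2")
  [ -z "$loose" ] || { echo "FAIL: loosely permissioned files:"; echo "$loose"; exit 1; }
fi
```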

Keep Content Safe for Your Readers

Check your links periodically. You might wind up with broken links due to expired domains or sites that no longer exist. Sometimes expired domains will be re-registered to route traffic to spam sites.

This should go without saying, but serve your own known-good assets rather than trying to save bandwidth by serving the assets of others. If a third-party asset you are linking to gets compromised you could potentially cause your visitors to load malicious scripts.

Be Careful with JavaScript

I’ve chosen to avoid JavaScript for the most part so I don’t have any specific advice to give. I did find a blog post that dealt with the JavaScript-specific issues that can arise on a static website. I suggest following the advice given in that blog post.

Make Reporting Website Issues Easy

If someone finds a security issue with your website, you want to make it as easy as possible to report. Display clear instructions on your website explaining how to contact you securely to report security issues. Also add a security.txt file (served from /.well-known/security.txt) so that your contact info and security policy are easy to find.

Conclusion

Securing static websites is fairly straightforward, but there are still many things to do if you want to provide the most secure experience for your visitors. Hopefully this list is useful to you and will inspire you to further improve the security of your static website.