Much good website design is nearly invisible. There are many features that can have a large impact on the user experience while not being immediately apparent. Web security is one such feature. All websites should prioritize security. However, librarians should be particularly interested. Patrons should feel assured of the veracity of the web content they are accessing on a library’s domain, as well as the security of any data they may be sharing.

THAT LAST LETTER MATTERS

There are many facets of web security, but for the sake of brevity, this column focuses on the importance of HTTPS.

HTTPS stands for Hypertext Transfer Protocol Secure. It ensures that the data you’re giving and receiving from a website is encrypted. The old protocol, HTTP, transferred this data in plain text. Think about data you put online, such as passwords when you log in, or your credit card number when you make a purchase. You do not want those to be plain text, especially because someone on the same Wi-Fi network could monitor your activity, and may want to do something malicious with the intercepted data. This is known as a Man in the Middle attack, and is not uncommon, especially on unsecured public networks being accessed by a lot of people simultaneously, such as free Wi-Fi at an airport or coffee shop—or a library. Patrons may not be putting their credit card number on your library website, but their inquiries should remain private, as they would be if asked in person.

Most web browsers now alert users to a website’s security based on whether or not HTTPS is present. A browser may even actively dissuade users from visiting a website that it deems “not secure.” Furthermore, search engines may suppress websites that do not use HTTPS when displaying search results. Given these measures, without HTTPS, users may never even make it to your website, or feel they cannot trust it.

HTTPS is widely used, but is not yet universal. For instance, at press time, the American Library Association’s (ALA) website did not use HTTPS. There are many reasons why websites do not yet use HTTPS, but some site owners assume that it is prohibitively expensive, challenging, or time-consuming to implement.

IMPLEMENTING HTTPS

Fortunately, that is not the case. Let’s Encrypt, a project created by the Linux Foundation, is a Certificate Authority that offers free Secure Sockets Layer (SSL) certificates. It is sponsored by major organizations such as Mozilla, Google Chrome, and ALA. Additionally, many web hosts offer support for enabling HTTPS, so it should not require too much time or energy to put in place. The website doesmysiteneedhttps.com answers many additional questions about getting started with HTTPS.

BEYOND HTTPS

Further measures you can take to bolster your library’s website security include ensuring that the software your site uses is up to date. There might be vulnerabilities in your system that have been resolved by recent software updates. Library systems could also impose requirements on password creation, such as not allowing words found in the dictionary, or mandating a number and/or special character be included. Staff should be reminded not to click on links from email addresses they do not recognize, and to verify the email addresses on messages they receive from people they know. This can help prevent malware and ransomware attacks and attempts at phishing, helping to ensure your library is less of a target for hackers.

Sabrina Unrein is a former software developer and current MLIS candidate and Wilhelm Scholar at Syracuse University's iSchool.