Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services.

Web Application Security

Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.1

Modern web development has many challenges, and of those security is both very important and often under-emphasized. While such techniques as threat analysis are increasingly recognized as essential to any serious development, there are also some basic practices that every developer can and should be doing as a matter of course. 2


  • Secure and Reliable Systems: Can a system be considered truly reliable if it isn't fundamentally secure? Or can it be considered secure if it's unreliable? Security is crucial to the design and operation of scalable systems in production, as it plays an important part in product quality, performance, and availability. 3


Web Application Security Web Application Security: Exploitation and Countermeasures for Modern Web Applications - While many resources for network and IT security are available, detailed knowledge regarding modern web application security has been lacking--until now. This practical guide provides both offensive and defensive security concepts that software engineers can easily learn and apply.


Lighthouse is an open-source, automated tool for improving the quality of web pages. You can run it against any web page, public or requiring authentication. It has audits for performance, accessibility, progressive web apps, SEO and more.

You can run Lighthouse in Chrome DevTools, from the command line, or as a Node module. You give Lighthouse a URL to audit, it runs a series of audits against the page, and then it generates a report on how well the page did. From there, use the failing audits as indicators on how to improve the page. Each audit has a reference doc explaining why the audit is important, as well as how to fix it.4

Owasp Zap The world's most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers. 5


An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.

HTTP headers

Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, and hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web.

  • HTTP headers let the client and the server pass additional information with an HTTP request or response.
  • OWASP Secure Headers Project - The OWASP Secure Headers Project describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.

HTTP Strict Transport Security

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. 6

Nginx Configuration
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

To have Apache transfer the HSTS headers we need to add the headers module to the configuration (/etc/apache2/httpd.conf):

LoadModule headers_module modules/mod_headers.so

Apache Configuration
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"


The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.7

Nginx Configuration
add_header "X-XSS-Protection" "1; mode=block";
Apache Configuration
Header set X-XSS-Protection "1; mode=block"


The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

Nginx Configuration
add_header X-Frame-Options SAMEORIGIN always;
Apache Configuration
Header always set X-Frame-Options "SAMEORIGIN"

Enable Referrer Policy

Nginx Configuration
add_header Referrer-Policy "no-referrer-when-downgrade" always;
Apache Configuration
Header set Referrer-Policy "no-referrer-when-downgrade"

Enable protection from "mime" based attacks

Nginx Configuration
add_header X-Content-Type-Options "nosniff" always;
Apache Configuration
Header set X-Content-Type-Options "nosniff"


The Cache-Control HTTP header holds directives (instructions) for caching in both requests and responses. A given directive in a request does not mean the same directive should be in the response. 8

Cache request directives

Standard Cache-Control directives that the client can use in an HTTP request:

  • Cache-Control: max-age=<seconds>
  • Cache-Control: min-fresh=<seconds>
  • Cache-Control: no-cache
  • Cache-Control: no-store
  • Cache-Control: no-transform
  • Cache-Control: only-if-cached


The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. This header serves for backwards compatibility with the HTTP/1.0 caches that do not have a Cache-Control HTTP/1.1 header. 9


The Expires HTTP header contains the date/time after which the response is considered expired.

Invalid expiration dates with the value 0 represent a date in the past and mean that the resource is already expired. 10


An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. 11

Last edited by MichaelAlber .
Page last modified on Tuesday October 11, 2022 01:10:06 PDT.

Don't Panic