Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems. [1]
Modern web development has many challenges, and among those security is both very important and often under-emphasized. While techniques such as threat analysis are increasingly recognized as essential to any serious development, there are also some basic practices that every developer can and should follow as a matter of course. [2]
- How to Implement Security HTTP Headers to Prevent Vulnerabilities?
- HTTP Security Headers: An Easy Way to Harden Your Web Applications
- An Overview of HTTP Security Headers
- Hardening Website Security – Part 1: HTTP Security Headers
- Hardening Website Security – Part 2: User Session Cookie Security
- Session Management Cheat Sheet
- Web Application Security: Exploitation and Countermeasures for Modern Web Applications - While many resources for network and IT security are available, detailed knowledge regarding modern web application security has been lacking, until now. This practical guide provides both offensive and defensive security concepts that software engineers can easily learn and apply.
Lighthouse is an open-source, automated tool for improving the quality of web pages. You can run it against any web page, public or requiring authentication. It has audits for performance, accessibility, progressive web apps, SEO and more.
You can run Lighthouse in Chrome DevTools, from the command line, or as a Node module. You give Lighthouse a URL to audit, it runs a series of audits against the page, and then it generates a report on how well the page did. From there, use the failing audits as indicators of how to improve the page. Each audit has a reference doc explaining why the audit is important, as well as how to fix it. [3]
OWASP ZAP - The world's most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers. [4]
- HTTP headers let the client and the server pass additional information with an HTTP request or response.
- OWASP Secure Headers Project - The OWASP Secure Headers Project describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. [5]

```nginx
# nginx: one year max-age, applied to subdomains as well
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
```
To have Apache send the HSTS header we need to load the headers module in the configuration (/etc/apache2/httpd.conf) and then set the header:

```apache
# Apache: enable mod_headers, then emit HSTS on every response (including error pages, via "always")
LoadModule headers_module modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
```
```nginx
# nginx: X-XSS-Protection (legacy header; current browsers ignore it, so treat it as defence in depth only)
add_header "X-XSS-Protection" "1; mode=block";
```

```apache
# Apache
Header set X-XSS-Protection "1; mode=block"
```
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <fr
```nginx
# nginx: only allow framing by pages from the same origin
add_header X-Frame-Options SAMEORIGIN always;
```

```apache
# Apache
Header always set X-Frame-Options "SAMEORIGIN"
```
```nginx
# nginx: send the full referrer only when the security level stays the same (HTTPS to HTTPS)
add_header Referrer-Policy "no-referrer-when-downgrade" always;
```

```apache
# Apache
Header set Referrer-Policy "no-referrer-when-downgrade"
```
```nginx
# nginx: stop browsers from MIME-sniffing a response away from its declared Content-Type
add_header X-Content-Type-Options "nosniff" always;
```

```apache
# Apache
Header set X-Content-Type-Options "nosniff"
```
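The directives above tell the server what to send; the check a practitioner wants is whether a response actually carries these headers with sound values. The following script is an added example (not code from the original page or from OWASP): it parses a raw response header block and reports missing or weakened headers against the guidance given above. The two response blocks at the bottom are constructed samples, not captures from a real site, and the one-year threshold simply mirrors the nginx HSTS example.

```python
"""Audit the security headers of an HTTP response.

Added example (not from the original page): it parses a raw response header
block and reports which of the hardening headers discussed above are missing
or weakened. The two responses at the bottom are constructed samples.
"""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds, the HSTS max-age used in the nginx example above


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw header block into a dict keyed by lower-cased header name.

    Header names are case-insensitive; repeated headers are joined with ', '.
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse 'max-age=N; includeSubDomains; preload' into its directives."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        match = re.fullmatch(r'max-age="?(\d+)"?', d)
        if match:
            parsed["max_age"] = int(match.group(1))
        elif d == "includesubdomains":
            parsed["include_subdomains"] = True
        elif d == "preload":
            parsed["preload"] = True
    return parsed


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weakness; an empty list means all checks passed."""
    findings: List[str] = []

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        parsed = parse_hsts(hsts)
        max_age = parsed["max_age"]
        if max_age is None:
            findings.append("Strict-Transport-Security has no max-age")
        elif max_age < ONE_YEAR:
            findings.append(f"Strict-Transport-Security max-age={max_age} is below one year")
        if not parsed["include_subdomains"]:
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    xfo = headers.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and any other value is ignored by browsers
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    xcto = headers.get("x-content-type-options")
    if xcto is None or xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    referrer = headers.get("referrer-policy")
    if referrer is None:
        findings.append("Referrer-Policy missing")
    elif referrer.strip().lower() == "unsafe-url":
        findings.append("Referrer-Policy 'unsafe-url' sends full URLs to every destination")

    return findings


def audit_raw(raw: str) -> List[str]:
    """Convenience wrapper: parse a raw header block, then audit it."""
    return audit_headers(parse_headers(raw))


# Constructed sample responses (not captured from any real site).
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
X-XSS-Protection: 1; mode=block
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=600
X-Frame-Options: ALLOWALL
Referrer-Policy: unsafe-url
"""


if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        findings = audit_raw(raw)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Running it prints no findings for the hardened response and five for the weak one (short HSTS lifetime, no includeSubDomains, an unrecognised X-Frame-Options value, no nosniff, and a leaky Referrer-Policy). In practice you would feed it the header block from a real response (for example the output of a `curl -sI` run against your own site) rather than the embedded samples.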
An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. [7]
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser (keeping a user logged in, for example). It remembers stateful information for the stateless HTTP protocol.
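Because a session cookie is what keeps the user logged in, its Set-Cookie attributes decide how exposed that session is: Secure keeps it off plain HTTP, HttpOnly keeps it away from page scripts, SameSite limits cross-site sending, and a missing Expires/Max-Age keeps it from outliving the browser. The script below is an added example (not code from the original page or from the cheat sheets it links): it parses a Set-Cookie value and reports the weaknesses a session-cookie review looks for, including misuse of the `__Host-` prefix. The cookie strings are constructed samples.

```python
"""Check Set-Cookie headers for session-hardening attributes.

Added example (not from the original page): parses a Set-Cookie header value
and reports missing Secure/HttpOnly/SameSite attributes, persistence, and
misuse of the __Host- prefix. The cookie strings at the bottom are constructed.
"""
from typing import Dict, List, NamedTuple, Union

Attrs = Dict[str, Union[str, bool]]


class Cookie(NamedTuple):
    name: str
    value: str
    attrs: Attrs  # lower-cased attribute name -> value, or True for flags


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie value into name, value and lower-cased attributes.

    Flag attributes without a value (Secure, HttpOnly) are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_session_cookie(header: str) -> List[str]:
    """Return one finding per weakness in a session cookie; empty means OK."""
    cookie = parse_set_cookie(header)
    attrs = cookie.attrs
    findings: List[str] = []

    if "secure" not in attrs:
        findings.append("Secure missing: cookie can be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("HttpOnly missing: cookie is readable from page scripts")

    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append("SameSite missing: set Lax or Strict explicitly")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None requires Secure; browsers reject the cookie")

    if "expires" in attrs or "max-age" in attrs:
        findings.append("Expires/Max-Age set: session cookie persists after the browser closes")

    if cookie.name.startswith("__Host-"):
        # Browsers only accept __Host- cookies with Secure, Path=/ and no Domain
        if attrs.get("path") != "/" or "domain" in attrs:
            findings.append("__Host- prefix requires Path=/ and forbids Domain")
    elif "domain" in attrs:
        findings.append(f"Domain={attrs['domain']} shares the cookie with all subdomains")

    return findings


# Constructed sample Set-Cookie values (not captured from a real application).
HARDENED_COOKIE = "__Host-sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Strict"
WEAK_COOKIE = "sessionid=3f9a1c; Path=/; Domain=example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
BAD_PREFIX_COOKIE = "__Host-sid=3f9a1c; Domain=example.com; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    for header in (HARDENED_COOKIE, WEAK_COOKIE, BAD_PREFIX_COOKIE):
        print(header)
        for finding in audit_session_cookie(header) or ["OK"]:
            print("  -", finding)
```

The hardened cookie passes every check; the weak one trips all five (no Secure, no HttpOnly, no SameSite, persistent, and scoped to every subdomain via Domain); the third shows that the `__Host-` prefix is only honoured by browsers when Path=/ is set and Domain is absent, so a cookie named that way but configured otherwise is silently dropped.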