Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.1
Modern web development has many challenges, and of those security is both very important and often under-emphasized. While such techniques as threat analysis are increasingly recognized as essential to any serious development, there are also some basic practices that every developer can and should be doing as a matter of course. 2
Resources
- How to Implement Security HTTP Headers to Prevent Vulnerabilities?
- HTTP Security Headers: An Easy Way to Harden Your Web Applications
- An Overview of HTTP Security Headers
- Hardening Website Security – Part 1: HTTP Security Headers
- Hardening Website Security – Part 2: User Session Cookie Security
- Session Management Cheat Sheet
Related Topics
- Secure and Reliable Systems: Can a system be considered truly reliable if it isn't fundamentally secure? Or can it be considered secure if it's unreliable? Security is crucial to the design and operation of scalable systems in production, as it plays an important part in product quality, performance, and availability. 3
Books
Web Application Security: Exploitation and Countermeasures for Modern Web Applications - While many resources for network and IT security are available, detailed knowledge regarding modern web application security has been lacking--until now. This practical guide provides both offensive and defensive security concepts that software engineers can easily learn and apply.
Tools
Lighthouse is an open-source, automated tool for improving the quality of web pages. You can run it against any web page, public or requiring authentication. It has audits for performance, accessibility, progressive web apps, SEO and more.
You can run Lighthouse in Chrome DevTools, from the command line, or as a Node module. You give Lighthouse a URL to audit, it runs a series of audits against the page, and then it generates a report on how well the page did. From there, use the failing audits as indicators on how to improve the page. Each audit has a reference doc explaining why the audit is important, as well as how to fix it.4
Owasp Zap The world's most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers. 5
Cookies
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
HTTP headers
Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, and hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web.
- HTTP headers let the client and the server pass additional information with an HTTP request or response.
- OWASP Secure Headers Project - The OWASP Secure Headers Project describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.
HTTP Strict Transport Security
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. 6
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
To have Apache transfer the HSTS headers we need to add the headers module to the configuration (/etc/apache2/httpd.conf):
LoadModule headers_module modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
X-XSS-Protection
The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protections for users of older web browsers that don't yet support CSP.7
add_header "X-XSS-Protection" "1; mode=block";
Header set X-XSS-Protection "1; mode=block"
X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <fr
add_header X-Frame-Options SAMEORIGIN always;
Header always set X-Frame-Options "SAMEORIGIN"
Enable Referrer Policy
add_header Referrer-Policy "no-referrer-when-downgrade" always;
Header set Referrer-Policy "no-referrer-when-downgrade"
Enable protection from "mime" based attacks
add_header X-Content-Type-Options "nosniff" always;
Header set X-Content-Type-Options "nosniff"
Cache-Control
The Cache-Control HTTP header holds directives (instructions) for caching in both requests and responses. A given directive in a request does not mean the same directive should be in the response. 8
- What is cache-control? - Cache explained
- Best practices for cache control settings for your website
- Cache-Control for Civilians
Cache request directives
Standard Cache-Control directives that the client can use in an HTTP request:
- Cache-Control: max-age=<seconds>
- Cache-Control: min-fresh=<seconds>
- Cache-Control: no-cache
- Cache-Control: no-store
- Cache-Control: no-transform
- Cache-Control: only-if-cached
Pragma
The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. This header serves for backwards compatibility with the HTTP/1.0 caches that do not have a Cache-Control HTTP/1.1 header. 9
Expires
The Expires HTTP header contains the date/time after which the response is considered expired.
Invalid expiration dates with the value 0 represent a date in the past and mean that the resource is already expired. 10
Security
An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. 11
