
Web Application Security

Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems. [1]

Modern web development has many challenges; among them, security is both very important and often under-emphasized. While techniques such as threat analysis are increasingly recognized as essential to any serious development effort, there are also some basic practices that every developer can and should follow as a matter of course. [2]

Resources

Books

Web Application Security: Exploitation and Countermeasures for Modern Web Applications - While many resources for network and IT security are available, detailed knowledge regarding modern web application security has been lacking, until now. This practical guide provides both offensive and defensive security concepts that software engineers can easily learn and apply.

Tools

Lighthouse - An open-source, automated tool for improving the quality of web pages. You can run it against any web page, public or requiring authentication. It has audits for performance, accessibility, progressive web apps, SEO and more.

You can run Lighthouse in Chrome DevTools, from the command line, or as a Node module. You give Lighthouse a URL to audit, it runs a series of audits against the page, and then it generates a report on how well the page did. From there, use the failing audits as indicators of how to improve the page. Each audit has a reference doc explaining why the audit is important, as well as how to fix it. [3]

OWASP ZAP - The world's most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers. [4]

HTTP headers

  • HTTP headers let the client and the server pass additional information with an HTTP request or response.
  • OWASP Secure Headers Project - The OWASP Secure Headers Project describes HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities. The OWASP Secure Headers Project intends to raise awareness and use of these headers.

HTTP Strict Transport Security

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. [5]

Nginx Configuration
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";


To have Apache send the HSTS header, the headers module (mod_headers) must be loaded in the configuration (/etc/apache2/httpd.conf):

Apache Configuration (module load)
LoadModule headers_module modules/mod_headers.so

Apache Configuration
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

X-XSS-Protection

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline'), they can still provide protection for users of older web browsers that don't yet support CSP. [6]

Nginx Configuration
add_header "X-XSS-Protection" "1; mode=block";
Apache Configuration
Header set X-XSS-Protection "1; mode=block"

X-Frame-Options

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Nginx Configuration
add_header X-Frame-Options SAMEORIGIN always;
Apache Configuration
Header always set X-Frame-Options "SAMEORIGIN"

Enable Referrer Policy

Nginx Configuration
add_header Referrer-Policy "no-referrer-when-downgrade" always;
Apache Configuration
Header set Referrer-Policy "no-referrer-when-downgrade"

Enable protection from MIME-sniffing attacks

Nginx Configuration
add_header X-Content-Type-Options "nosniff" always;
Apache Configuration
Header set X-Content-Type-Options "nosniff"
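The Nginx and Apache snippets above only set the headers; it is easy to deploy one and forget another, or to ship an HSTS max-age that is too short to matter. The following Python audit function, an added example that is not part of the original page or of any tool it lists, takes a plain dict of response headers (for instance the headers returned by any HTTP client) and checks them against the values recommended in this section. The sample header sets are constructed here so the check runs offline; header names are treated case-insensitively as HTTP requires.

```python
"""Audit HTTP response headers against the recommendations in this section.

Added example (not from the original page). Input is a dict of response
headers; nothing is fetched from the network.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # the max-age used in the Nginx HSTS snippet above


def _hsts_findings(value: str) -> List[str]:
    """Parse 'max-age=N; includeSubDomains[; preload]' and report weak settings."""
    findings: List[str] = []
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0  # a non-numeric max-age is treated as no HSTS at all
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} below one year ({ONE_YEAR})")
    if "includesubdomains" not in directives:
        findings.append("HSTS missing includeSubDomains")
    return findings


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    else:
        findings.extend(_hsts_findings(h["strict-transport-security"]))

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if xss != "1;mode=block":
        findings.append("X-XSS-Protection not '1; mode=block' (only matters for older browsers)")

    return findings


# Constructed sample: what a server configured with the snippets above would send.
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: a default response with a too-short HSTS and nothing else set.
WEAK = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        result = audit_headers(hdrs)
        print(label, "OK" if not result else result)
```

Run it as a script to see the hardened sample pass and the weak sample produce six findings. In practice the same function can be pointed at the headers of a real response after a deployment, which is a cheap regression check that a configuration change did not silently drop one of these headers.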

Security

An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. [7]

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
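To make the round trip concrete, here is a minimal cookie jar, an added example that is not part of the original page: the server's Set-Cookie value is stored per host, and the stored pairs are returned only on later requests to that same host, which is what carries the "stateful information" over the stateless protocol. The Set-Cookie line is a constructed sample, and the jar deliberately ignores cookie attributes (anything after the first ';') and matches hosts exactly, so it is an illustration of the idea rather than a browser-grade implementation.

```python
"""Minimal per-host cookie jar illustrating the Set-Cookie / Cookie round trip.

Added example (not from the original page). Simplified: exact host match,
attributes after the first ';' are ignored.
"""
from typing import Dict


class CookieJar:
    def __init__(self) -> None:
        self._store: Dict[str, Dict[str, str]] = {}  # host -> {name: value}

    def store(self, host: str, set_cookie: str) -> None:
        """Record the name=value pair from a Set-Cookie response header for host."""
        pair = set_cookie.split(";", 1)[0]  # drop attributes such as Path=/
        name, _, value = pair.partition("=")
        if name.strip():
            self._store.setdefault(host, {})[name.strip()] = value.strip()

    def cookie_header(self, host: str) -> str:
        """Build the Cookie request header for a later request to host ('' if none)."""
        items = self._store.get(host, {})
        return "; ".join(f"{k}={v}" for k, v in items.items())


def simulate_session() -> Dict[str, str]:
    """Two requests after login: one to the issuing server, one to a different server."""
    jar = CookieJar()
    # Constructed sample: the login response from example.com sets a session id.
    jar.store("example.com", "sessionid=abc123; Path=/")
    return {
        "same_server": jar.cookie_header("example.com"),
        "other_server": jar.cookie_header("other.example.org"),
    }


if __name__ == "__main__":
    for target, header in simulate_session().items():
        print(f"{target}: Cookie: {header!r}")
```

The second request to a different host gets an empty Cookie header, which is the property that keeps one site's session identifier from leaking to another.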


Last edited by MichaelAlber .
Page last modified on Monday July 26, 2021 11:34:57 PDT.