Web application security is a branch of information security that deals specifically with the security of websites, web applications, and web services. At a high level, web application security draws on the principles of application security but applies them specifically to internet and web systems.1
Modern web development has many challenges, and of those security is both very important and often under-emphasized. While such techniques as threat analysis are increasingly recognized as essential to any serious development, there are also some basic practices that every developer can and should be doing as a matter of course. 2
- How to Implement Security HTTP Headers to Prevent Vulnerabilities?
- HTTP Security Headers: An Easy Way to Harden Your Web Applications
- An Overview of HTTP Security Headers
- Hardening Website Security – Part 1: HTTP Security Headers
- Hardening Website Security – Part 2: User Session Cookie Security
- Session Management Cheat Sheet
- Secure and Reliable Systems: Can a system be considered truly reliable if it isn't fundamentally secure? Or can it be considered secure if it's unreliable? Security is crucial to the design and operation of scalable systems in production, as it plays an important part in product quality, performance, and availability. 3
Web Application Security: Exploitation and Countermeasures for Modern Web Applications - While many resources for network and IT security are available, detailed knowledge regarding modern web application security has been lacking--until now. This practical guide provides both offensive and defensive security concepts that software engineers can easily learn and apply.
Lighthouse is an open-source, automated tool for improving the quality of web pages. You can run it against any web page, public or requiring authentication. It has audits for performance, accessibility, progressive web apps, SEO and more.
You can run Lighthouse in Chrome DevTools, from the command line, or as a Node module. You give Lighthouse a URL to audit, it runs a series of audits against the page, and then it generates a report on how well the page did. From there, use the failing audits as indicators on how to improve the page. Each audit has a reference doc explaining why the audit is important, as well as how to fix it.4
OWASP ZAP - The world's most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers. 5
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol.
Hypertext Transfer Protocol (HTTP) is an application protocol for distributed, collaborative, and hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web.
- HTTP headers let the client and the server pass additional information with an HTTP request or response.
- OWASP Secure Headers Project - The OWASP Secure Headers Project describes HTTP response headers that an application can set to increase its security. Once set, these response headers keep modern browsers from running into easily preventable vulnerabilities. The project intends to raise awareness and use of these headers.
The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) lets a website tell browsers that it should only be accessed using HTTPS, instead of using HTTP. 6

nginx:

```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
```

To have Apache send the HSTS header, load the headers module in the configuration (/etc/apache2/httpd.conf) and set the header:

```apache
LoadModule headers_module modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
```
X-XSS-Protection, nginx:

```nginx
add_header "X-XSS-Protection" "1; mode=block";
```

Apache:

```apache
Header set X-XSS-Protection "1; mode=block"
```
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <fr
nginx:

```nginx
add_header X-Frame-Options SAMEORIGIN always;
```

Apache:

```apache
Header always set X-Frame-Options "SAMEORIGIN"
```
Referrer-Policy, nginx:

```nginx
add_header Referrer-Policy "no-referrer-when-downgrade" always;
```

Apache:

```apache
Header set Referrer-Policy "no-referrer-when-downgrade"
```
X-Content-Type-Options, nginx:

```nginx
add_header X-Content-Type-Options "nosniff" always;
```

Apache:

```apache
Header set X-Content-Type-Options "nosniff"
```
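As an added example (not part of the original notes), the following Python check evaluates a response's headers against the baseline configured above: HSTS with a max-age of at least one year and includeSubDomains, X-Frame-Options DENY or SAMEORIGIN, X-Content-Type-Options nosniff, and a Referrer-Policy. The sample header sets are constructed, and the one-year threshold is an assumption taken from the nginx line above.

```python
# Added example: audit a response's security headers against the baseline
# configured above. Sample headers are constructed, not captured from a site.
HSTS_MIN_AGE = 31536000  # one year, the max-age used in the nginx line above


def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            age = directive.split("=", 1)[1].strip('"')
            max_age = int(age) if age.isdigit() else None
        elif directive == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def audit_headers(headers):
    """Return the list of baseline violations; an empty list means all checks pass."""
    h = {name.lower(): value for name, value in headers.items()}  # names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age, include_subdomains = parse_hsts(hsts)
        if max_age is None or max_age < HSTS_MIN_AGE:
            findings.append("HSTS max-age below %d seconds" % HSTS_MIN_AGE)
        if not include_subdomains:
            findings.append("HSTS lacks includeSubDomains")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if not h.get("referrer-policy", "").strip():
        findings.append("missing Referrer-Policy")
    return findings


# Constructed responses: one matching the nginx/Apache lines above, one weak.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
}
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL"}
```

Feeding it the headers of a live response (for example the `headers` attribute of a `urllib.request` response object) gives the same list of findings.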
The Cache-Control HTTP header holds directives (instructions) for caching in both requests and responses. A given directive in a request does not mean the same directive should be in the response. 8
- What is cache-control? - Cache explained
- Best practices for cache control settings for your website
- Cache-Control for Civilians
Standard Cache-Control directives that the client can use in an HTTP request:
- Cache-Control: max-age=<seconds>
- Cache-Control: min-fresh=<seconds>
- Cache-Control: no-cache
- Cache-Control: no-store
- Cache-Control: no-transform
- Cache-Control: only-if-cached
The Pragma HTTP/1.0 general header is an implementation-specific header that may have various effects along the request-response chain. This header serves for backwards compatibility with the HTTP/1.0 caches that do not have a Cache-Control HTTP/1.1 header. 9
The Expires HTTP header contains the date/time after which the response is considered expired.
Invalid expiration dates with the value 0 represent a date in the past and mean that the resource is already expired. 10
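Added example (not from the original notes): a small decision function for a shared cache that applies the precedence described above. Cache-Control no-store (or private, for a shared cache) stops storage, no-cache forces revalidation, Pragma: no-cache is honoured only when Cache-Control is absent (its HTTP/1.0 fallback role), max-age and s-maxage take precedence over Expires, and an invalid Expires value such as 0 counts as already expired. The header sets used to exercise it are constructed.

```python
# Added example: decide how a shared cache may treat a response, following
# the Cache-Control / Pragma / Expires precedence described above.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def http_date(value):
    """Parse an HTTP date into an aware UTC datetime; raises on invalid input."""
    parsed = parsedate_to_datetime(value)  # TypeError or ValueError when invalid
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def parse_cache_control(value):
    """'no-store, max-age=0' -> {'no-store': None, 'max-age': '0'} (names lower-cased)."""
    directives = {}
    for token in value.split(","):
        name, _, arg = token.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives


def expires_lifetime(expires, date_header=None):
    """Seconds of freshness granted by Expires; unparsable values such as 0 mean 0."""
    try:
        expires_at = http_date(expires)
    except (TypeError, ValueError):
        return 0  # invalid date or "Expires: 0": already expired
    try:
        base = http_date(date_header)
    except (TypeError, ValueError):
        base = datetime.now(timezone.utc)  # no usable Date header: use receipt time
    return max(0, int((expires_at - base).total_seconds()))


def shared_cache_policy(headers):
    """Return ('no-store', 0), ('revalidate', 0) or ('fresh', seconds)."""
    h = {name.lower(): value for name, value in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "no-store", 0
    if "no-cache" in cc:
        return "revalidate", 0
    if not cc and h.get("pragma", "").strip().lower() == "no-cache":
        return "revalidate", 0  # HTTP/1.0 fallback, only when Cache-Control is absent
    for name in ("s-maxage", "max-age"):  # s-maxage wins for shared caches
        if (cc.get(name) or "").isdigit():
            return "fresh", int(cc[name])
    if "expires" in h:
        return "fresh", expires_lifetime(h["expires"], h.get("date"))
    return "revalidate", 0  # no explicit freshness: do not serve without checking
```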
An attack vector is a path or means by which a hacker (or cracker) can gain access to a computer or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. 11