Web Application Security: 10 Best Practices

3. Cross-Site Request Forgery (CSRF) Prevention by Using a Key

CSRF is a type of attack that uses disadvantages of the HTTP protocol and forces the end users to execute unwanted actions on websites. If the victims use a malicious website created by a CSRF attacker, they perform an undesired function. For example, the target victims could send without knowledge a request to another server where the attacker compromises user data and associated functions, and performs some kind of harmful operations.

Any requests for data changes on the server as well as those that return personal data ought to be protected against the CSRF attacks.

One method is to transfer the secret key with each user request. This key should be among the POST, PUT, PACH, UPDATE options that an end-user sends. Before any action, the server checks the key.

4. Cross-Site Scripting Prevention by Using JavaScript

If there is an access to the client-server side, then you can change the js-script code. The essence of this method is to rewrite some DOM methods – particularly, the write method of a class document. This will make the creation of i-frames or other html-code for the XSS attacks or the placement of malicious code impossible. To do this, you shave to add the code:

HTMLDocument.prototype.defineGetter("write",function(){return null});

5. Preventing an authentication hacking attack

Everything is simple here: the attackers try to find passwords or session ID's and get access the desired information.

To protect yourself, you should do the following:

• Hash passwords
• Transfer session id in cookies (do not show session ID's in the URL)
• Use one session (when the user logs in, do not restore the old session, and when the user logs off – clear the session)

6. Preventing DDoS attacks

Denial of Service is an attack on a computer system with an intention of making computer resources inaccessible to users.

In fact, there is no way out to stop DDoS attacks. However, the consequences of DDoS attacks can be significantly reduced by properly configuring the router and firewall, and if you are constantly making analysis of anomalies in a network traffic.

You can prepare yourself for this situation:

• All servers that have direct access to the external network must be prepared for simple and fast remote work. A big advantage will be the presence of an additional administrative network interface through which you can get an access to the server if a main channel is used.
• The software that is used on the server must always be up to date. All holes are closed – the updates are installed. This will protect you from DoS attacks and bugs in services.
• On the closest step to the server – the nearest router – must be installed a traffic analysis system (Netflow) which will allow you to learn in time about the attack and to carry out all the measures to prevent it.

7. Use Cookies securely

Куки є дуже зручні для користувачів і для того щоб захиститися від взлому за їх допомогою потрібно: Ніколи не використовувати куки для зберігання високочутливий або критично важливої інформації. Наприклад, не використовувати куки для запам'ятовування паролів користувачів, так як це робить його неймовірно легко для хакерів, щоб отримати несанкціонований доступ. Потрібно шифрувати інформацію, яка зберігається в куки, які ви використовуєте.

To protect your application against attacks based on cookies vulnerabilities and to keep applications secure, you may:

• Never use cookies to store highly sensitive or important information. For example, do not use cookies to remember passwords. Otherwise, it may allow hackers to gain unauthorized access.
• Encrypt the information that is stored in the cookies you are using.

8. Set up cookies (to be secure)

To correctly use the cookies, they must be properly configured, so that they do not involve any risks to the user.

You have to set a reasonable expiration date for cookies. Of course, it's nice to know that cookies will remain in effect for the user for several months in a row, but the reality is that each of them represents a security risk.

In the server header settings, specify the Set-Cookie header with the HttpOnly parameter. And each of the cookies with this parameter will be available only for the server, but not for the client code (JS/VBS). This will protect against cookie-theft attacks.

9. Safe connection

Here I will tell you how to improve connection security:

• Change HTTP to HTTPS
• Apply and follow the content security policy
• Use TLS or SSH

TLS is a communication protocol that allows the client-server applications to communicate on the network while preventing unauthorized access and providing security communications that are not being tapped and recorded.

10. Server security

Here, I will tell how to set the server for safe operations.

• First, you need to update the server to latest operating system, then:
• Install Fail2ban – it is a daemon that monitors the attempts to login into the server, and it blocks suspicious activities, if any occur. It contains the basic configurations.
• Authorize on the server with the ssh key. To disable authorization, you need to enter a password. Once the user adds the key to a program, the system authorizes the user to log in.
• Install Firewall. Allow to operate through the required ports and close all the rest ports.
• Enable automatic updates for the operating system security – this will allow not controlling the status of a system and closing all the gaping holes in the safety.
• Install and configure Logwatch – it is a daemon that monitors the server logs and sends them to an email. This is useful as you can perform additional checks of the server and prevent all unauthorized access to it.

More information can be found here.

Conclusion

If you complete all of the above requirements, the web app will be fairly secure. However, you can never be 100 percent sure. Always keep the security system updated and monitor the WEB security trends.