Protection of WEB App is of paramount importance and it should be afforded the same level of security as the intellectual rights or private property. Neglecting safety rules sometimes leads to catastrophic consequences. In this article I'm going to cover how to protect your WEB App.
It could be either a scammer or hacker who could leave on your website a comment or message similar to:
If you print this text directly to HTML without reviewing or debugging, the script will run on all visitors’ browsers. So, try to remove dangerous tags from the text and escape special characters.
For example, you can replace
" with < > ". After editing the code, you will get the following results:
If you have an access to the server, you can add headers such as:
X-Content-Type-Options, X-XSS-Protection, X-Frame-Options, X-Content-Security-Policy, Strict-Transport-Security.
Each of them will provide the expected degree of protection. Here, let’s look at each a little more closely.
X-Content-Type-Options, you should send the
nosniff value. This is a security feature that helps prevent attacks using in response the MIME type’s replacement. More precisely, the "stylesheet" and "script" files will not be loaded unless they match the correct MIME types. You can read more here: MSDN
X-XSS-Protection: 1; mode=block. If we put this header with the same values, we’ll enable the XSS filtering. And instead of scanning the page, if an attack is detected, the browser will stop its visualization. Read more: MSDN
X-Frame-Options with the
DENY value prohibits the page to be displayed in a frame, so that you can not use the page on other websites. Read more: MSDN
X-Content-Security-Policy – the value of this header must be formed based on the technical requirements for the website functionality, in accordance with w3
Strict-Transport-Security: max-age=expireTime, the time, in seconds, for which the browser should remember that this site has to be accessed only using HTTPS. This header lets a web site inform the browser that it should never load the site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead. Read more: MSDN
CSRF is a type of attack that uses disadvantages of the HTTP protocol and forces the end users to execute unwanted actions on websites. If the victims use a malicious website created by a CSRF attacker, they perform an undesired function. For example, the target victims could send without knowledge a request to another server where the attacker compromises user data and associated functions, and performs some kind of harmful operations.
Any requests for data changes on the server as well as those that return personal data ought to be protected against the CSRF attacks.
One method is to transfer the secret key with each user request. This key should be among the POST, PUT, PACH, UPDATE options that an end-user sends. Before any action, the server checks the key.
If there is an access to the client-server side, then you can change the js-script code. The essence of this method is to rewrite some DOM methods – particularly, the write method of a class document. This will make the creation of i-frames or other html-code for the XSS attacks or the placement of malicious code impossible. To do this, you shave to add the code:
Everything is simple here: the attackers try to find passwords or session ID's and get access the desired information.
To protect yourself, you should do the following:
Denial of Service is an attack on a computer system with an intention of making computer resources inaccessible to users.
In fact, there is no way out to stop DDoS attacks. However, the consequences of DDoS attacks can be significantly reduced by properly configuring the router and firewall, and if you are constantly making analysis of anomalies in a network traffic.
You can prepare yourself for this situation:
Куки є дуже зручні для користувачів і для того щоб захиститися від взлому за їх допомогою потрібно: Ніколи не використовувати куки для зберігання високочутливий або критично важливої інформації. Наприклад, не використовувати куки для запам'ятовування паролів користувачів, так як це робить його неймовірно легко для хакерів, щоб отримати несанкціонований доступ. Потрібно шифрувати інформацію, яка зберігається в куки, які ви використовуєте.
To protect your application against attacks based on cookies vulnerabilities and to keep applications secure, you may:
To correctly use the cookies, they must be properly configured, so that they do not involve any risks to the user.
You have to set a reasonable expiration date for cookies. Of course, it's nice to know that cookies will remain in effect for the user for several months in a row, but the reality is that each of them represents a security risk.
In the server header settings, specify the Set-Cookie header with the HttpOnly parameter. And each of the cookies with this parameter will be available only for the server, but not for the client code (JS/VBS). This will protect against cookie-theft attacks.
Here I will tell you how to improve connection security:
TLS is a communication protocol that allows the client-server applications to communicate on the network while preventing unauthorized access and providing security communications that are not being tapped and recorded.
Here, I will tell how to set the server for safe operations.
More information can be found here.
If you complete all of the above requirements, the web app will be fairly secure. However, you can never be 100 percent sure. Always keep the security system updated and monitor the WEB security trends.
In my current project I had a task to use twitter API. Twitter uses OAuth for authentication, which is pretty dreary. To avoid fiddling with it all the time, I've moved authentication to decorator. If key is available - nothing happens, just view is launched as usual. It's convenient that there's no need for additional twitter settings in user profile. Code is in article.
In order to check if user is authentcated in test, you can run: from django.contrib.auth import get_user class MyTestCase(TestCase): def test_login(self): self.assertFalse(get_user(self.client).is_authenticated()) self.client.login(username='fred', password='secret') self.assertTrue(get_user(self.client).is_authenticated())
Usually users' profiles are stored in single model. When there are multiple user types, separation is made by some field like user_type.Situation is a little more complicated when different data is needed for each user type.In this article I'll describe how I solve this task.