Web security
One of the most critical parts of developing software is thinking about the security risks involved when a user engages with it. There are many ways to combat hackers and unwanted troublemakers, but there are even more ways to attack, and the systems for creating software are being developed faster than the systems that protect us from online threats.
That poses certain problems so let’s go over some ways in which we can combat these pesky meddlers that want our information.
HTTPS & SSL
Secure Hypertext Transfer Protocol, or HTTPS, is an extension of HTTP. It is used for secure communication over a computer network and is used on the internet by the majority of websites. In HTTPS, the communication is encrypted using Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL).
Using HTTPS gives us reasonable assurance that we are communicating with the intended website without having to worry about pesky meddlers messing with our Twitter account.
CORS
Cross-origin resource sharing or CORS is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests but is more secure than simply allowing all cross-origin requests.
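The server side of that browser/server interaction, as an added example that is not part of the original post: given the request's Origin header and a fixed allowlist, decide which Access-Control-* headers to send back, answer the preflight the browser sends before a "non-simple" request, and flag the two classic misconfigurations (a wildcard origin combined with credentials, and a per-origin answer without Vary: Origin). The allowlist, origins and header values are constructed sample values.

```python
# Added example (not from the original post): server-side CORS decision logic.
# Hypothetical allowlist of exact origins (scheme + host + port) that may read
# responses from this API with credentials (cookies, Authorization header).
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com:8443",
}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_REQUEST_HEADERS = {"content-type", "authorization"}


def cors_headers(method, request_headers):
    """
    Decide the CORS response headers for one request.

    method: the HTTP method ("OPTIONS" for a preflight).
    request_headers: dict of request headers, matched case-insensitively.
    Returns (status, response_headers): 403 refuses the cross-origin request,
    204 answers a preflight, 200 is a normal response the browser may expose.
    """
    hdrs = {k.lower(): v for k, v in request_headers.items()}
    origin = hdrs.get("origin")
    if origin is None:
        return 200, {}  # same-origin or non-browser client: no CORS headers needed

    # Exact match against the allowlist. Never reflect an arbitrary Origin
    # back, and never combine "*" with Access-Control-Allow-Credentials.
    if origin not in ALLOWED_ORIGINS:
        return 403, {}

    response = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve this answer to another origin
    }

    if method == "OPTIONS" and "access-control-request-method" in hdrs:
        # Preflight: the browser asks whether the real request would be allowed.
        wanted_method = hdrs["access-control-request-method"].upper()
        wanted_headers = {
            h.strip().lower()
            for h in hdrs.get("access-control-request-headers", "").split(",")
            if h.strip()
        }
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_REQUEST_HEADERS:
            return 403, {}
        response.update({
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_REQUEST_HEADERS)),
            "Access-Control-Max-Age": "600",  # let the browser cache the answer
        })
        return 204, response

    return 200, response


def audit_cors_response(response_headers):
    """Flag common CORS misconfigurations in a set of response headers."""
    h = {k.lower(): v for k, v in response_headers.items()}
    problems = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        problems.append("wildcard origin combined with credentials (browsers reject this)")
    if acao == "null":
        problems.append("'null' origin allowed (sandboxed frames and file:// pages send it)")
    if acao and acao != "*" and "origin" not in h.get("vary", "").lower():
        problems.append("per-origin response without 'Vary: Origin' (cache may mix origins)")
    return problems


if __name__ == "__main__":
    print(cors_headers("GET", {"Origin": "https://app.example.com"}))
    print(cors_headers("OPTIONS", {"Origin": "https://app.example.com",
                                   "Access-Control-Request-Method": "POST",
                                   "Access-Control-Request-Headers": "Content-Type"}))
    print(audit_cors_response({"Access-Control-Allow-Origin": "*",
                               "Access-Control-Allow-Credentials": "true"}))
```

The design point is that the allowlist is the only place an origin can come from: reflecting whatever Origin the browser sends, which some frameworks do when configured with a wildcard plus credentials, turns CORS back into "allow everything".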
Content Security Policy (CSP)
Content Security Policy, or CSP, is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.
This is a brilliant lecture about XSS and how to combat it with CSP.
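To make the CSP mechanism concrete, here is an added example (not from the original post) of a small policy evaluator: it parses a Content-Security-Policy header, finds the directive that governs a script load (script-src, falling back to default-src) and decides whether a given inline or external script would run. A lint function then points out the settings that leave a policy ineffective against XSS. The policies, page origin and URLs are constructed samples; ports, path matching and 'strict-dynamic' are deliberately left out of this simplified matcher.

```python
# Added example (not from the original post): a simplified CSP evaluator.
from urllib.parse import urlsplit

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Turn "a b c; d e" into {"a": ["b", "c"], "d": ["e"]} (names lowercased)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            # Per the spec, the first occurrence of a directive wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_matches(source, url, page_origin):
    """Match one host-source such as https://cdn.example.com or *.example.com."""
    u, page = urlsplit(url), urlsplit(page_origin)
    if "://" in source:
        scheme, _, host_part = source.partition("://")
        if u.scheme != scheme.lower():
            return False
    else:
        # Scheme-less sources inherit the page's scheme; https is always acceptable.
        host_part = source
        if u.scheme not in (page.scheme, "https"):
            return False
    pattern = host_part.split("/")[0].split(":")[0].lower()  # drop path and port
    host = (u.hostname or "").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def script_allowed(header, page_origin, script_url=None, nonce=None):
    """
    True if the policy lets this script run. script_url=None means an inline
    <script> block; nonce is the value of the element's nonce attribute.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # nothing governs scripts, so CSP does not restrict them
    if sources == ["'none'"]:
        return False
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True  # a matching nonce allows inline and external scripts alike
    if script_url is None:
        # Inline script without a valid nonce: only 'unsafe-inline' allows it,
        # and CSP3 ignores 'unsafe-inline' once any nonce or hash is present.
        nonce_or_hash_present = any(s.startswith(HASH_OR_NONCE) for s in sources)
        return "'unsafe-inline'" in sources and not nonce_or_hash_present
    u, page = urlsplit(script_url), urlsplit(page_origin)
    for s in sources:
        if s == "*" and u.scheme in ("http", "https"):
            return True
        if s == "'self'" and (u.scheme, u.hostname) == (page.scheme, page.hostname):
            return True
        if s.endswith(":") and u.scheme == s[:-1].lower():  # scheme-source, e.g. https:
            return True
        if not s.startswith("'") and s != "*" and host_matches(s, script_url, page_origin):
            return True
    return False


def lint_policy(header):
    """Flag settings that make a CSP weak against XSS."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    findings = []
    if "'unsafe-inline'" in sources and not any(s.startswith(HASH_OR_NONCE) for s in sources):
        findings.append("'unsafe-inline' allows injected inline scripts")
    if "'unsafe-eval'" in sources:
        findings.append("'unsafe-eval' allows eval() of injected strings")
    if any(s in ("*", "http:", "https:", "data:") for s in sources):
        findings.append("wildcard or whole-scheme source lets scripts load from anywhere")
    return findings


if __name__ == "__main__":
    strict = "default-src 'none'; script-src 'self' 'nonce-abc123' https://cdn.example.com"
    weak = "default-src * 'unsafe-inline'"
    page = "https://shop.example.com"
    print(script_allowed(strict, page, None), script_allowed(strict, page, None, nonce="abc123"))
    print(lint_policy(strict), lint_policy(weak))
```

Running the two sample policies against the same inline script shows the practical difference: under the strict policy only the script carrying the server-generated nonce runs, while the weak policy lets any inline script run and is therefore no defence against XSS at all, which is exactly what lint_policy reports.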
Firewalls
A firewall is a system that filters network traffic. It can either let it pass or block it, according to some specified rules. For example, it can block incoming connections aimed at a certain port or outgoing connections to a certain IP address.
Firewalls can be as simple as a single piece of software, or more complex, like a dedicated machine whose only function is to act as a firewall.
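The rule-matching the two paragraphs above describe, as an added example that is not part of the original post: a minimal stateless packet filter whose rules are tried first to last, where the first matching rule decides and a final catch-all blocks everything not explicitly allowed. It includes the text's two examples (block incoming connections to a port, block outgoing connections to an IP address). The addresses, ports, ruleset and sample "packets" are constructed values, and the filter tracks no connection state, which a real stateful firewall would.

```python
# Added example (not from the original post): a first-match, default-deny
# packet filter over constructed sample traffic.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "block"
    direction: Optional[str] = None    # "in", "out" or None for either
    proto: Optional[str] = None        # "tcp", "udp" or None for any
    src: Optional[str] = None          # source network in CIDR notation
    dst: Optional[str] = None          # destination network in CIDR notation
    dport: Optional[int] = None        # destination port

    def matches(self, pkt):
        """A field set to None matches anything; all set fields must match."""
        return (
            (self.direction is None or self.direction == pkt["direction"])
            and (self.proto is None or self.proto == pkt["proto"])
            and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
            and (self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst))
            and (self.dport is None or self.dport == pkt["dport"])
        )


RULESET = [
    # Block incoming connections aimed at a certain port (the post's example).
    Rule(action="block", direction="in", proto="tcp", dport=23),
    # Block outgoing connections to a certain IP address (the post's other example).
    Rule(action="block", direction="out", dst="203.0.113.9/32"),
    # Allow only the service this host is meant to expose ...
    Rule(action="allow", direction="in", proto="tcp", dport=443),
    # ... and let it talk to the internal network.
    Rule(action="allow", direction="out", dst="10.0.0.0/8"),
    # Everything else is dropped: order matters, so this catch-all goes last.
    Rule(action="block"),
]


def filter_packet(pkt, rules=RULESET):
    """Return (action, index of the rule that decided) for one packet."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "block", -1  # only reached if the ruleset lacks a catch-all


def filter_log(packets, rules=RULESET):
    """Run a batch of packets and return one log line per decision."""
    lines = []
    for p in packets:
        action, idx = filter_packet(p, rules)
        lines.append(f'{action.upper():5} rule={idx} {p["direction"]} {p["proto"]} '
                     f'{p["src"]} -> {p["dst"]}:{p["dport"]}')
    return lines


# Constructed sample traffic (documentation address ranges, no real hosts).
SAMPLE = [
    {"direction": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "10.1.2.3", "dport": 443},
    {"direction": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "10.1.2.3", "dport": 23},
    {"direction": "out", "proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.9", "dport": 80},
    {"direction": "out", "proto": "udp", "src": "10.1.2.3", "dst": "10.9.9.9", "dport": 53},
    {"direction": "in",  "proto": "udp", "src": "198.51.100.7", "dst": "10.1.2.3", "dport": 161},
]

if __name__ == "__main__":
    print("\n".join(filter_log(SAMPLE)))
```

The last sample packet (inbound SNMP on UDP 161) is the one worth noticing: no rule mentions it, yet it is dropped, because the ruleset ends with an explicit block-everything rule rather than relying on an implicit allow.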
An interesting example of a firewall is the Great Firewall of China.
It is the combination of legislative actions and technologies enforced by the People’s Republic of China to regulate the Internet domestically. Its role in internet censorship in China is to block access to selected foreign websites and to slow down cross-border internet traffic.
The effect includes: limiting access to foreign information sources, blocking foreign internet tools (e.g. Google search, Facebook, Twitter, Wikipedia, and others) and mobile apps, and requiring foreign companies to adapt to domestic regulations.
In order to bypass such restrictions, you need to use a VPN.
OWASP
The Open Web Application Security Project, or OWASP, is a nonprofit foundation that works to improve the security of software through community-led open-source software projects.
Everybody can participate in the foundation through events and online groups such as Slack channels.
OWASP maintains a list called the OWASP Top 10. It is a standard awareness document for developers and web application security that lists the most common online security threats developers should be aware of.
They encourage companies to adopt the list and start the process of minimizing the risk of attacks.
The top 10 security risks in 2020 are the following:
- Injection
- Broken Authentication
- Sensitive Data Exposure
- XML External Entities
- Broken Access Control
- Security Misconfiguration
- Cross-Site Scripting or XSS
- Insecure Deserialization
- Using components with known vulnerabilities
- Insufficient logging and monitoring
I recommend checking out their site for information about online security and how to develop a safer site for users. They have a bunch of valuable tools and resources that are good to keep in your toolbelt.