I recently shared the following QR code with my work's Slack group:
Pro tip: never just scan a random QR code without checking it with a service...
Thank you for sharing this post! I really enjoy seeing people picking up this topic and sharing their ideas and thoughts.
You are bringing up CSP as a measure to prevent certain kinds of attacks. This is a very powerful but also a complex security feature. In my experience, if you do not start with a very strict CSP right from the beginning, you will have a hard time adding it later to a production site without breaking anything.
I really like the way that Google explains all of it here:
developers.google.com/web/fundamen...
And the Owasp site is always a good starting point as well: owasp.org/index.php/Content_Securi...
There are a few more headers that already improve the basic security of any web app quite a bit and are easier, if not trivial, to implement.
The most important and notable ones are:
They are all explained quite well - again - on the OWASP site: owasp.org/index.php/OWASP_Secure_H...
@Jamie I think you did a great job on explaining all of this, thank you again.
Thanks Jamie for the mind-awakening post.
I have a question regarding general security.
When you program, sometimes implementing with an O(n^2) or O(n log n) algorithm is just good enough compared to a possible O(n) one. Is there an absolute minimum of security knowledge developers should know about that's good enough?
Imagine you want to steal a car. You case a street and check out each car, one by one. You look for any visible means of entry, but you're also looking for any physical locks on the steering wheel, etc. You also need to know which models are easier to hot-wire.
Now imagine that you have to park your car along a street where a lot of thefts have taken place. To ensure that your car isn't going to be picked out, you make sure that you have put any valuables away in the glove box or trunk; locked your car; placed a physical lock on the steering wheel; engaged the immobiliser; armed your alarm; etc.
In security, you need to be looking for the ways that someone could break into your app. You want to find as many as possible and put things in place to stop others from exploiting them.
I would say that every web developer should know of the OWASP Top 10 security risks, at the very least. You could easily lose a day or two, doing a deep dive on the OWASP site (just like anyone could with TV Tropes) and still only scratch the surface.
How I understood it was that, when hackers are looking for vulnerable sites, they tend to attack those with a lack of security measures.
And "a street where a lot of thefts have taken place" sounds like popular commercial sites, where security needs to be tighter.
And thanks mate for providing the absolute minimum (OWASP list) one should know.
Great.
I love that one: "When a breach or security issue happens, it'll be our butts on the line, not those of the decision makers."
That's true, but it is always very hard to make them responsible for what they asked.
And the ones who are going to work day and night to solve a security breach are always the engineers. Pretty rarely the decision makers.
Which is precisely why we should always speak up, and make our opinions known. It can be hard to do it, but it's our job to make sure that these things are covered. No one else is going to bring it up, but us.
After all, we're the experts.
Hi Jamie,
Great post! I must admit I added an external script via JS in a similar manner recently (it's not in production yet, luckily, so provided I get some solid advice here, that'll definitely change). The reason behind that was that I wish to download the lib dynamically only on a certain SPA route. How would you handle such a situation?
External scripts aren't really a big problem.
I would recommend that you add it to your CSP, generate an SRI hash, and make sure that require-sri-for is enabled in your CSP.
That way, if the external script ever changes then the browser won't even load it.
I found observatory.mozilla.org/ helpful, and cspisawesome.com/ as well.
Fantastic links, Thomas. I really like CSP is Awesome; it looks really helpful for setting up what is an incredibly complex thing.
For those who are doing .NET stuff, I know that Paul Seal's Security Headers tool can help to generate the web.config sections, too.
Many thanks for this post.
You're very welcome
This is an amazing article and a definite eye-opener for me.
Thank you for sharing Jamie. Appreciate the content.
Pavon
Great article. Thank you!
"4000 sites where hit with this attack."
*were
Doh! I always get that wrong.
Thanks, I'll amend the post