DEV Community

Cover image for Three Steps For Increasing The Security of Your Web Apps

Three Steps For Increasing The Security of Your Web Apps

Jamie on September 13, 2018

I recently shared the following QR code with my work's Slack group: Pro tip: never just scan a random QR code without checking it with a service...
Collapse
 
pxlpnk profile image
Andreas Tiefenthaler

Thank you for sharing this post! I really enjoy seeing people picking up this topic and sharing their ideas and thoughts.

You are bringing up CSP as a measure to prevent certain kinds of attacks, this is a very powerful but also a complex security feature. In my experience, if you do not start with a very strict CSP right from the beginning you will have a hard time adding it later to a production site without breaking anything.

I really like the way that Google explains all of it here:
developers.google.com/web/fundamen...
And the Owasp site is always a good starting point as well: owasp.org/index.php/Content_Securi...

There are a few more headers that already improve the basic security of any web app quite a bit and are easier, if not even trivial to implement.

The most important and notable ones are:

  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options

They are all quite good explained - again - on the OWASP site: owasp.org/index.php/OWASP_Secure_H...

@Jamie I think you did a great job on explaining all of this, thank you again.

Collapse
 
dance2die profile image
Sung M. Kim

Thanks Jamie for the mind-awakening post.

I have a question regarding a general security.

When you program, sometimes implementing with O(n^2) or O(n log n) algorithm is just good enough compared to a possible O(N) ones.

Are there any absolutely minimum of security knowledge developers should know about that's good enough?

Collapse
 
dotnetcoreblog profile image
Jamie

Imagine you want to steal a car. You case a street and check out each car, one by one. You look for any visible means entry, but you're also looking for any physical locks on the steering wheel, etc. You also need to know which models are easier to hot wire.

Now imagine that you have to park your car along a street where a lot of thefts have taken place. To ensure that your car isn't going to be picked out, you make sure that you have put any valuables away in the glove box or trunk locked your car; placed a physical lock on the steering wheel; engaged the imobiliser; armed your alarm; etc.

In security, you need to be looking for the ways that someone could break into your app. You want to find as many as possible and put things in place to stop others from exploiting them.

I would say that every web developer should know of the OWASP Top 10 security risks, at the very least. You could easily lose a day or two, doing a deep dive on the OWASP site (just like anyone could with TV Tropes) and still only scratch the surface.

Collapse
 
dance2die profile image
Sung M. Kim

How I understood was that, when hackers are looking for vulnerable sites and tend to attack those with lack of security measures.

And "a street where a lot of thefts have taken place" sounds like a popular commercial sites, where security need to be more tight.

And thanks mate for providing the absolutely minimum (OWASP list) one should know.

Collapse
 
shostarsson profile image
Rémi Lavedrine

Great.
I love that one "When a breech or security issue happens, it'll be our butts on the line not those of the decision makers.".
That's true, but it is always very hard to make them responsible for what they asked.
And the one that is going to work days and nights to solve a security breach is always the engineers. Pretty rarely the decision maker.

Collapse
 
dotnetcoreblog profile image
Jamie

but it is always very hard to make them responsible for what they asked.
And the one that is going to work days and nights to solve a security breach is always the engineers. Pretty rarely the decision maker.

Which is precisely why we should always speak up, and make our opinions known. It can be hard to do it, but it's our job to make sure that these things are covered. No one else is going to bring it up, but us.

After all, we're the experts.

Collapse
 
andreasvirkus profile image
ajv • Edited

Hi Jamie,

Great post! I must admit I added an external script via js in a similar manner recently (it's not in production yet luckily, so granted I get some solid advice here, that'll definitely change). The reason behind that was that I wish to download the lib dynamically only on a certain spa route. How would you handle such a situation?

Collapse
 
dotnetcoreblog profile image
Jamie

External scripts aren't really a big problem.

I would recommend that you have add it to your CSP, generate an SRI, and make sure that require SRI for is enabled in your CSP.

That way, if the external script ever changes then the browser won't even load it.

Collapse
 
thomasjunkos profile image
Thomas Junkツ

I found

observatory.mozilla.org/ helpful and cspisawesome.com/ as well.

Collapse
 
dotnetcoreblog profile image
Jamie

Fantastic links Thomas. I really like CSP is Awesome it looks really helpful for setting up what is an incredibly complex thing.

For those who are doing .NET stuff, I know that Paul Seal's Security Headers tool can help to generate the web.config sections, too.

Collapse
 
jmscavaleiro profile image
jmscavaleiro

Many thanks for this post.

Collapse
 
dotnetcoreblog profile image
Jamie

You're very welcome

Collapse
 
pavondunbar profile image
Pavon Dunbar

This is an amazing article and a definite eye-opener for me.

Thank you for sharing Jamie. Appreciate the content.

Pavon

Collapse
 
anduser96 profile image
Andrei Gatej

Great article. Thank you!

Collapse
 
mikedx profile image
Mike DX

"4000 sites where hit with this attack."

*were

Collapse
 
dotnetcoreblog profile image
Jamie

Doh! I always get that wrong.

Thanks, I'll amend the post