DEV Community

loading...
Cover image for Illustrated Notes on Web Security Essentials
egghead.io

Illustrated Notes on Web Security Essentials

maggieappleton profile image Maggie Appleton ・2 min read

Between IoT botnet attacks, Bitcoin ransomware, and the weekly cadence of high-profile data breaches, doing anything on the internet feels like playing Russian Roulette.

And that's just for normal people using it.

As a developer, you're partially responsible for protecting all those normal people from the horrors of whatever LulzSec are up to right now. The least you can do is make sure your website isn't an accessory to their nefarious activities.

So what does the current landscape of internet risk looks like. How, exactly, is LulzSec going to hack into my mainframe in 2020?

Here's my illustrated notes from Mike Sherov's egghead course on 'Web Security Essentials' that should give you a big picture overview of what to should look out for.

web-security-1

Turns out there's a small set of fairly well-known and easy to defend attacks that we can protect ourselves from:

  • Man in the Middle (MITM)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)

Shielding yourself from these three is a great starting point. It's at least enough to keep the script kiddies out.

web-security-2
web-security-6
web-security-7


web-security-3
web-security-4


web-security-5


Keeping out this trio of attacks will go a long way. Thankfully, you do not have to brave the black hat darkness alone.

Mike Sherov's course covers a whole range of ways to mitigate your risk and protect against them.

web-security-essentials-mitm-csrf-and-xss


👁‍🗨 If these are hard to read, you can download a free high-res PDF version on the course itself.
Dev.to limits image sizes a lot and it's hard to make it readable on here. Apologies!

Discussion

pic
Editor guide
Collapse
ricardo profile image
Ricardo Luz

These are fantastic tips, thanks for sharing this Maggie! build secure applications is especially hard in these days, I remember once I read an article that explained how it's possible to stole data using CSS since then I implemented a CSP in my website, and I keep an eye in the OWASP list as well, actually is almost impossible to keep the full security using external plugins etc.