re: Three Steps For Increasing The Security of Your Web Apps VIEW POST

VIEW FULL DISCUSSION
 

Thank you for sharing this post! I really enjoy seeing people picking up this topic and sharing their ideas and thoughts.

You are bringing up CSP as a measure to prevent certain kinds of attacks, this is a very powerful but also a complex security feature. In my experience, if you do not start with a very strict CSP right from the beginning you will have a hard time adding it later to a production site without breaking anything.

I really like the way that Google explains all of it here:
developers.google.com/web/fundamen...
And the Owasp site is always a good starting point as well: owasp.org/index.php/Content_Securi...

There are a few more headers that already improve the basic security of any web app quite a bit and are easier, if not even trivial to implement.

The most important and notable ones are:

  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options

They are all quite good explained - again - on the OWASP site: owasp.org/index.php/OWASP_Secure_H...

@Jamie I think you did a great job on explaining all of this, thank you again.

code of conduct - report abuse