| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: Web Security Basics |
| 4 | +--- |
| 5 | + |
| 6 | +At Gradeup, we organize weekly engineering sessions, where in our whole engineering team shares their experiences, rants about some technology or having a knowledge session over some topic. |
| 7 | + |
| 8 | +This week, the topic for our session was __Web Security Basics__ being organized by Prashant Chaudhary [@pc9](https://github.com/pc9). |
| 9 | + |
| 10 | +A brief summary of the talk is as follows |
| 11 | + |
| 12 | +## Security |
| 13 | + |
| 14 | +> Security - the elephant in the room |
| 15 | +> |
| 16 | +> --- Rising Stack Blog [Nodejs Security Checklist](https://blog.risingstack.com/node-js-security-checklist/) |
| 17 | +
|
| 18 | +### Security HTTP Headers |
| 19 | + |
| 20 | +There are a few security related HTTP headers, that we should set on a web application. |
| 21 | + |
| 22 | +##### Strict-Transport-Security |
| 23 | + |
| 24 | +It is a response header, abbreviated as HSTS, which tells the browser to communicate over HTTPS connections with the web server instead of using insecure HTTP connections. |
| 25 | + |
| 26 | +##### X-Frame-Options |
| 27 | + |
| 28 | +It is a response header, set by the domain from which the resource is being requested, which indicates the browser whether or not to render a web page in a frame, iframe or object. This helps in avoiding clickjacking attacks. |
| 29 | + |
| 30 | +##### X-XSS-Protection |
| 31 | + |
| 32 | +It is a feature of browser that stops websites from loading if they detect some cross side scripting attacks(XSS). |
| 33 | + |
| 34 | +##### X-Content-Type-Options |
| 35 | + |
| 36 | +It is a response header which indicates to the browser to strictly adhere to the [MIME type](https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types) specified in the [Content-Type](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type) header. To achieve this behavior, it is set to `nosniff` like |
| 37 | + |
| 38 | +``` |
| 39 | +X-Content-Type-Options: nosniff |
| 40 | +``` |
| 41 | + |
| 42 | +It is used for reducing MIME type security risks and prevents the browser from doing MIME-type sniffing. |
| 43 | + |
| 44 | +##### Content-Security-Policy |
| 45 | + |
| 46 | +It is a response headers, which is used for defining policies from where resources like media content, images, etc. can be loaded |
| 47 | + |
| 48 | + |
| 49 | +### Web Security Attacks |
| 50 | + |
| 51 | +##### ClickJacking |
| 52 | + |
| 53 | +ClickJacking is a malicious technique which hijacks the clicks of a user on a website. It translates a user to click on to something malicious thereby sharing confidential information details he is not even aware of. The malicious code is generally hidden beneath legitimate buttons or other click-able content on a website. It is also known as User Interface redress attack. |
| 54 | + |
| 55 | +The most common way to prevent this attack is by setting `X-Frame-Options` or `Content-Security-Policy` headers |
| 56 | + |
| 57 | +##### Cross Side Scripting (XSS) |
| 58 | + |
| 59 | +This attack is meant to inject client side script code into web-pages, thus giving unauthorized access to attackers of user cookies, session tokens, or other sensitive information retained by the browser. |
| 60 | + |
| 61 | +It can be prevented by following: |
| 62 | + |
| 63 | +* Properly sanitizing and escaping data collected from user |
| 64 | + |
| 65 | +* Proper escaping html characters before displaying any sensitive data to user |
| 66 | + |
| 67 | +##### Cross Site Request Forgery (CSRF) Attack |
| 68 | + |
| 69 | +CSRF or XSRF is an attack which tricks a browser to perform an unwanted action in an application in a valid user session. It generally targets state changing requests. |
| 70 | + |
| 71 | +It can be prevented by using the following: |
| 72 | + |
| 73 | +* CSRF tokens, which are web server generated tokens unique to every session and every request. |
| 74 | + |
| 75 | +* Same site cookies, cookies which are secure, HTTP only and sent to the same site. |
| 76 | + |
| 77 | +##### Distributed Denial of Service (DDOS) Attack |
| 78 | + |
| 79 | +A DDOS attack is an attempt to make a web application unavailable by overloading it with traffic from multiple comprised sources. The incoming traffic flooding the victim originates from many different sources, thereby making it difficult to stop the attack simply by blocking the IP. Moreover it is difficult to distinguish between the genuine and attack traffic. |
| 80 | + |
| 81 | +It can be prevented by using a Third Party Provider DNS or System Hardening. |
| 82 | + |
| 83 | +##### References |
| 84 | + |
| 85 | +[MDN](https://developer.mozilla.org/en-US/) |
| 86 | + |
| 87 | +[OWASP](https://www.owasp.org/index.php/Main_Page) |
| 88 | + |
| 89 | +[Stack Overflow](https://stackoverflow.com) |
| 90 | + |
| 91 | +[Wikipedia](https://en.wikipedia.org) |
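Review bot: the X-XSS-Protection entry describes "a feature of browser that stops websites from loading" rather than the response header the section heading promises; suggest stating that it is a response header that enables the browser's built-in reflected-XSS filter (for example `X-XSS-Protection: 1; mode=block`), with the caveat that most current browsers have removed that filter, so Content-Security-Policy and proper output escaping are the mitigations to rely on. The CSRF item "Same site cookies, cookies which are secure, HTTP only and sent to the same site" conflates three separate cookie attributes: `SameSite` is what restricts cross-site sending, while `Secure` and `HttpOnly` address transport and script access, so list them as distinct flags. Spelling: the heading "Cross Side Scripting (XSS)" should read "Cross Site Scripting", and "multiple comprised sources" in the DDOS paragraph should be "compromised". Minor: "It is a response headers" under Content-Security-Policy should be singular, and the DDOS mitigation sentence should say what "Third Party Provider DNS" refers to (a CDN or DDoS-protection provider placed in front of the origin) instead of leaving it as a bare label.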