Security options for web applications
What are web applications?
Your website will very likely feature a number of so-called web applications. It’s software, normally accessible with any browser, through which a visitor can interact with the information on your website. Examples of a web application are online forms, shopping carts, file scanning, but also web-based email such as gmail, yahoo and hotmail; social media platforms and most content management systems.
What’s the security issue with web applications?
Because web applications are dynamic and interactive, they’re susceptible to misuse in the form of manipulation of data, unauthorised access or stealing of personal data. Common web application security issues include: - Cross-site scripting; an attack whereby malicious scripts are injected into otherwise benign and trusted websites (see: OWASP) - Clickjacking; an attack whereby a visitor is tricked to click a button or link to another malicious page (see: OWASP) - Man-in-the-middle or Man-in-the-browser attacks; a situation whereby connections between website and visitor are intercepted and manipulated (see: OWASP) - Session hijacking; a situation whereby the attacker gains auanithrosied access to the web server by stealing a legit session token. (see: OWASP)
What’s the solution?
To reduce the consequences of misuse of these web applications, websites should be configured with so-called HTTP response headers. These HTTP headers provide a response to the browser telling it what to do and what not to do.
What can you do?
To set up appropriate HTTP response headers for your website, you need some assistance from your web hosting provider.
.auCheck recommend including the following headers:
The x-frame-options HTTP response header can be used to avoid clickjacking and website content being embedded into other websites. Technical details for developers can be found from Mozilla. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
The x-content-type-options HTTP response header is a marker that indicates server to only follow content types that are pre-specified and don’t make any changes. This reduces the risk of MIME-type content sniffing. Technical details for developers can be found from Mozilla. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
The content-security-policy HTTP response header allows website administrators to control what a visitor is allowed to load. Policies mostly involve server origins and script endpoints. This helps prevent against cross-site-scripting attacks. Technical details for developers can be found from Mozilla. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
The referrer-policy HTTP response header controls how much information is passed from the user’s browser. This information could include their past browser history and personal data. A strict referrer policy helps you to prevent data from your users being unnecessary exposed. Technical details for developers can be found from Mozilla. https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
Further technical specifications
Guidance from the Australian government on protecting web applications and users can be found here
- Encryption & authenticity of web server
- Encryption & authenticity of email
- Protection against email phishing
- Security of website applications
- Security of domain name (DNSSEC)
- Adoption of Internet Protocol v6