Security options for web applications

What are web applications?

Your website will very likely feature a number of so-called web applications. It’s software, normally accessible with any browser, through which a visitor can interact with the information on your website. Examples of a web application are online forms, shopping carts, file scanning, but also web-based email such as gmail, yahoo and hotmail; social media platforms and most content management systems.

What’s the security issue with web applications?

Because web applications are dynamic and interactive, they’re susceptible to misuse in the form of manipulation of data, unauthorised access or theft of personal data. Common web application security issues include:

- Cross-site scripting; an attack whereby malicious scripts are injected into otherwise benign and trusted websites (see: OWASP)
- Clickjacking; an attack whereby a visitor is tricked into clicking a button or link that leads to another, malicious page (see: OWASP)
- Man-in-the-middle or Man-in-the-browser attacks; a situation whereby connections between website and visitor are intercepted and manipulated (see: OWASP)
- Session hijacking; a situation whereby the attacker gains unauthorised access to the web server by stealing a legitimate session token (see: OWASP)

What’s the solution?

To reduce the consequences of misuse of these web applications, websites should be configured to send so-called HTTP response headers. These headers are sent by the web server along with each response and tell the visitor’s browser what it may and may not do with the content.

What can you do?

To set up appropriate HTTP response headers for your website, you need some assistance from your web hosting provider.

.auCheck recommends including the following headers:

X-frame-options

The x-frame-options HTTP response header is used to prevent clickjacking by stopping your website’s content from being embedded (framed) in other websites. Technical details for developers can be found from Mozilla. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

X-content-type-options

The x-content-type-options HTTP response header is a marker that tells the browser to use only the content type the server declares and not to second-guess it. This reduces the risk of MIME-type content sniffing, where a browser treats a file as a different type (for example, as a script) from the one declared. Technical details for developers can be found from Mozilla. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options

Content-security-policy

The content-security-policy HTTP response header allows website administrators to control what a visitor’s browser is allowed to load on the page. Policies mostly involve server origins and script endpoints. This helps prevent cross-site scripting attacks. Technical details for developers can be found from Mozilla. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Referrer-policy

The referrer-policy HTTP response header controls how much information about the page a visitor came from is passed on by the user’s browser when they follow a link or load a resource. This information could include their past browser history and personal data. A strict referrer policy helps you prevent data about your users from being unnecessarily exposed. Technical details for developers can be found from Mozilla. https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns
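To see whether a site actually sends the four headers above, here is an added example (not .auCheck’s own tool) that parses the header block of an HTTP response and reports each recommended header as ok, weak or missing. The acceptable values it checks for are taken from the Mozilla pages linked above; the sample response is constructed for illustration.

```python
# Added example, not .auCheck's own code: audit the four recommended headers.

def _xfo_ok(v):
    return v.strip().upper() in ("DENY", "SAMEORIGIN")

def _xcto_ok(v):
    return v.strip().lower() == "nosniff"

def _csp_ok(v):
    # Minimum bar: a default-src or script-src directive must be present.
    names = {d.strip().split()[0].lower() for d in v.split(";") if d.strip()}
    return bool(names & {"default-src", "script-src"})

def _referrer_ok(v):
    strict = {"no-referrer", "same-origin", "strict-origin",
              "strict-origin-when-cross-origin"}
    # Comma-separated values are fallbacks; the last one is the preferred policy.
    tokens = [t.strip().lower() for t in v.split(",") if t.strip()]
    return bool(tokens) and tokens[-1] in strict

CHECKS = {
    "x-frame-options": _xfo_ok,
    "x-content-type-options": _xcto_ok,
    "content-security-policy": _csp_ok,
    "referrer-policy": _referrer_ok,
}

def parse_headers(raw):
    """Parse a response header block into {lowercase-name: value}."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return {header: 'ok' | 'weak' | 'missing'} for each recommended header."""
    headers = parse_headers(raw)
    return {name: "missing" if name not in headers
            else "ok" if ok(headers[name]) else "weak"
            for name, ok in CHECKS.items()}

# Constructed sample: one header set to a value browsers ignore, two absent.
SAMPLE = """HTTP/1.1 200 OK
X-Frame-Options: ALLOWALL
Referrer-Policy: strict-origin-when-cross-origin
"""
```

Run `audit(SAMPLE)` to get the report; to check a live site, paste the header block returned by your browser’s developer tools or a `curl -I` request into `audit()`.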

Further technical specifications

Guidance from the Australian government on protecting web applications and users can be found here