Web Security 01 — Prepare

Brian Shen
2 min read · Apr 17, 2020


1. Intro

In this series, I will talk about web security problems and how to prevent them. Security is becoming more and more important, especially in a world where everyone is surfing the internet and any programmer can expose a service easily. It seems that many of the websites we visit and services we use are not secure enough. But since we enjoy the free services, we sometimes think that sacrificing a little privacy and security is acceptable. A quite strange era.

However, whether those services are safe or not, when we ourselves provide a service to our customers, free or commercial, I think we should always try to protect clients' information and try to guarantee them a safe digital world. It may cost a lot of time, but it is worth it.

2. Prepare a demo environment

In order to provide some examples, I will assume that I provide some services to my customers. Here is the situation: we will create a blog system with a points sub-system in it. Every registered user starts with 200 points, and publishing blogs or making comments is rewarded with additional points.

Those points can be transferred to other users. So let's use Express to host such a website. To keep the example simple enough, we won't use any database here; all we need to do is store the user information in a JSON file. By default, there are 2 users: user01/user01

Four main services are provided:

  • register /api/addUser (assume only the admin can call it)
  • login /api/login
  • get points /api/getPoints
  • transfer points /api/transferPoints (through the GET method)

The UI is based on pure HTML and simple jQuery, whereas the backend is based on Node.js powered by Express.js.

Here is the result:

Now our preparation has been done!

For detailed code: (https://github.com/brianshen1990/WebSecurity/tree/Prepare)

Backend:

Frontend HTML:

Frontend JS:

