Web App Security

Being a Full Stack Developer is enormously rewarding and gives us a lot to think about. We keep thinking about the speed of the website, improvements to the UX and, most of the time, about the security of the website. Your website is your brand, your storefront, and often your first contact with customers. If it is not safe and secure, those critical business relationships can be compromised. The threats come in many forms: infecting a website with malware in order to spread that malware to site visitors, stealing customer information such as names and email addresses, stealing credit card and other transaction information, adding the website to a botnet of infected sites, and even hijacking or crashing the site.

In 2016–17, over 4.2 billion personal data records were compromised and leaked. There were 94 reported incidents that each exposed at least one million records, and 37 incidents exposing ten million or more records. Compared with 2015, this marks an increase of 63% and 105%, respectively.

This data comes from Risk Based Security’s end-of-year 2016 report.

Let’s jump in and take a look at some important security vulnerabilities and best practices to avoid them:

HTTPS vs HTTP

HTTPS, also called HTTP over Transport Layer Security (TLS), provides authentication of the website and the web server one is communicating with, which protects against man-in-the-middle attacks.

In the early days, buying a certificate from a Certificate Authority meant spending hundreds of dollars and going through a complex setup process. Now, certificates are not only much easier to set up, but also much cheaper, i.e. free of charge.

A couple of years back, a service called Let’s Encrypt launched as a new Certificate Authority that issues SSL/TLS certificates free of charge. Let’s Encrypt is part of the Linux Foundation and backed by major companies such as Google, Facebook, Cisco and Mozilla.

Cross Site Scripting and Forgery Protection

XSS attacks allow an attacker to inject client-side scripts into the browsers of other users. This is usually achieved either by storing the malicious script in the database, from where it is retrieved and displayed to other users, or by getting users to click a link that causes the attacker’s JavaScript to be executed by the user’s browser. CSRF attacks, by contrast, allow a malicious user to execute actions using the credentials of another user without that user’s knowledge or consent.

For example, if you use Django, its templates escape specific characters which are particularly dangerous in HTML. While this protects users from most malicious input, it is not entirely foolproof: escaping only covers the HTML text and attribute contexts, and the same characters are not the dangerous ones in every context.
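To make the "not entirely foolproof" point concrete, here is an added example (my own code, not Django's): a small escaper that converts the same five characters Django's autoescaping does, used in a text context where that is enough, and in a URL context where it is not, because a dangerous scheme contains none of those characters and passes through escaping unchanged. The helper names, the allowlist and the sample inputs are all constructed for this example.

```python
import html
from urllib.parse import urlsplit

# Hypothetical helpers written for this example. They mirror what Django's
# template autoescaping does (< > & " and ' become entities) but are not
# Django's own code.


def escape_html(value):
    """Entity-encode the characters that are dangerous inside HTML text
    and inside quoted attribute values."""
    return html.escape(str(value), quote=True)


def render_comment(comment):
    """Text context: escaping alone is sufficient here."""
    return "<p>" + escape_html(comment) + "</p>"


# Constructed allowlist: only web schemes, plus "" for relative links.
ALLOWED_SCHEMES = {"http", "https", ""}


def safe_href(url):
    """URL context: escaping does not change the scheme, so the scheme has
    to be checked against an allowlist before the value is used at all.
    Returns the escaped URL, or None if the scheme is not allowed."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None
    return escape_html(url)


def render_link(url, label):
    """Emit an anchor; refuse to carry over a URL whose scheme failed the check."""
    href = safe_href(url)
    if href is None:
        href = "#"
    return '<a href="%s">%s</a>' % (href, escape_html(label))


if __name__ == "__main__":
    # Constructed sample inputs.
    print(render_comment('<script>alert(1)</script>'))   # rendered inert as text
    print(render_link("https://example.com/profile", "profile"))
    print(render_link("javascript:alert(1)", "profile"))  # scheme rejected, href becomes "#"
```

The lesson is that escaping is context-specific: the same `escape_html` that neutralises a comment does nothing to a `javascript:` scheme in an `href`, so a value that ends up in a URL, a `<script>` block or an unquoted attribute needs its own validation on top of template escaping.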

Django has built-in protection against most types of CSRF attacks, provided you have enabled it and used it where appropriate.

When deployed with HTTPS, CsrfViewMiddleware checks that the HTTP Referer header is set to a URL on the same origin (including subdomain and port). Because HTTPS provides this additional protection, it is imperative to ensure connections use HTTPS wherever it is available, by redirecting insecure connection requests and using HSTS for supported browsers.
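The checks described above, as an added example written for this post rather than taken from Django: a simplified model of the middleware that skips safe methods, requires a same-origin HTTPS Referer on secure requests, and then compares the cookie token with the submitted token in constant time. It also shows the two deployment pieces mentioned, an HTTP-to-HTTPS redirect and an HSTS header. The request is a plain dict and the function names are hypothetical; Django's real middleware has more configuration (trusted origins, cookie domains) than this.

```python
import hmac
from urllib.parse import urlsplit, urlunsplit

# Methods that must never change state and therefore need no CSRF check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def same_origin(referer, expected_host):
    """True if the Referer is an https URL whose host:port equals the
    host:port the request was made to (subdomain and port included)."""
    parts = urlsplit(referer)
    if parts.scheme != "https" or not parts.netloc:
        return False
    return parts.netloc.lower() == expected_host.lower()


def check_csrf(request):
    """Return None if the request may proceed, otherwise a rejection reason.
    `request` is a constructed dict with keys method, is_secure, host,
    headers, cookie_token and form_token (hypothetical shape for this example)."""
    if request["method"] in SAFE_METHODS:
        return None
    if request["is_secure"]:
        referer = request["headers"].get("Referer")
        if referer is None:
            return "missing Referer on HTTPS request"
        if not same_origin(referer, request["host"]):
            return "Referer is not same-origin"
    cookie_token = request.get("cookie_token") or ""
    form_token = request.get("form_token") or ""
    # compare_digest avoids leaking how many leading characters matched.
    if not cookie_token or not hmac.compare_digest(cookie_token, form_token):
        return "CSRF token missing or incorrect"
    return None


def redirect_to_https(url):
    """Location for redirecting a plain-HTTP request; None if already HTTPS."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return None
    return urlunsplit(("https",) + tuple(parts[1:]))


def hsts_headers(max_age=31536000):
    """Response header telling supporting browsers to use HTTPS only
    for this host (and its subdomains) for max_age seconds."""
    return {"Strict-Transport-Security": "max-age=%d; includeSubDomains" % max_age}


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical host.
    post = {"method": "POST", "is_secure": True, "host": "shop.example.com",
            "headers": {"Referer": "https://shop.example.com/cart"},
            "cookie_token": "abc123", "form_token": "abc123"}
    print(check_csrf(post))                                    # None
    print(check_csrf(dict(post, headers={"Referer": "https://other.example.net/"})))
    print(redirect_to_https("http://shop.example.com/cart?x=1"))
    print(hsts_headers())
```

Note that the Referer check only helps on HTTPS because on plain HTTP the header is trivially forged or stripped on the wire, which is exactly why the post ties CSRF protection to HTTPS, redirects and HSTS.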

SQL injection protection

SQL injection is a type of attack in which a malicious user is able to execute arbitrary SQL code on a database. This can result in records being deleted or data being leaked.

By using Django’s querysets, the resulting SQL is properly escaped by the underlying database driver. However, Django also gives developers the power to write raw queries or execute custom SQL, and there the responsibility for passing user input as parameters rather than pasting it into the query text falls on the developer.

Logging & Log Analysis

Log analysis provides insight into security threats and traffic behaviour.

In-depth analysis of security logs provides critical network intelligence about attempts to breach security and about attacks such as viruses, trojans, denial of service, etc. These network security threats pose a grave risk to the critical resources in the network. From the security log reports produced by firewall analysis, you will be able to visualise the network threat scenario and plan your strategy to protect against those threats.
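To show what "analysis of the security logs" looks like in practice, here is an added example (written for this post, not taken from any firewall product): it parses a handful of constructed firewall lines in a made-up key=value format, aggregates denied connections per source address, and flags sources that either hit a deny threshold or probe many distinct ports. The log format, thresholds, IP addresses (from the documentation ranges) and function names are all assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical firewall format.
LOG_LINES = [
    "2017-03-01T10:00:01Z DENY src=203.0.113.5 dst=10.0.0.2 dport=21 proto=tcp",
    "2017-03-01T10:00:02Z DENY src=203.0.113.5 dst=10.0.0.2 dport=22 proto=tcp",
    "2017-03-01T10:00:03Z DENY src=203.0.113.5 dst=10.0.0.2 dport=23 proto=tcp",
    "2017-03-01T10:00:04Z DENY src=203.0.113.5 dst=10.0.0.2 dport=25 proto=tcp",
    "2017-03-01T10:00:05Z DENY src=203.0.113.5 dst=10.0.0.2 dport=80 proto=tcp",
    "2017-03-01T10:00:06Z DENY src=203.0.113.5 dst=10.0.0.2 dport=443 proto=tcp",
    "2017-03-01T10:00:08Z ALLOW src=198.51.100.7 dst=10.0.0.2 dport=443 proto=tcp",
    "2017-03-01T10:00:09Z ALLOW src=198.51.100.7 dst=10.0.0.2 dport=443 proto=tcp",
    "2017-03-01T10:00:10Z DENY src=198.51.100.7 dst=10.0.0.2 dport=8080 proto=tcp",
    "this line is deliberately malformed and must be skipped",
] + [
    "2017-03-01T10:01:%02dZ DENY src=203.0.113.9 dst=10.0.0.3 dport=22 proto=tcp" % i
    for i in range(6)
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict of fields, or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def summarize(lines):
    """Per source address: how many ALLOW and DENY events, and which
    destination ports were denied (the set that indicates a port sweep)."""
    summary = defaultdict(lambda: {"allow": 0, "deny": 0, "ports": set()})
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # unparseable lines are skipped, not silently counted
        entry = summary[event["src"]]
        if event["action"] == "DENY":
            entry["deny"] += 1
            entry["ports"].add(event["dport"])
        else:
            entry["allow"] += 1
    return dict(summary)


def flag_sources(summary, deny_threshold=5, port_threshold=5):
    """Map each suspicious source to the list of reasons it was flagged."""
    flags = {}
    for src, entry in summary.items():
        reasons = []
        if entry["deny"] >= deny_threshold:
            reasons.append("repeated denies")
        if len(entry["ports"]) >= port_threshold:
            reasons.append("many distinct ports")
        if reasons:
            flags[src] = reasons
    return flags


if __name__ == "__main__":
    for src, reasons in sorted(flag_sources(summarize(LOG_LINES)).items()):
        print(src, ", ".join(reasons))
```

The two thresholds separate two different stories: one source hammering a single port (a brute-force pattern) and one touching many ports (reconnaissance). Real firewall logs are far noisier, so in practice these counts would be computed per time window and compared against a baseline of normal traffic.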

Conclusion

My intention with this article is to keep it simple with a focus on the basics. Keeping your website safe is important not only for yourself, but also for your clients. Just make sure to leave some time open for security, to protect all the hard work you’ve invested! Do you have any other ideas on how to secure a website? Do you have any interesting stories to tell? Leave a comment below and join the conversation.