After BA Hack, We Need To Improve Web Security
How can it happen that hundreds of thousands of people could have had their credit card details breached? The word is that it was due to a compromise in the Web/app code. This should not happen at this scale. Recently the Web pages of the ICO were found to be running crypto-mining software, after a third-party JavaScript application had been breached.
So how does a company overcome the risk of cross-site scripting or certificate hijacking on its Web sites? … Implement CSP and X-headers. Luckily Scott Helme provides a Web site which scans for CSP and X-headers, and ba.com gets a D grade:
Improving Web security
Overall the Web relies on a same-origin policy, where script loaded from one origin is only permitted to access data within that origin, so each origin is isolated from the others. Unfortunately, this is overly restrictive for developers, and attackers have found simple tricks to inject malicious code from other domains. Many media sites, too, use content and scripts from other sites and would struggle with a policy that restricted them to their own site.
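As an added example (not code from the original post, nor from Scott Helme's scanner), the following Python audits a set of response headers for the CSP and X-header weaknesses discussed above, putting a weak policy beside a hardened one. The header values, cdn.example.com and the nonce are constructed placeholders, and the checks are the common ones (wildcards, 'unsafe-inline' without a nonce or hash, open object-src, missing base-uri) rather than a full scanner.

```python
# Audit response headers for the CSP and X-header weaknesses that let injected or
# compromised third-party scripts run. Sample header sets below are constructed.
EXPECTED_HEADERS = ("strict-transport-security", "x-frame-options",
                    "x-content-type-options", "referrer-policy")

def parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def effective_sources(policy, directive):
    """CSP fallback: a missing fetch directive inherits default-src (None if neither set)."""
    return policy.get(directive, policy.get("default-src"))

def audit_headers(headers):
    """Return a list of findings; an empty list means nothing weak was found."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in EXPECTED_HEADERS if name not in h]
    if "content-security-policy" not in h:
        return findings + ["missing content-security-policy"]
    policy = parse_csp(h["content-security-policy"])
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} unrestricted: no directive and no default-src")
        elif "*" in sources:
            findings.append(f"{directive} allows wildcard source '*'")
    scripts = effective_sources(policy, "script-src") or []
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts)
    if "'unsafe-inline'" in scripts and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline' without nonce/hash")
    if "'unsafe-eval'" in scripts:
        findings.append("script-src allows 'unsafe-eval'")
    if effective_sources(policy, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none'")
    if "base-uri" not in policy:
        findings.append("missing base-uri directive")
    return findings

# A weak header set of the kind that earns a low grade, beside a hardened one
# (both constructed; cdn.example.com and the nonce value are placeholders).
WEAK = {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
        "X-Frame-Options": "SAMEORIGIN"}
HARDENED = {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' "
            "https://cdn.example.com; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "no-referrer"}
```

Running `audit_headers(WEAK)` lists the wildcard, inline and eval findings plus the missing headers, while `audit_headers(HARDENED)` returns an empty list.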