Security Best Practices for Web Applications

Introduction

Security is one of the most important areas we should consider while developing web applications. In practice there are many security vulnerabilities. Here we discuss the steps we need to take to avoid these vulnerabilities while developing web applications.

Below are the topics covered in this blog post.

  • Content Security Policy
  • Strict Transport Security
  • X-XSS-Protection
  • X-Content-Type-Options
  • X-Frame-Options

Let us look at each one in detail.

Content Security Policy

This is one of the most important security rules, and it is delivered via an HTTP header. The policy tells the browser to load content only from the allowed sources; content from any other source is denied. It helps prevent Cross-Site Scripting (XSS) and other code injection attacks. If this HTTP header is not added, the browser will load every script, stylesheet and other content on your web application, wherever it comes from.

How to Apply Content Security Policy?

Here we add the HTTP header in IIS. Open IIS Manager and go to HTTP Response Headers.

Add the HTTP header name as "Content-Security-Policy" and the value as default-src 'self' (the quotes around self must be straight single quotes; the browser does not recognise curly quotes).

You can also add the header inside the web.config file inside the <system.webServer> element.

<httpProtocol>
  <customHeaders>
    <add name="Content-Security-Policy" value="default-src 'self'" />
  </customHeaders>
</httpProtocol>

There are many more directives you can apply in the Content-Security-Policy header. You can learn about all of the available directives from OWASP.

Some Examples

Syntax and purpose:

  • Content-Security-Policy: default-src 'self'
    default-src is set to 'self', so every resource is loaded only from the current domain.
  • Content-Security-Policy: default-src 'self' *.domain.com
    default-src is set to 'self' plus the given subdomain pattern, so resources load from the current domain and from subdomains of domain.com.
  • Content-Security-Policy: default-src https:
    default-src is set to the https: scheme, so resources load from any domain, but only over HTTPS URLs.
  • Content-Security-Policy: script-src 'self' *.domain.com
    script-src is set to 'self' and the given subdomain pattern, so script resources load only from the current domain and from subdomains of domain.com.
  • Content-Security-Policy: script-src 'self' 'unsafe-inline' *.domain.com
    Same as above; 'unsafe-inline' additionally allows all scripts written inline to run. If it is not set, the page blocks all inline scripts.
  • Content-Security-Policy: upgrade-insecure-requests;
    Automatically converts every HTTP request in the web page to an HTTPS request. If a resource is not available over HTTPS, it fails to load. This saves changing each HTTP request to HTTPS by hand.
  • Content-Security-Policy: block-all-mixed-content;
    Prevents any content from loading over HTTP when the site is rendered over HTTPS. If the upgrade-insecure-requests directive is set before this one, this directive has no effect.
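To make the behaviour in the table concrete, here is a small Python evaluator, added as an example and not part of the original post or of IIS. It parses a policy string, falls back from script-src to default-src the way browsers do, and decides whether a resource from a given URL (or an inline script) is allowed. The page and resource URLs are constructed, and the simplified source matching ('self', a scheme such as https:, and host patterns like *.domain.com) is this example's own assumption; real browsers implement more source kinds than shown here.

```python
"""Evaluate a Content-Security-Policy header against a resource URL.

Added example, not code from the original post. Source matching is a
simplified subset of the CSP rules: 'self', 'none', 'unsafe-inline',
scheme sources (https:), host sources and *.host wildcards.
"""
from urllib.parse import urlsplit


def parse_csp(header):
    """Split a policy into {directive: [source expressions]}.

    Directives are separated by ';' and their tokens by whitespace, so
    "default-src 'self'; script-src *.domain.com" becomes two entries.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _host_matches(pattern, host):
    """'*' matches everything; '*.domain.com' matches subdomains only."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def source_allows(expr, page_url, resource_url):
    """Return True if one source expression permits resource_url."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    e = expr.lower()
    if e == "'self'":
        # Same origin: scheme, host and port must all match.
        return (page.scheme, page.hostname, page.port) == (res.scheme, res.hostname, res.port)
    if e.startswith("'"):
        # 'none', 'unsafe-inline' and other keywords never match a URL.
        return False
    if e.endswith(":"):
        # Scheme source such as https: allows any host over that scheme.
        return res.scheme == e[:-1]
    # Host source, optionally with an explicit scheme (https://cdn.example).
    scheme, _, rest = e.rpartition("://")
    if scheme:
        if res.scheme != scheme:
            return False
    elif res.scheme not in (page.scheme, "https"):
        # Without a scheme the page's scheme applies (https is always fine).
        return False
    host = rest.split("/")[0].split(":")[0]
    return _host_matches(host, res.hostname or "")


def allows(header, page_url, resource_url="", kind="script", inline=False):
    """Decide whether the policy lets a script/style load.

    kind selects script-src or style-src; when that directive is absent the
    browser falls back to default-src, and with neither present the policy
    does not restrict that resource type at all.
    """
    policy = parse_csp(header)
    sources = policy.get(kind + "-src", policy.get("default-src"))
    if sources is None:
        return True
    if inline:
        return "'unsafe-inline'" in [s.lower() for s in sources]
    return any(source_allows(s, page_url, resource_url) for s in sources)


if __name__ == "__main__":
    # Constructed sample: page on https://app.example, scripts from two places.
    policy = "default-src 'self'; script-src 'self' *.domain.com"
    for url in ("https://app.example/app.js", "https://cdn.domain.com/lib.js",
                "https://domain.com/lib.js", "http://cdn.domain.com/lib.js"):
        print(url, "->", "allowed" if allows(policy, "https://app.example", url) else "blocked")
```

Note that a policy written with curly quotes, as word processors often produce, does not match anything: the token ‘self’ is treated as an unknown host name, so even same-origin scripts are blocked. That is why the header value must use straight quotes.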

Strict Transport Security (HSTS)

HSTS – HTTP Strict Transport Security

This HTTP header tells the browser to access the website only over HTTPS and to refuse plain HTTP requests. Before applying this rule, make sure every page of your website is accessible over HTTPS; otherwise pages still requested over HTTP will break. The header is supported by the latest versions of all major browsers, including Firefox, Chrome, IE, Opera and Safari.

How to Apply Strict Transport Security Header?

Here we add the HTTP header in IIS. Open IIS Manager and go to HTTP Response Headers.

Add the HTTP header name as "Strict-Transport-Security" and the value as "max-age=31536000; includeSubDomains; preload".

Parameters and purpose:

  • max-age=expire-time
    Time in seconds for which the browser remembers that the site may only be accessed over HTTPS.
  • includeSubDomains
    Optional. If set, the rule is applied to all subdomains too.
  • preload
    Optional. Lets you submit your site to the HSTS preload list.

You can also add the header inside the web.config file inside the <system.webServer> element.

<httpProtocol>
  <customHeaders>
    <add name="Strict-Transport-Security" value="max-age=31536000; includeSubDomains; preload" />
  </customHeaders>
</httpProtocol>

X-XSS-Protection

This HTTP header can prevent Cross-Site Scripting attacks by stopping the page from loading when an attack is detected. Modern browsers detect this kind of attack automatically by default and stop the page from loading. This rule is useful for old browsers that do not support Content-Security-Policy.

How to Apply X-XSS-Protection Header?

Here we add the HTTP header in IIS. Open IIS Manager and go to HTTP Response Headers.

Add the HTTP header name as "X-XSS-Protection" and the value as "1; mode=block".

Parameters and purpose:

  • 0
    XSS filtering disabled.
  • 1
    XSS filtering enabled; the page is sanitised if an attack is detected.
  • 1; mode=block
    XSS filtering enabled; the page is prevented from rendering if an attack is detected.

You can also add the header inside the web.config file inside the <system.webServer> element.

<httpProtocol>
  <customHeaders>
    <add name="X-XSS-Protection" value="1; mode=block" />
  </customHeaders>
</httpProtocol>

X-Content-Type-Options

This HTTP header reduces the risk of MIME-sniffing attacks. It stops the browser from sniffing the content type of the resources loaded in the page and makes it honour the declared Content-Type instead.

Example:

  • A script tag references a file that the server sends with the content type "text/css" instead of "text/javascript". With this header set, the browser blocks the script from loading because the declared type does not match what a script element expects.

This type of sniffing is more commonly done with images: the file contains a piece of JavaScript code but is served and rendered as an image.

How to Apply X-Content-Type-Options Header?

Here we add the HTTP header in IIS. Open IIS Manager and go to HTTP Response Headers.

Add the HTTP header name as "X-Content-Type-Options" and the value as "nosniff".

You can also add the header inside the web.config file inside the <system.webServer> element.

<httpProtocol>
  <customHeaders>
    <add name="X-Content-Type-Options" value="nosniff" />
  </customHeaders>
</httpProtocol>

X-Frame-Options

This HTTP header reduces the risk of clickjacking on your site. Setting it instructs the browser not to render your website inside an iframe.

How to Apply X-Frame-Options Header?

Here we add the HTTP header in IIS. Open IIS Manager and go to HTTP Response Headers.

Add the HTTP header name as "X-Frame-Options" and the value as "DENY".

Parameters and purpose:

  • SAMEORIGIN
    Allow the page in an iframe only from the same domain.
  • ALLOW-FROM
    Allow the page in an iframe only from the given URL.
  • DENY
    Deny every domain from rendering your web page in an iframe.

You can also add the header inside the web.config file inside the <system.webServer> element.

<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="DENY" />
  </customHeaders>
</httpProtocol>

Summary

The security measures described above will reduce your website's vulnerability, block potential threats and help you build secure web applications. There are more measures than those discussed here, and even after applying all of the above you cannot say your site is 100 percent secure. You need to keep your security measures up to date.
