Web Application Security: Difference between revisions
Revision as of 01:47, 30 June 2021
Introduction
I wanted to create a page to make sure I am always covering issues with security. Some I would know offhand, but this is useful for others when they are asked about them.
Resources
- XSS and token storage
- Express Article: https://expressjs.com/en/advanced/best-practice-security.html
- Securing Data in the Browser: https://browsersecrets.restograde.com/
Current Approach
- Use TLS
- Implement Passport Strategy
- Implement CSP
- Implement Rate Limiting
Helmet
Helmet helps with the following headers:
- csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
- hidePoweredBy removes the X-Powered-By header.
- hsts sets Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
- ieNoOpen sets X-Download-Options for IE8+.
- noCache sets Cache-Control and Pragma headers to disable client-side caching.
- noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
- frameguard sets the X-Frame-Options header to provide clickjacking protection.
- xssFilter sets X-XSS-Protection to disable the buggy Cross-site scripting (XSS) filter in web browsers.
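As an added illustration of what the Helmet list above and the "Implement Rate Limiting" item amount to on the wire, here is a dependency-free Express-style middleware pair (example code, not Helmet's or this page's own): one sets the listed headers, the other is a fixed-window rate limiter. The header values and the 429 handling are assumptions chosen for the example.

```javascript
// Added example (not Helmet's or the page's own code): Express-style
// (req, res, next) middleware that sets the headers listed above, plus a
// fixed-window rate limiter. No npm packages, so it runs stand-alone.
// Build a CSP value from a directives object: { 'default-src': ["'self'"] } -> "default-src 'self'".
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}
// Header set for csp, hsts, ieNoOpen, noCache, noSniff, frameguard, xssFilter (values are assumed defaults).
function securityHeaders(cspDirectives) {
  return {
    'Content-Security-Policy': buildCsp(cspDirectives),
    'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
    'X-Download-Options': 'noopen',
    'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
    'Pragma': 'no-cache',
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'SAMEORIGIN',
    'X-XSS-Protection': '0', // "0" turns the legacy browser XSS filter off
  };
}
// Middleware: drops X-Powered-By (hidePoweredBy) and sets the headers above.
function secureHeadersMiddleware(cspDirectives) {
  const headers = securityHeaders(cspDirectives);
  return function (req, res, next) {
    res.removeHeader('X-Powered-By');
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}
// Fixed-window limiter keyed by req.ip: at most `max` requests per `windowMs`.
function rateLimit({ windowMs, max }) {
  const hits = new Map(); // ip -> { count, resetAt }
  return function (req, res, next) {
    const now = Date.now();
    let entry = hits.get(req.ip);
    if (!entry || entry.resetAt <= now) {
      entry = { count: 0, resetAt: now + windowMs };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    if (entry.count > max) {
      res.statusCode = 429;
      res.setHeader('Retry-After', String(Math.ceil((entry.resetAt - now) / 1000)));
      return res.end('Too Many Requests');
    }
    next();
  };
}
```

In a real app, mount `app.use(secureHeadersMiddleware({...}))` and `app.use(rateLimit({...}))` before your routes; in production prefer the maintained helmet and express-rate-limit packages over this hand-rolled version.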