Web Application Security: Difference between revisions
Jump to navigation
Jump to search
| Line 7: | Line 7: | ||
<br> | <br> | ||
[https://browsersecrets.restograde.com/ Securing Data in the Browser] | [https://browsersecrets.restograde.com/ Securing Data in the Browser] | ||
<br> | |||
[https://pragmaticwebsecurity.com/files/cheatsheets/browsersecrets.pdf Securing Data in the Browser 2] | [https://pragmaticwebsecurity.com/files/cheatsheets/browsersecrets.pdf Securing Data in the Browser 2] | ||
<br> | <br> | ||
Revision as of 02:00, 30 June 2021
Introduction
I wanted to create a page to make sure I am always covering issues with security. Some I would know off hand but useful for others when asked about
Resources
XSS and token storage
Express Article]
Securing Data in the Browser
Securing Data in the Browser 2
Avoiding XSS in React Apps
Avoiding XSS in Angular Apps
Current Approach
- Use TLS
- Implement Passport Strategy
- Implement CSP
- Implement Rate Limiting
Helmet
Helmet helps with
- csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
- hidePoweredBy removes the X-Powered-By header.
- hsts sets Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
- ieNoOpen sets X-Download-Options for IE8+.
- noCache sets Cache-Control and Pragma headers to disable client-side caching.
- noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
- frameguard sets the X-Frame-Options header to provide clickjacking protection.
- xssFilter sets X-XSS-Protection to disable the buggy Cross-site scripting (XSS) filter in web browsers.