Web Application Security

From bibbleWiki
Revision as of 05:19, 4 July 2021 by Iwiseman (talk | contribs) (XSS and Storage)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Introduction

I wanted to create a page to make sure I am always covering issues with security. Some I would know off hand but useful for others when asked about

Resources

XSS and token storage
Express Article]
Securing Data in the Browser
Securing Data in the Browser 2
Avoiding XSS in React Apps
Avoiding XSS in Angular Apps

Current Approach

  • Use TLS
  • Implement Passport Strategy
  • Implement CSP
  • Implement Rate Limiting

Helmet

Helmet helps with

  • csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
  • hidePoweredBy removes the X-Powered-By header.
  • hsts sets Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
  • ieNoOpen sets X-Download-Options for IE8+.
  • noCache sets Cache-Control and Pragma headers to disable client-side caching.
  • noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
  • frameguard sets the X-Frame-Options header to provide clickjacking protection.
  • xssFilter sets X-XSS-Protection to disable the buggy Cross-site scripting (XSS) filter in web browsers.

XSS and Storage

In the link above the overview was

Step 1: don’t worry too much about storage...
Step 2: review your application for XSS vulnerabilities. Avoiding XSS is insanely hard and requires a thorough code review. Lear about your templating framework and how to avoid XSS. Learn how to use context-sensitive output encoding and sanitization correctly. Go through every line of code to ensure you do not have XSS vulnerabilities...
Step 3: deploy a defense-in-depth mechanism against XSS. Modern browsers support a variety of security mechanisms that can help you lock down your application...

Chrome and SameSite

With recent versions of Chrome there is a feature called SameSite which prevents cookies being passed to between apps. For passport where the implementation is on nodeJS this meant changing the COOKIE_OPTIONS 

exports.COOKIE_OPTIONS = {
  httpOnly: true,
  // Since localhost is not having https protocol,
  // secure cookies do not work correctly (in postman)
  secure: !dev,
  signed: true,
  maxAge: eval(process.env.REFRESH_TOKEN_EXPIRY) * 1000,
  // sameSite: "none",
  sameSite: "lax",
};

Passport

Good example of using express with React and JwT/MongoDb

Retrieved from "https://www.bibble.co.nz/mediawiki/index.php?title=Web_Application_Security&oldid=4997"