Web Application Security

From bibbleWiki
Jump to navigation Jump to search

Introduction

I wanted to create a page to make sure I am always covering issues with security. Some I would know off hand but useful for others when asked about

Resources

XSS and token storage
Express Article]

Current Approach

  • Use TLS
  • Implement Passport Strategy
  • Implement CSP
  • Implement Rate Limiting

Helmet

Helmet helps with

  • csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
  • hidePoweredBy removes the X-Powered-By header.
  • hsts sets Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
  • ieNoOpen sets X-Download-Options for IE8+.
  • noCache sets Cache-Control and Pragma headers to disable client-side caching.
  • noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
  • frameguard sets the X-Frame-Options header to provide clickjacking protection.
  • xssFilter sets X-XSS-Protection to disable the buggy Cross-site scripting (XSS) filter in web browsers.
Retrieved from "https://www.bibble.co.nz/mediawiki/index.php?title=Web_Application_Security&oldid=4972"