Web security
HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is HTTP (Hypertext Transfer Protocol) carried over TLS (Transport Layer Security). Its predecessor SSL (Secure Sockets Layer) is deprecated and should no longer be enabled. TLS encrypts and integrity-protects all traffic between the client and the server, so an attacker on the network can neither read nor silently modify it, and the server's certificate lets the client verify that it is talking to the intended host rather than an impostor.
Content Security Policy
Content Security Policy (CSP) is an added layer of security. Its primary goal is to mitigate and report cross-site scripting (XSS) attacks. XSS is an attack in which malicious client-side code is injected into a website and then executed in the victim's browser with the site's privileges. A policy is normally delivered in the Content-Security-Policy response header; a <meta> element can be used instead when the response headers cannot be set, with the caveat that some directives (for example frame-ancestors and report-uri) are ignored in the <meta> form.
Example (only the page's own origin may serve resources, except images, which may come from any https: host; nested browsing contexts and workers are forbidden):
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
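To make the behaviour of a policy like the one above concrete, here is an added example (not code from the original page) that evaluates a CSP string the way a browser roughly would: which directive governs a given load, how fetch directives fall back to default-src (and frame-src to child-src), and how 'self', 'none', scheme-only and wildcard-host sources match. It is a deliberately simplified model: nonces, hashes, path matching and 'strict-dynamic' are not implemented. The policy, page origin and resource URLs are constructed for the example.

```javascript
// Added example: a simplified evaluator for CSP source lists.

// Parse "default-src 'self'; img-src https://*" into a name -> source list map.
// A directive that appears twice is ignored the second time, as the spec requires.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) {
      directives[name.toLowerCase()] = values;
    }
  }
  return directives;
}

// Fetch directives fall back to default-src, except these (CSP3 rules).
const FALLBACK = {
  "frame-src": ["child-src", "default-src"],
  "worker-src": ["child-src", "script-src", "default-src"],
};

// The source list that governs `directive`, or null if the policy says nothing about it.
function effectiveSources(directives, directive) {
  const chain = [directive, ...(FALLBACK[directive] || ["default-src"])];
  for (const name of chain) {
    if (name in directives) return directives[name];
  }
  return null;
}

const DEFAULT_PORT = { "https:": "443", "http:": "80", "ws:": "80", "wss:": "443" };

// Does one source expression permit loading `resourceUrl` into a page at `pageOrigin`?
function sourceMatches(expr, resourceUrl, pageOrigin) {
  const res = new URL(resourceUrl);
  const page = new URL(pageOrigin);
  if (expr === "'none'") return false;
  if (expr === "'self'") return res.origin === page.origin;
  if (expr.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (expr === "*") return res.protocol !== "data:" && res.protocol !== "blob:";
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return res.protocol === expr.toLowerCase(); // e.g. "https:"

  // host-source: [scheme://]host[:port][/path]; host may be "*" or "*.example.com"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[^/:*]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    const want = scheme.toLowerCase() + ":";
    // A policy scheme of http: also allows https:, the upgrade the spec permits.
    if (res.protocol !== want && !(want === "http:" && res.protocol === "https:")) return false;
  } else if (res.protocol !== page.protocol && res.protocol !== "https:") {
    return false; // no scheme given: same scheme as the page, or https
  }
  const h = host.toLowerCase();
  if (h.startsWith("*.")) {
    // *.example.com matches a.example.com but not example.com itself
    if (!res.hostname.endsWith(h.slice(1))) return false;
  } else if (h !== "*" && res.hostname !== h) {
    return false;
  }
  const resPort = res.port || DEFAULT_PORT[res.protocol] || "";
  if (port && port !== "*" && resPort !== port) return false;
  return true;
}

// Is a load governed by `directive` (e.g. "script-src") allowed under `policy`?
function isAllowed(policy, directive, resourceUrl, pageOrigin) {
  const sources = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return true; // nothing in the policy restricts it
  return sources.some((expr) => sourceMatches(expr, resourceUrl, pageOrigin));
}

// Would an inline <script> run? Only with 'unsafe-inline' (nonces and hashes ignored here).
// This is the XSS-relevant check: a policy with only 'self' blocks injected inline scripts.
function inlineScriptAllowed(policy) {
  const sources = effectiveSources(parseCsp(policy), "script-src");
  return sources === null || sources.includes("'unsafe-inline'");
}

// Constructed inputs: the policy from the <meta> example, evaluated for a page at https://app.example
const POLICY = "default-src 'self'; img-src https://*; child-src 'none'";
const PAGE = "https://app.example";
console.log("own script:", isAllowed(POLICY, "script-src", "https://app.example/main.js", PAGE));
console.log("foreign script:", isAllowed(POLICY, "script-src", "https://evil.example/x.js", PAGE));
console.log("http image:", isAllowed(POLICY, "img-src", "http://cdn.other.example/pic.png", PAGE));
console.log("iframe:", isAllowed(POLICY, "frame-src", "https://app.example/embed", PAGE));
console.log("inline script:", inlineScriptAllowed(POLICY));
```

Two points the run makes visible: the iframe is refused even though it is same-origin, because frame-src falls back to child-src 'none' before it reaches default-src, and inline scripts are refused because nothing in the policy says 'unsafe-inline', which is exactly what makes a reflected XSS payload inert.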
CORS (cross-origin resource sharing)
A request for a resource (such as an image, a font or an API response) from an origin other than the page's own (scheme, host and port) is known as a cross-origin request. The browser's same-origin policy lets a page send many such requests but blocks it from reading the response unless the server opts in with CORS response headers, chiefly Access-Control-Allow-Origin. For requests that are not "simple" (for example a PUT, a JSON body or a custom header), the browser first sends an OPTIONS preflight and only proceeds if the server permits the requested method and headers.
How the response headers are set depends on the language and framework of the backend, but the rules are the same everywhere: echo only allowlisted origins, never combine a wildcard origin with Access-Control-Allow-Credentials, and send Vary: Origin so a cache does not replay one origin's allow to another.
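As an added example (not code from the original page), here is that server-side decision logic written as a pure, framework-agnostic function so it can be unit tested without a web server. The allowlist, the option defaults and the request objects are constructed for the example; `req` mimics the shape of Node's IncomingMessage (lower-case header names). The function name `corsHeaders` and the return shape `{ status, headers }` are this example's own conventions.

```javascript
// Added example: CORS response-header computation with allowlist, credentials and preflight.

// Constructed allowlist of origins permitted to read responses from this API.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

const DEFAULTS = {
  allowCredentials: true,                          // cookies / Authorization may accompany the request
  allowedMethods: ["GET", "POST", "PUT", "DELETE"],
  allowedHeaders: ["Content-Type", "Authorization"],
  maxAgeSeconds: 600,                              // how long the browser may cache a preflight result
};

// Returns { status, headers }. status 204 or 403 means the request was a preflight
// that this function answered completely; null means "merge headers into the normal response".
function corsHeaders(req, options = {}) {
  const opts = { ...DEFAULTS, ...options };
  const origin = req.headers["origin"];

  // No Origin header: same-origin navigation or a non-browser client. Nothing to add.
  if (!origin) return { status: null, headers: {} };

  // Every response that depends on Origin must say so, or a shared cache could
  // serve app.example.com's allow to a request made from another origin.
  const headers = { Vary: "Origin" };

  const isPreflight = req.method === "OPTIONS" && "access-control-request-method" in req.headers;

  if (!ALLOWED_ORIGINS.has(origin)) {
    // Not on the allowlist: send no Access-Control-Allow-Origin at all. The browser then
    // refuses to expose the response to the page, and a preflight gets an explicit 403.
    return { status: isPreflight ? 403 : null, headers };
  }

  // Echo the specific origin. With credentials, "*" is not an option: browsers reject
  // Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true.
  headers["Access-Control-Allow-Origin"] = origin;
  if (opts.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  if (isPreflight) {
    const method = req.headers["access-control-request-method"];
    const requested = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const allowedLower = opts.allowedHeaders.map((h) => h.toLowerCase());
    const permitted = opts.allowedMethods.includes(method) && requested.every((h) => allowedLower.includes(h));
    if (!permitted) return { status: 403, headers: { Vary: "Origin" } };
    headers["Access-Control-Allow-Methods"] = opts.allowedMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = opts.allowedHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(opts.maxAgeSeconds);
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// Constructed requests showing the three cases: allowed origin, foreign origin, preflight.
console.log(corsHeaders({ method: "GET", headers: { origin: "https://app.example.com" } }));
console.log(corsHeaders({ method: "GET", headers: { origin: "https://evil.example" } }));
console.log(corsHeaders({ method: "OPTIONS", headers: {
  origin: "https://admin.example.com",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "content-type, authorization",
} }));
```

Wiring this into a server is the framework-specific part the text refers to: with Node's http module, call `corsHeaders(req)`, and if `status` is non-null write that status with the returned headers and end the response, otherwise add the headers to whatever the normal handler produces. The allowlist lookup is an exact-match set on purpose; matching origins with a regular expression or a prefix check is a common source of bypasses (for example `https://app.example.com.attacker.example`).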
OWASP Top 10 security risks
The OWASP Top 10 is an awareness document for developers and for web application security in general. It lists the most critical security risks to web applications. The 2017 edition ranks them as follows.
1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring