While building applications regardless it is for web or for mobile, having a robust and unbreakable security is the priority. You can create ultra responsive user interfaces and highly optimized APIs but they are of no use if I’m able to manipulate your security firewalls, your tokens or your sessions.
With the birth of the internet, came the entity, known as hackers which throughout the evolution of web exploited a lot of applications. This article will go through some of the very common points that every developer must consider while building the web apps.
The article will follow the best practices for all types of server environments but the main focus will be on Apache. The configurations that we will discuss can be done either at the server level or at file level depends upon how much access do you have and what kind of process you follow in your working environment.
Let’s see what are the points that we are going to discuss in this article –
- Content security policy
- X-XSS protection
- Referrer policy
- X-Frames options
- X-Content Type options
- Serving secured cookies
- Removal of server signatures
- Restriction of HTTP methods
- Setting cache controls
- HTTP Strict transport security policy
HTTP Strict Transport Policy (HSTS)
When we need a secure communication channel we want that the content of messages to be encrypted and should only be read by an authenticated person. This problem can be solved by using HTTPs/SSL certificates. Yeah ?? No!
The HTTPs/SSL certificates can be easily manipulated by using the “Man in the middle attack”. If you are using an unsecured WIFI network the attacker can disable the SSL encryption. This attack is also known as SSL STRIP. In this attack, the attacker can disable the encryption and make the site look like it works on HTTP even if site strictly serves on HTTPS.
The Strict-Transport-Security header forces the browser to always serve site with encryption. If the browser sees an HSTSS header, it will always serve site over HTTPs.
To use it add this to your .htaccess file –
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;
The X-Frame options header can prevent click jacking attack on your site. In a click jacking attack
To use it, add this to your .htaccess file –
Header always append X-Frame-Options SAMEORIGIN
XSS is basically a client side security issue in which the attacker can inject and execute malicious code in the site. In the XSS attack, the attacker sends the malicious script. The client’s browser can not detect whether script can be trusted or not and it will execute the script. This script can access key information like cookies, local storage, session storage, sessions and much more. Insert the following command to enable the XSS protection.
Header always set X-XSS-Protection "1; mode=block"
X-Content type options
It prevents MIME attacks. It will instruct browsers not to sniff the content type and not to overwrite the content type information.
Header set X-Content-Type-Options nosniff
This header is used to prevent cross domain referrer attacks. This header allows which information should be included in the requests made. Insert following headers in the .htaccess to resolve the issue.
Header always set Referrer-Policy "no-referrer"
< meta name="referrer" content="no-referrer" / >
The cache control headers are use to specify the instructions for caching mechanism need to be implemented for both request and response.
Header set Cache-Control "no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires 0
Restriction of HTTP methods
Restricting HTTP headers provides extra hand of security. You should always enable only those methods which you are going to use in your application. You can restrict the methods by allowing only those which you want to use. You can do this by following command.
Header always set Access-Control-Allow-Methods "POST, GET, DELETE, PUT"
So these are some common practices we can adopt to avoid general security points. Implementing these points in your application doesn’t guarantee that your application is hack proof and no one can breach in but still following these practices can create a thick wall between your app and the intruders all around the world.