7 easy security updates to make your web application more secure
IT security has never been more important than now! The threat we face is constantly growing, and we must always be ready for any challenge presented.
Luckily there is a lot you can do to easily make your web application much more secure when developing and implementing your security features.
Many will say it is obvious to do these things, but in a lot of places these small features can be forgotten, and that creates an unnecessary security risk. I will not go into full depth on each step, but it will give you information to proceed with.
1. Logout must remove session
When a user logs out, remember to remove that session, because otherwise it can be used after logout by someone else. Most often the session will be filled with a ton of sensitive data you don't want others to reuse.
2. Unique SessionID
When a user first engages with your page, it will be with a sessionId given from a non-secure context, because the user is not yet validated. When the user performs the login, this sessionId must be changed; otherwise other people can get past login because they have your sessionId. A non-secure sessionId would suddenly be granted access as a secure sessionId, which is wrong.
3. Password reset is unique
The links you use for resetting your password must have an expiration date/time, and must only be allowed to be used one time. This way it cannot be used again if someone gains access to your mail and uses the link once more, because it has either expired or already been used.
4. AntiForgeryToken
This is an easy way for ASP.NET developers to secure their web application against Cross Site Request Forgery (CSRF). Basically it ensures the form that is being posted has been generated by the same server, to prevent someone from posting something they have created themselves.
5. Page variables as encoded strings
When presenting something on your page (often verification of input), make sure it is always a string, and encoded. This way an input script will end up being shown instead of executed on the page.
6. X-Frame-Options & response headers
The X-Frame-Options response header can be used to indicate whether a browser should be allowed to render a page in a <frame> or <iframe> tag. This way you can ensure that nobody can perform clickjacking attacks on your page and web application. Setting the X-Frame-Options header for all responses containing HTML content will give your application an easy security upgrade.
7. Validating input characters
A crucial part of securing your web application is validating the input you get from the untrusted side, the user. They can inject JavaScript, or input data in either the wrong format or with invalid characters that can result in an exception, possibly leading them to information about how your web application works.
8. BONUS: Password fields
Browsers are getting smarter and smarter, helping the user to a higher degree than seen before, which means that they will save passwords even if they shouldn't. You could use type="password", or autocomplete="off", or autocomplete="new-password", but if you want to be sure the browser won't remember the inputted values, there is a simple solution. Generating a unique id and unique input name for the field on every request prevents the browser from helping the user, as it is not a name it has seen before, and therefore it cannot present a list of previously used values. Another way is to put a hidden password field right before the actual password field, so the browser autocompletes this fake field instead. A last solution could be to use type="text", but then the text will not be hidden like in a password field; luckily there is a simple CSS solution for this.
input {
    /* mask the characters of a type="text" field with discs, like a password field */
    text-security: disc;
    -webkit-text-security: disc;
    -moz-text-security: disc;
}
Key points in security:
- Logout must remove the session, otherwise it can be reused after logout by someone else
- SessionID must be changed when you log in, otherwise other people can get past login because they have your sessionID
- Links for resetting your password must have an expiration date/time, and can only be used one time
- AntiForgeryToken
- Page variables must be encoded and be strings, so that scripts are shown, not executed
- X-Frame-Options & response headers
- Input character validation
- If needed, there is a way of disabling the browser's saved password autocomplete