is an online security system that will control employee internet usage, prevent web-based threats, and limit access to dangerous websites.
Web security
These days, web security is crucial. Websites are always vulnerable to security concerns and threats. For example, web security includes the protection of data as it is being transferred between a client and a server.
Importance of Web Security
Attackers insert malicious queries into forms
SQL Injection
Injecting scripts into webpages
Cross-Site Scripting (XSS)
Forcing actions on authenticated users
Cross-Site Request Forgery (CSRF)
Tricking users to give credentials
Phishing and Social Engineering
Overwhelming the server by excessive traffic
Denial of Service (DoS)
Intercepting communications
Man-in-the-Middle Attacks
Verifies the identity of a user or system, typically through login credentials like usernames, passwords, or multi-factor authentication methods.
Authentication
Determines what authenticated users are allowed to do—such as accessing specific pages, performing transactions, or managing settings—based on their roles or permissions.
Authorization
The practice of securing user and system data from unauthorized access, modification, or breaches, often using encryption, access control, and secure storage practices.
Data Protection
A security principle ensuring that a user or entity cannot deny having performed a specific action, supported by digital signatures, secure logs, or transaction records.
Nonrepudiation
(Prevent Web Server Bugs).
Refers to securing the server infrastructure by applying updates, disabling unused services, and configuring servers to reduce vulnerabilities and prevent exploitation.
Secure the Web Environment
(Prevent XSS and Injection Attacks).
Involves checking and sanitizing input fields to block malicious code that could exploit vulnerabilities like cross-site scripting (XSS) or SQL injection.
Validate User Input
Limiting or carefully evaluating the use of external JavaScript or stylesheets to prevent attackers from injecting harmful content through trusted-looking sources.
Avoid Third-Party Scripts and CSS
(Protect Data, Prevent Mixed Content Bugs)
Applying secure protocols like HTTPS to encrypt data in transit, ensuring confidentiality and preventing attackers from exploiting mixed content vulnerabilities.
Use Encryption
Selecting appropriate and secure methods of user verification (e.g., OAuth, biometrics, MFA) based on the application's sensitivity and user roles.
Use the Right Authentication
Ensures that only valid and intended requests are executed by checking for tokens, referrer headers, or user sessions to prevent cross-site request forgery (CSRF) or cross-site script inclusion (XSSI) attacks.
Authorize Requests
A browser feature that helps protect against XSS and data injection by controlling which sources are allowed to load content like scripts, styles, and images.
Content Security Policy (CSP)
Filter and sanitize all user input
Input Validation
Implement MFA, strong password policies
Secure Authentication
Secure tokens, session timeouts
Session Management
Fix vulnerabilities quickly
Regular Updates and Patching
Protect data in transit
HTTPS and Encryption
Detect and block threats
Web Application Firewall (WAF)
Conduct SAST, DAST, penetration testing
Security Testing