Security Best Practices in Web Development

Input/Output Handling

  • Validate All User Inputs: Ensure that input data conforms to specified formats, preventing injection attacks.
  • Encode/Escape Outputs: Safeguard against Cross-Site Scripting (XSS) by converting special characters to HTML entities.
  • Sanitize HTML Content: Remove potentially harmful elements or attributes from HTML input to protect from XSS vulnerabilities.
  • Use Parameterized Queries: Prevent SQL injection attacks by using parameterized statements that treat input as data rather than executable code.

Session Management

  • Use Secure, HttpOnly Cookies: Ensure cookies are transmitted over HTTPS only and are inaccessible to JavaScript, protecting against cookie theft.
  • Implement Proper Session Timeouts: Automatically log out users after a period of inactivity to minimize the risk of unauthorized access.
  • Regenerate Session IDs After Login: Mitigate session fixation attacks by generating a new session ID upon successful authentication.
  • Use SameSite Cookie Attribute: Restrict how cookies are sent with requests from external sites, providing some CSRF protection.

Authentication

  • Implement Multi-Factor Authentication (MFA): Increase security by requiring multiple forms of verification before granting access.
  • Use Strong Password Policies: Enforce complexity rules and periodic changes to reduce the risk of compromised credentials.
  • Secure Password Reset Flows: Protect the password recovery process from unauthorized access or social engineering attacks.

Request Handling

  • Implement CSRF Protections: Use anti-CSRF tokens to ensure that requests made on behalf of users are legitimate.
  • Use Content Security Policy (CSP): Define which resources can be loaded on the page, reducing XSS risk by default.
  • Apply Proper Access Controls: Ensure users have the right permissions for the resources they access.
  • Validate Request Origins: Confirm that requests come from valid sources to prevent spoofed requests.

Final Review Questions

  • What Components Define an Origin in the Same-Origin Policy?

    • Protocol
    • Domain
    • Port
  • What is the Relationship Between the DOM, HTML, and JavaScript?

    • HTML defines the static structure of the web page.
    • The DOM is a tree-like representation of the HTML generated by the browser.
    • JavaScript modifies the DOM to update the webpage without requiring a reload.
  • What Happens When You Clear Cookies While Logged In?

    • Clearing cookies discards the client's copy of the session ID, so the client must reauthenticate; server-side session state may remain until it expires or is terminated.

Comparing XSS and CSRF

  • XSS: Injects malicious scripts into a trusted site.

    • Effects: Steals sessions, defaces sites, and performs phishing.
    • Exploits: User trust in a site.
  • CSRF: Tricks users into submitting forged requests.

    • Effects: Executes unauthorized actions such as fund transfers.
    • Exploits: Site trust in the user's browser.

Common Ports for HTTP and HTTPS

  • HTTP: Port 80
  • HTTPS: Port 443

HTTP Protocol Functionality

  • Primary Function: Facilitates client-server communication via request-response cycles.

Importance of Encoding User Inputs

  • Purpose: Neutralizes malicious characters, preventing them from being interpreted as executable code.
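The output-encoding point made under Input/Output Handling and again here, shown as an added example (not code from the original notes): a server-rendered search page in its vulnerable and encoded forms. Function names such as renderUnsafe, renderSafe and containsRawMarkup are assumptions for illustration, and the sample query is constructed.

```javascript
// Added example, not from the original notes. Names are illustrative assumptions.

// The five characters that carry meaning in HTML text and quoted attributes.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

// Convert special characters to entities so the browser displays them literally
// instead of parsing them as markup. Suitable for text nodes and quoted attributes.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable rendering: the query is concatenated straight into the page, so any
// markup inside it becomes part of the document (reflected XSS).
function renderUnsafe(query) {
  return `<p>Results for: ${query}</p>\n<input name="q" value="${query}">`;
}

// Hardened rendering: the identical page, but every interpolation is encoded once
// at the point of output. Encoding the quote character also keeps the attribute
// from being closed early.
function renderSafe(query) {
  const q = encodeHtml(query);
  return `<p>Results for: ${q}</p>\n<input name="q" value="${q}">`;
}

// A check a code review or test suite can run on a rendered response: did an
// unencoded tag or a stray attribute-closing quote survive into the output?
function containsRawMarkup(html) {
  return /<script\b/i.test(html) || /" on\w+=/i.test(html);
}

// Constructed sample input: a search string with a script tag and a quote that
// would otherwise terminate the value attribute.
const SAMPLE_QUERY = '<script>alert(1)</script>" onfocus="alert(1)';

console.log('unsafe:', renderUnsafe(SAMPLE_QUERY));
console.log('safe:  ', renderSafe(SAMPLE_QUERY));
```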