Top 10 Web Securities
Hello my dear friends, hope you all are safe and sound in this pandemic situation.
I would like to thank all my readers who have reached this article for the first time and many thanks to those who have reached here once again.
Today we will discuss the Top 10 Web Securities we must implement in our website before going live.
1. Properly sanitize your input data
You need to take care of every input taken from users. Whether it arrives by GET or POST, you must sanitize it before using it, just as we sanitize our hands in this pandemic situation. As viruses can harm our body, input data that is not properly sanitized can harm our application. Different technologies offer different techniques for sanitization; check which ones apply to yours and use them.
2. Never share session-id in the response body
You need to take care of your application's session ID. It should not be passed in the response body. To see how dangerous this can be, consider a use case: if you copy the session ID of an admin user and paste it into the corresponding cookie variable, you can access any admin account and get all privileges. Beyond the session ID, you must also make sure that no other sensitive information is passed through the response body.
3. Disable directory index
You must disable the directory index option before sharing your application with your users. With it enabled, an attacker can easily access your physical directories and their contents, and it will be very easy for him to extract important query logs and other information from your directory index. So disabling the directory index option is a must.
In the Apache virtual host:
    <Directory /var/www/public_html>
        Options -Indexes
    </Directory>
Or, in the .htaccess file:
    Options -Indexes
4. Regenerate Session ID
You need to regenerate the session ID and assign it immediately after a user authenticates to the application, and make sure the cookie value is not passed through the URL. This ensures that no one can gain access to the cookie before user authentication.
Though it depends completely on the application's requirements, if possible avoid the concurrent sign-in option, especially for privileged logins.
If your application sends emails to your users, keep in mind that there must be some limit on how many emails a user can send per day. Obviously, that is a call to discuss with your stakeholders, but as an application developer you should try to impose a limit in any situation where the application sends emails. Otherwise, it can flood the database if an attacker gains this access.
Whether or not your application uses an iframe, you must set an X-Frame-Options response header, and the value must be SAMEORIGIN or DENY to prevent framing.
8. HttpOnly Flag on session cookies
The session cookie must have the HttpOnly attribute set to prevent scripts from accessing the cookie. In php.ini, you can set:
    session.cookie_httponly = True
9.Invalid Login Message
In the login functionality, whatever the reason a login fails, your message should always say ‘Invalid Credentials’ or ‘Invalid Username/Password’ or something similar, so that it cannot be determined which field is actually incorrect, the username or the password. That way nobody can speculate on the fields and try combinations against the login function.
10. Disable ServerSignature
To disable the server signature, you need to set the lines below in the Apache configuration file:
    ServerSignature Off
    ServerTokens Prod
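A check for several of the settings above (directory index, X-Frame-Options, HttpOnly, server version disclosure), written as an added example and not code from the original article. The function name, finding codes and sample responses are assumptions made for illustration; the samples are constructed.

```python
import re

def audit_response(headers, body=""):
    """Return a sorted list of finding codes for one HTTP response.

    headers: list of (name, value) pairs, so repeated Set-Cookie headers survive.
    """
    findings = set()
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # Framing: X-Frame-Options must be present and be DENY or SAMEORIGIN.
    xfo = [v.upper() for v in by_name.get("x-frame-options", [])]
    if not xfo:
        findings.add("xfo-missing")
    elif any(v not in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.add("xfo-invalid")

    # Item 8: the session cookie needs HttpOnly; this check is stricter
    # and flags any cookie set without the attribute.
    for cookie in by_name.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "httponly" not in attrs:
            findings.add("cookie-no-httponly:" + cookie.split("=", 1)[0])

    # Item 10: with ServerTokens Prod the Server header is just "Apache";
    # a slash followed by a digit means a version is still disclosed.
    for server in by_name.get("server", []):
        if re.search(r"/\d", server):
            findings.add("server-version-disclosed")

    # Item 3: Apache's generated listings carry an "Index of /..." title.
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.add("directory-index-enabled")
    return sorted(findings)

# Constructed sample responses (not captured from any real site).
WEAK = [("Server", "Apache/2.4.41 (Ubuntu)"),
        ("Set-Cookie", "PHPSESSID=abc123; path=/")]
WEAK_BODY = "<html><head><title>Index of /logs</title></head></html>"
HARDENED = [("Server", "Apache"),
            ("X-Frame-Options", "SAMEORIGIN"),
            ("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly")]

if __name__ == "__main__":
    print(audit_response(WEAK, WEAK_BODY))
    print(audit_response(HARDENED))
```

Feed it the header pairs and body of a response from your own staging site before going live; an empty list means none of these four checks fired.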
This is not the end, we will come back with more such important notes. Just keep reading our other articles.
Thank You Very Much...