Web Application Security: Difference between revisions
Jump to navigation
Jump to search
Created page with "=Introduction= I wanted to create a page to make sure I am always covering issues with security. Some I would know off hand but useful for others when asked about =Resources=..." |
No edit summary |
||
| Line 2: | Line 2: | ||
I wanted to create a page to make sure I am always covering issues with security. Some I would know off hand but useful for others when asked about | I wanted to create a page to make sure I am always covering issues with security. Some I would know off hand but useful for others when asked about | ||
=Resources= | =Resources= | ||
[[https://expressjs.com/en/advanced/best-practice-security.html Express Article]] | [https://pragmaticwebsecurity.com/articles/oauthoidc/localstorage-xss.htm XSS and token storage] | ||
[https://expressjs.com/en/advanced/best-practice-security.html Express Article]] | |||
=Current Approach= | =Current Approach= | ||
*Helmet | *Use TLS | ||
*Implement Passport Strategy | |||
*Implement CSP | |||
*Implement Rate Limiting | |||
=Helmet= | |||
Helmet helps with | |||
*csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections. | |||
*hidePoweredBy removes the X-Powered-By header. | |||
*hsts sets Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server. | |||
*ieNoOpen sets X-Download-Options for IE8+. | |||
*noCache sets Cache-Control and Pragma headers to disable client-side caching. | |||
*noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type. | |||
*frameguard sets the X-Frame-Options header to provide clickjacking protection. | |||
*xssFilter sets X-XSS-Protection to disable the buggy Cross-site scripting (XSS) filter in web browsers. | |||
Revision as of 01:44, 30 June 2021
Introduction
I wanted to create a page to make sure I am always covering issues with security. Some I would know off hand but useful for others when asked about
Resources
XSS and token storage Express Article]
Current Approach
- Use TLS
- Implement Passport Strategy
- Implement CSP
- Implement Rate Limiting
Helmet
Helmet helps with
- csp sets the Content-Security-Policy header to help prevent cross-site scripting attacks and other cross-site injections.
- hidePoweredBy removes the X-Powered-By header.
- hsts sets Strict-Transport-Security header that enforces secure (HTTP over SSL/TLS) connections to the server.
- ieNoOpen sets X-Download-Options for IE8+.
- noCache sets Cache-Control and Pragma headers to disable client-side caching.
- noSniff sets X-Content-Type-Options to prevent browsers from MIME-sniffing a response away from the declared content-type.
- frameguard sets the X-Frame-Options header to provide clickjacking protection.
- xssFilter sets X-XSS-Protection to disable the buggy Cross-site scripting (XSS) filter in web browsers.