Web Application Security
The way to protect your online service
Web application security is one of the most important topics today. It is developing constantly, but the level of internet crime is probably rising far faster. So, first, I want to explain what web application security is in general: it is the process of protecting an online service and the data it stores against security threats that exploit vulnerabilities in the application's code, and against unauthorized access. It applies to every web-facing data store. Beyond that, people need to be aware of the common web application vulnerabilities, how to protect their data, and how to keep malicious traffic out. Here in this list are some examples:

File inclusion and disclosure
• Don't take file names for inclusions from user input, only from trusted lists or constants;
• If user input is to be used, validate it against a whitelist. Checking if the file exists or if the input matches a certain format is not sufficient;
• Ensure the application runs with no more privileges than required;
• If you serve files by user-supplied file names, thoroughly validate the file names to prevent directory traversal and similar attacks, and ensure the user is allowed to read the file.

File upload vulnerabilities
• Avoid unnecessary file uploads;
• Ensure that files uploaded by the user cannot be interpreted as script files by the web server, e.g. by checking the file extension (or whatever means your web server uses to identify script files);
• Prevent users from uploading problematic file types like HTML, CSS, JavaScript, XML, SVG, and executables using a whitelist of allowed file types;
• Consider delivering uploaded files with the "Content-Disposition: attachment" header.
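The following is an added example in Python (not code from the page) that applies the file inclusion and file upload rules above together: an allowlist lookup for includable templates with a realpath containment check behind it, an upload-name validator that refuses path separators, double extensions and non-allowlisted types, and the response headers for serving the stored file as a download. TEMPLATE_DIR, ALLOWED_TEMPLATES and the extension allowlist are constructed values for the example.

```python
import os
import re

# Constructed values for this example: the template directory and the fixed
# list of template names the application is allowed to include.
TEMPLATE_DIR = "/srv/app/templates"
ALLOWED_TEMPLATES = {"home", "about", "contact"}

# Upload policy (constructed): extensions the web server will never execute as
# script, and a strict pattern for the part of the name before the extension.
ALLOWED_UPLOAD_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def path_within(base_dir: str, candidate: str) -> bool:
    """True if candidate, after normalisation, lies inside base_dir.

    realpath collapses '..' segments and resolves symlinks, so a name that
    looks harmless but escapes the directory is caught here."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def resolve_template(name: str) -> str:
    """Return the path of an includable template or raise ValueError.

    The allowlist is the real control; the containment check is defence in
    depth for the day someone relaxes the list."""
    if name not in ALLOWED_TEMPLATES:
        raise ValueError(f"template not in allowlist: {name!r}")
    path = os.path.join(TEMPLATE_DIR, name + ".html")
    if not path_within(TEMPLATE_DIR, path):
        raise ValueError("template path escapes the template directory")
    return path


def storage_name_for_upload(client_filename: str) -> str:
    """Validate an uploaded file's name and return the name to store it under.

    Rejects directory separators, stems with anything outside SAFE_STEM (which
    also refuses double extensions such as 'x.php.png' and dot-files such as
    '.htaccess'), and any extension not on the allowlist."""
    if "/" in client_filename or "\\" in client_filename:
        raise ValueError("path separators are not allowed in file names")
    stem, dot, ext = client_filename.rpartition(".")
    if not dot or not SAFE_STEM.fullmatch(stem):
        raise ValueError(f"unsafe file name: {client_filename!r}")
    ext = ext.lower()
    if ext not in ALLOWED_UPLOAD_EXTENSIONS:
        raise ValueError(f"file type not allowed: .{ext}")
    return f"{stem}.{ext}"


def download_headers(storage_name: str) -> dict:
    """Headers for serving an uploaded file as a download rather than a page.

    'Content-Disposition: attachment' keeps the browser from rendering the
    file inline (and so from running any script it might carry); nosniff
    stops the browser from second-guessing the declared content type."""
    return {
        "Content-Disposition": f'attachment; filename="{storage_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```

The upload validator is deliberately stricter than "check the extension": the stem pattern rules out a second dot, so a name like `shell.php.png` is refused even though its last extension is on the allowlist.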

SQL injection
• Use prepared statements to access the database, or
• use stored procedures, accessed using the appropriate language/library methods or prepared statements;
• Always ensure the DB login used by the application has only the rights that are needed.
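As an added example (Python with the standard sqlite3 module, not code from the page), here is the flawed string-built query next to the prepared-statement version, run against a small in-memory table with constructed rows. The same input reaches both; only the string-built one lets it change the meaning of the query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The flaw: the caller's value is pasted into the SQL text, so quotes in
    the value become part of the query grammar."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Prepared statement: the value is bound to the placeholder after the
    query has been parsed, so it can only ever be compared as data."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, probe))  # both rows come back
    print("safe:  ", find_user_safe(db, probe))    # nothing matches that literal name
```

The least-privilege rule from the last bullet has no equivalent in SQLite, but on a server database the account used here would be granted SELECT on `users` and nothing else, so that even a successful injection cannot write or read other tables.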

Cross-site scripting (XSS)
• Escape anything that is not a constant before placing it in the response, as close to the output as possible (i.e. right in the line containing the "echo" or "print" call);
• If not possible (e.g. when building a larger HTML block), escape when building and indicate the fact that the variable content is pre-escaped and the expected context in the name;
• This may mean that you need to escape for multiple contexts and/or multiple times. For example, when passing an HTML fragment as a JS constant for later inclusion in the document, you need to escape for JS string inside HTML when writing the constant to the JavaScript source, then escape again for HTML when your script writes the fragment to the document;
• Don't forget URLs in redirector scripts.
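The following added example (Python, not code from the page) shows the escaping rules above in working form: an HTML escaper and a JS-string escaper, the "escape as close to the output as possible" case, the double-escape case where an HTML fragment is handed to a script as a constant (with the `_html` suffix marking the pre-escaped variable, as the second bullet suggests), and, for the last bullet, a redirect-target check that validates rather than escapes. The function names and the `allowed_hosts` parameter are assumptions for the example.

```python
import html
import json
from urllib.parse import urlsplit


def escape_html(value: str) -> str:
    """Escape for HTML text and quoted attribute values (& < > " ')."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """Escape for a JavaScript string literal embedded in a <script> block.

    json.dumps yields a quoted literal with quotes, backslashes and control
    characters escaped; '</' is escaped on top so the literal can never end
    the surrounding <script> element early."""
    return json.dumps(value).replace("</", "<\\/")


def render_comment_html(comment: str) -> str:
    """Escape right where the untrusted value is written into the markup."""
    return f'<p class="comment">{escape_html(comment)}</p>'


def render_script_with_fragment(comment: str) -> str:
    """The double-escape case: an HTML fragment handed to a script as a constant.

    The fragment is built with the comment already HTML-escaped (the _html
    suffix records that it is pre-escaped and for which context), then the
    whole fragment is escaped again as a JS string literal when it is written
    into the script source. The page script can then insert it with innerHTML
    without the comment ever being parsed as markup."""
    fragment_html = render_comment_html(comment)
    return f"<script>var fragment = {escape_js_string(fragment_html)};</script>"


def safe_redirect_target(target: str, allowed_hosts: set) -> str:
    """Validate a redirect target instead of escaping it.

    Accepts a local absolute path, or an http(s) URL whose host is on the
    allowlist; anything else (scheme-relative '//host', 'javascript:' and
    other schemes, backslash tricks) falls back to the site root."""
    parts = urlsplit(target)
    local_path = (parts.scheme == "" and parts.netloc == ""
                  and target.startswith("/") and "\\" not in target)
    if local_path:
        return target
    if parts.scheme in ("http", "https") and parts.netloc in allowed_hosts:
        return target
    return "/"
```

Note that `render_script_with_fragment` escapes in the order server-side code usually needs (HTML first while building, then JS when emitting); when the fragment is instead assembled in the browser, the order reverses, as the third bullet describes, but the rule is the same: one escape per context the value passes through.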

Special files
• Know the meaning of these files;
• Ensure robots.txt does not disclose "secret" paths;
• Ensure crossdomain.xml and clientaccesspolicy.xml allow access from trusted domains only;
• Prevent users from uploading/changing special files.
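As an added example (Python, not code from the page) of the two "ensure" checks above, this script reviews a crossdomain.xml / clientaccesspolicy.xml for entries that admit any origin and lists what a robots.txt discloses. The sample files and the SENSITIVE_HINTS word list are constructed for the example; the hints are only a heuristic to surface likely candidates for a human to review.

```python
import xml.etree.ElementTree as ET

# Constructed sample files for this example: a cross-domain policy that is
# too open, and a robots.txt that advertises paths it was meant to hide.
SAMPLE_CROSSDOMAIN_XML = """<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="partner.example" secure="false" />
</cross-domain-policy>"""

SAMPLE_ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup-2019/
Disallow:
Allow: /
"""

# Path fragments that usually mean "not for the public" (assumption for the
# example; extend to match your own naming).
SENSITIVE_HINTS = ("admin", "backup", "private", "internal", "staging")


def crossdomain_findings(xml_text: str) -> list:
    """Flag policy entries that let any origin in.

    Handles Flash's crossdomain.xml (allow-access-from domain="...") and
    Silverlight's clientaccesspolicy.xml (domain uri="..."). The file being
    parsed is the site's own, so the standard parser is acceptable here."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if el.tag == "allow-access-from":
            origin = el.get("domain", "")
        elif el.tag == "domain":
            origin = el.get("uri", "")
        else:
            continue
        if origin in ("*", "http://*", "https://*"):
            findings.append(f"any origin allowed: {origin}")
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on {origin}: plain-HTTP origins may use an HTTPS policy')
    return findings


def robots_disallowed_paths(robots_text: str) -> list:
    """Every Disallow path is public information; this returns all of them."""
    paths = []
    for line in robots_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def robots_findings(robots_text: str) -> list:
    """Disallow entries that look like the 'secret' paths the text warns about."""
    return [p for p in robots_disallowed_paths(robots_text)
            if any(hint in p.lower() for hint in SENSITIVE_HINTS)]
```

The remedy for a flagged robots.txt entry is not a cleverer Disallow line but access control on the path itself; robots.txt is advisory and is read by anyone.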

Password security
• Don't store plain-text passwords, store only hashes;
• Use Argon2, scrypt, bcrypt, or some other secure hashing algorithm specifically designed for secure password "storage";
• Use per-user salts;
• Limit login attempts per IP (not per user account).
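The following added example (Python standard library, not code from the page) implements the password bullets above: scrypt hashing with a fresh per-user salt and the cost parameters stored alongside the hash, constant-time verification, and a sliding-window limiter on login attempts keyed by client IP. The cost parameters and limiter thresholds are constructed defaults for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# scrypt cost parameters: about 16 MiB of memory per hash at these values
# (constructed defaults for the example; raise them as far as your login
# latency budget allows).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Hash with a fresh random per-user salt; store the whole returned string."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    # The parameters travel with the hash so they can be raised later without
    # invalidating existing records.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class LoginRateLimiter:
    """Sliding-window limit on failed login attempts keyed by client IP.

    `now` is injectable so the window can be tested without sleeping."""

    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0,
                 now=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.now = now
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def _prune(self, ip: str) -> deque:
        q = self._failures[ip]
        cutoff = self.now() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        return q

    def allow(self, ip: str) -> bool:
        """Call before checking the password; False means reject without trying."""
        return len(self._prune(ip)) < self.max_attempts

    def record_failure(self, ip: str) -> None:
        """Call after a wrong password."""
        self._prune(ip).append(self.now())

    def record_success(self, ip: str) -> None:
        """A successful login clears the counter for that address."""
        self._failures.pop(ip, None)
```

Two practical points: the limiter state lives in memory here, so a multi-process deployment would keep it in a shared store instead; and because many users can share one address behind a NAT or proxy, the threshold should be generous enough that one user's typos do not lock out a whole office.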

A web application firewall (WAF) filters, tracks and blocks HTTP traffic that is not legitimate. In contrast to a regular firewall, it can filter the content of specific web applications. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.
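To make the inspection step concrete, here is an added example (Python, not code from the page or from any real WAF product) of a minimal signature-based filter run over constructed request lines: it decodes the query-string parameters, matches them against a tiny rule set for the three flaw classes named above, and returns an allow/block decision per request. The sample requests and the rule patterns are constructed for the example and are far smaller than what a production WAF uses.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample request lines: one ordinary search, then one each for the
# three flaw classes named in the text.
SAMPLE_REQUEST_LINES = [
    "GET /search?q=summer+shoes HTTP/1.1",
    "GET /item?id=1'+OR+'1'%3D'1 HTTP/1.1",
    "GET /profile?name=%3Cscript%3Ehello%3C%2Fscript%3E HTTP/1.1",
    "GET /page?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1",
]

# Deliberately small signature set (assumption for the example). A real WAF
# ships many rules and also normalises headers, cookies and request bodies,
# not just the query string.
RULES = [
    ("sqli", re.compile(r"(?i)['\"]\s*(or|and)\s*['\"]?\d|union\s+select|--\s*$")),
    ("xss", re.compile(r"(?i)<\s*script|\bon\w+\s*=|javascript:")),
    ("traversal", re.compile(r"\.\./|\.\.\\")),
]


def decoded_parameter_values(request_line: str) -> list:
    """Query-string values, decoded twice so double-encoded input is seen plain."""
    _method, target, _version = request_line.split(" ", 2)
    query = urlsplit(target).query
    values = []
    for _name, value in parse_qsl(query, keep_blank_values=True):
        values.append(value)                # decoded once by parse_qsl
        values.append(unquote_plus(value))  # and once more for double encoding
    return values


def inspect_request(request_line: str) -> dict:
    """Return the filter's decision for one request line."""
    values = decoded_parameter_values(request_line)
    matched = [name for name, rx in RULES if any(rx.search(v) for v in values)]
    return {
        "request": request_line,
        "action": "block" if matched else "allow",
        "rules": matched,
    }


def inspect_all(lines: list) -> list:
    """Run the filter over a batch of request lines, e.g. replayed from a log."""
    return [inspect_request(line) for line in lines]


if __name__ == "__main__":
    for decision in inspect_all(SAMPLE_REQUEST_LINES):
        print(decision["action"].upper(), decision["rules"], decision["request"])
```

Signature rules of this kind are a perimeter control, not a substitute for the fixes in the sections above: they reduce the volume of obvious malicious traffic that reaches the application, while prepared statements, output escaping and strict file handling are what actually close the flaws.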
