Security

5 important tips that make your website most secure and high performance. by ON August 04 2019

We have listed here the most important security-related things for our web application that we can add to our site and can prevent it from cross-site scripting and other vulnerabilities.

These tips also improve your page loading performance as well as page ranking score.

  1. Contents security policy
  2. HTTP Strict Transport Security
  3. Sub-resource Integrity
  4. X-Content-Type-Options
  5. X-Frame-Options

1. Contents security policy:-

The Content Security Policy ( CSP ) standard is a way to selectively specify which content or resource should be loaded in web applications that means It will restrict the unwanted sources to load in our web application and only load which we will specify in the page header.

It prevents our site from cross-site scripting vulnerabilities, clickjacking, mixed content security issues, protocol downgrading and any other kind of code injection.

Here we can whitelist the domain and resources from where we allowed only.

// Allows any source for content.
<meta http-equiv="Content-Security-Policy" content="default-src *;">
// Allows any https source for content.
<meta http-equiv="Content-Security-Policy" content="default-src https:">
// Set custom option for all meta option under CSP.
<meta http-equiv="Content-Security-Policy" 
      content="default-src 'self' data: gap: 'unsafe-eval' ws: ; 
      style-src 'self' 'unsafe-inline'; 
      script-src https: *.example.com ;
      media-src 'none';
      font-src *;
      connect-src *;
      img-src 'self' data: content:;">

 <!-- Also can add below attributes as per requirement
      base-uri /abc/; - Limit to content in this folder  v2
      form-action ; - Limit where forms can be sent  v2
      VALUES
      'self' - Anything from the same origin
      data: - data-uri (base64 images)
      gap: - phonegap and cordova used by plugins on iOS
      ws: - web sockets
      * - Anything except data: and blobs
      filesystem: - Access things on the local filesystem
      blob: - Allow Binary Large Objects
      mediastream: - Allow streamed media
      content: - Used by Cordova
      'none' - Prevent anything in the category
      https: - Anything over https://
      *.example.com - anything from any subdomain of example.com
      'unsafe-inline' - Allow inline source elements like style attribute, onclick, or script tags. 
          'unsafe-eval' - Allow javascript eval(). 
          -->

2. HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.

We always try to search like example.com or www.example.com or http://www.example.com

In the rare case, we write like https://wwww.example.com which makes a secure connection with the server.

But on the above other cases which make connection insure during request and then redirect it to the https which we do normally using redirect rule that is a bad habit because someone can attack in between on insecure request that is called the man in the middle attack.

So HSTS enforces the browser to make a secure connection with the server using HTTPS in any case and yes if the site is not https enabled then it has some fallback.

It uses HSTS cache (Called super cache).
It stored some bit information for you connection and different browser stored in a different way.

There are some parameters which we can set like

  1. Max-age (in a sec ):- Once the user agents (like browsers) make a connection with https it will remember till time gets expired.
    Example :- Strict-Transport-Security: max-age=63072000
  2. preload:- It uses from the preload list which browsers make.
  3. includeSubDomains :- We can include subdomain also for the request.
// Example:- Set meta in header of web page. 
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

3. Sub-resource Integrity

Attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs)
In order to create vulnerabilities in all websites that make use of that hosted library.
So this security feature giving an option to avoid if any changes made on it.

We can create hash key to set as integrity that will verify that correct resource.

https://www.srihash.org

Just put the URL of your CDN on the above site and it will generate a `script` tag with integrity.

// Example
<script src="https://code.jquery.com/jquery-2.1.4.min.js"
integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC"
    crossorigin="anonymous">
</script>

4. X-Content-Type-Options

We can set the header as content-type for the request which we expect from the server.

it should not load scripts and style sheets unless the server indicates the correct MIME type.

# Prevent browsers from incorrectly detecting non-scripts as scripts

 X-Content-Type-Options: nosniff

5. X-Frame-Options

To protect your site from clickjacking by set x-frame-option.
Don’t allow another source to be a iframe on your page.

# Only allow my site to frame itself
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN

X-XSS-Protection

Protect from cross-site scripting by the set option on Content-Security-Policy.

# Block pages from loading when they detect reflected XSS attacks
X-XSS-Protection: 1; mode=block

My goal for this post is to aware you of these security things and you can read it more about it from a different sources.

If you have any questions about above any point you can comment on below comment box.

Thank you :>)

author's avatar ALL POST
Knowledge contribution is better than any contribution.
LEAVE A COMMENT

Leave a Reply

Your e-mail address will not be published. Required fields are marked *