Here we list the most important security-related measures that we can add to our web application to protect it from cross-site scripting and other vulnerabilities.
These tips also improve your page loading performance as well as your page ranking score.
- Content Security Policy
- HTTP Strict Transport Security
- Subresource Integrity
1. Content Security Policy
The Content Security Policy (CSP) standard is a way to specify selectively which content or resources may be loaded in a web application. In other words, it blocks unwanted sources and loads only the ones we specify in the page header.
It protects our site from cross-site scripting vulnerabilities, clickjacking, mixed-content security issues, protocol downgrading and other kinds of code injection.
Here we can whitelist only the domains and resources that we allow.
// Allows any source for content.
<meta http-equiv="Content-Security-Policy" content="default-src *;">
// Allows any HTTPS source for content.
<meta http-equiv="Content-Security-Policy" content="default-src https:">
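To show what the two policies above actually permit, here is an added example (not code from the original post) that models how a browser evaluates a CSP: isAllowed() answers "may this resource URL load under this directive?" for the source expressions the post uses ('*', 'https:', 'self') plus plain and wildcard host sources, and applies the fallback from a missing directive to default-src. Real browsers also handle nonces, hashes, paths and ports; those are left out here, and the example policies and hostnames are constructed.

```javascript
// Added example (not code from the original post): a simplified model of how a
// browser evaluates a Content Security Policy. Nonces, hashes, paths and ports
// are out of scope; host names and policies below are constructed samples.

// Parse "default-src 'self'; script-src https: cdn.example.com" into
// { "default-src": ["'self'"], "script-src": ["https:", "cdn.example.com"] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// "*.example.com" matches any subdomain of example.com but not example.com itself.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Does one source expression match the resource, given the page it loads on?
function sourceMatches(source, resource, page) {
  const src = source.toLowerCase();
  if (src === "*") return true;                       // any origin: the weak "default-src *" example
  if (src === "'self'") return resource.origin === page.origin;
  if (src.startsWith("'")) return false;              // 'none', 'unsafe-inline', nonces, hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return resource.protocol === src; // scheme source, e.g. "https:"
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme) {
    if (resource.protocol !== scheme + ":") return false;
  } else if (resource.protocol !== page.protocol &&
             !(page.protocol === "http:" && resource.protocol === "https:")) {
    return false;                                     // host without scheme: same scheme as the page, or upgraded to https
  }
  return hostMatches(host, resource.hostname);
}

// directive is e.g. "script-src" or "img-src". A directive the policy does not
// name falls back to default-src; a policy that names neither allows the load.
function isAllowed(policy, directive, resourceUrl, pageUrl) {
  const directives = parseCsp(policy);
  const sources = directives[directive.toLowerCase()] || directives["default-src"];
  if (!sources) return true;
  const resource = new URL(resourceUrl);
  const page = new URL(pageUrl);
  return sources.some((s) => sourceMatches(s, resource, page));
}

// Usage on the post's two policies, for a page at https://www.example.com/:
// isAllowed("default-src *", "script-src", "http://anything.example/x.js", "https://www.example.com/") is true,
// isAllowed("default-src https:", "script-src", "http://anything.example/x.js", "https://www.example.com/") is false.
```

The second policy blocks the plain-HTTP script, but it still allows a script from any HTTPS host, which is why a real policy should list specific origins (for example, `default-src 'self'; script-src 'self' https://cdn.example.com`) rather than a bare scheme.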
2. HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.
We always try to search like
In rare cases we write https://wwww.example.com, which makes a secure connection with the server.
In the other cases above, the connection is insecure during the request and is then redirected to HTTPS, which we normally do with a redirect rule. That is a bad habit, because someone can attack the insecure request in between; this is called a man-in-the-middle attack.
So HSTS forces the browser to make a secure connection with the server over HTTPS in every case, and if the site is not HTTPS-enabled it has a fallback.
It uses the HSTS cache (called the super cache).
It stores some bits of information about your connection, and different browsers store it in different ways.
There are some parameters which we can set:
- max-age (in seconds): once a user agent (such as a browser) has made an HTTPS connection, it remembers to use HTTPS until this time expires.
Example: Strict-Transport-Security: max-age=63072000
- preload: uses the preload list that browsers ship with.
- includeSubDomains: also applies the policy to the site's subdomains.
// Example: set this header on the web page's response.
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
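The following is an added example (not code from the original post) that models the HSTS cache described above: it parses the Strict-Transport-Security header from a response, remembers the host (and its subdomains when includeSubDomains is set) until max-age expires, and then rewrites a later plain http:// URL to https:// before any request is made. It also shows two rules a practitioner should know: the header is only honoured on an HTTPS response (and only as an HTTP response header, not a meta tag), and max-age=0 removes the host from the cache. Hostnames and timestamps are constructed; the preload flag is parsed but the preload list itself is a static list compiled into browsers, which this model does not have.

```javascript
// Added example (not code from the original post): a model of a browser's
// HSTS cache. Hosts and times below are constructed samples.

// Parse "max-age=63072000; includeSubDomains; preload". Returns null for a
// header without a valid non-negative max-age, which browsers ignore.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(";")) {
    const [name, value] = raw.trim().split("=").map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === "max-age") policy.maxAge = Number(value);
    else if (key === "includesubdomains") policy.includeSubDomains = true;
    else if (key === "preload") policy.preload = true;
  }
  if (!Number.isInteger(policy.maxAge) || policy.maxAge < 0) return null;
  return policy;
}

class HstsCache {
  constructor() {
    this.entries = new Map(); // hostname -> { expires (ms since epoch), includeSubDomains }
  }

  // Record the policy carried by a response. Only HTTPS responses are
  // trusted (RFC 6797): an HSTS header on a plain-HTTP response is ignored,
  // otherwise an on-path attacker could poison the cache. Returns whether
  // the header was accepted.
  observe(responseUrl, headerValue, now) {
    const url = new URL(responseUrl);
    if (url.protocol !== "https:") return false;
    const policy = parseHsts(headerValue);
    if (!policy) return false;
    if (policy.maxAge === 0) {          // max-age=0 tells the browser to forget the host
      this.entries.delete(url.hostname);
      return true;
    }
    this.entries.set(url.hostname, {
      expires: now + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is this hostname covered by an unexpired entry, either directly or via
  // an ancestor domain that set includeSubDomains?
  isKnown(hostname, now) {
    const labels = hostname.split(".");
    for (let i = 0; i < labels.length; i++) {
      const entry = this.entries.get(labels.slice(i).join("."));
      if (!entry || entry.expires <= now) continue;
      if (i === 0 || entry.includeSubDomains) return true;
    }
    return false;
  }

  // The URL the browser would actually fetch: http:// becomes https:// for
  // known hosts, so no insecure request ever leaves the machine.
  rewrite(requestUrl, now) {
    const url = new URL(requestUrl);
    if (url.protocol === "http:" && this.isKnown(url.hostname, now)) {
      url.protocol = "https:";
    }
    return url.toString();
  }
}

// Usage: after one HTTPS visit that returned the post's example header,
// a typed http:// address for the same host (or a subdomain) is upgraded
// locally, and the upgrade lapses once max-age has passed.
const cache = new HstsCache();
const t0 = Date.parse("2024-01-01T00:00:00Z");
cache.observe("https://www.example.com/", "max-age=63072000; includeSubDomains; preload", t0);
cache.rewrite("http://www.example.com/login", t0 + 1000);   // "https://www.example.com/login"
```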
3. Subresource Integrity
If the CDN that hosts a library is compromised, a modified copy of that library can create vulnerabilities in all websites that make use of that hosted library.
So this security feature gives us an option to avoid that if any changes are made to the file.
We can create a hash to set as the integrity value, which verifies that the correct resource was loaded.
Just put the URL of your CDN resource on the above site and it will generate a `script` tag with integrity.
// Example
<script src="https://code.jquery.com/jquery-2.1.4.min.js" integrity="sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC" crossorigin="anonymous"></script>
We can also set a header so that the browser trusts only the Content-Type that the server sends in its response.
It should not load scripts and style sheets unless the server indicates the correct MIME type.
# Prevent browsers from incorrectly detecting non-scripts as scripts
X-Content-Type-Options: nosniff
Protect your site from clickjacking by setting X-Frame-Options.
Don't allow another source to put your page in an iframe.
# Only allow my site to frame itself
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
Protect from cross-site scripting by setting the option on Content-Security-Policy.
# Block pages from loading when they detect reflected XSS attacks
X-XSS-Protection: 1; mode=block
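Here is an added example (not code from the original post) of a defender-side check that ties the headers in this post together: auditSecurityHeaders() takes a plain object of response header names and values and returns a list of findings, so it can run against a fetched response or in a CI check. The header names and checks come from this post; the thresholds (at least one year of max-age, and includeSubDomains whenever preload is requested) are the HSTS preload list's own requirements. X-XSS-Protection is deliberately not audited, since Chrome and Edge have removed the filter it controlled and Firefox never implemented it, so CSP is the control that matters. The two sample header sets are constructed.

```javascript
// Added example (not code from the original post): audit a response's
// security headers against the settings discussed in this post.
// Returns a list of findings; an empty list means every check passed.

const ONE_YEAR_SECONDS = 31536000;

function auditSecurityHeaders(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value).trim();
  const findings = [];

  // Content Security Policy: present, and default-src not the wildcard.
  const csp = h["content-security-policy"];
  const directives = {};
  if (!csp) {
    findings.push("Content-Security-Policy missing");
  } else {
    for (const part of csp.split(";")) {
      const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
      if (name) directives[name.toLowerCase()] = sources;
    }
    if ((directives["default-src"] || []).includes("*")) {
      findings.push("Content-Security-Policy: default-src * allows content from any origin");
    }
  }

  // Clickjacking: frame-ancestors, or X-Frame-Options for older browsers.
  if (!directives["frame-ancestors"] && !h["x-frame-options"]) {
    findings.push("clickjacking: neither frame-ancestors nor X-Frame-Options is set");
  }

  // HSTS: present, long enough max-age, includeSubDomains if preload is requested.
  const hsts = h["strict-transport-security"];
  if (!hsts) {
    findings.push("Strict-Transport-Security missing");
  } else {
    const m = hsts.match(/max-age\s*=\s*"?(\d+)/i);
    if (!m) {
      findings.push("Strict-Transport-Security: max-age missing or invalid");
    } else if (Number(m[1]) < ONE_YEAR_SECONDS) {
      findings.push(`Strict-Transport-Security: max-age=${m[1]} is below one year`);
    }
    if (/\bpreload\b/i.test(hsts) && !/\bincludesubdomains\b/i.test(hsts)) {
      findings.push("Strict-Transport-Security: preload requires includeSubDomains");
    }
  }

  // MIME sniffing: the browser must honour the server's Content-Type.
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options: nosniff missing");
  }

  return findings;
}

// Constructed samples: the weak settings from earlier in the post, and a
// hardened set that passes every check.
const WEAK_HEADERS = {
  "Content-Security-Policy": "default-src *",
  "Strict-Transport-Security": "max-age=3600; preload",
};
const HARDENED_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'self'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
};

// auditSecurityHeaders(WEAK_HEADERS) reports five findings;
// auditSecurityHeaders(HARDENED_HEADERS) returns [].
```

In practice you would feed it the headers of a real response (for example by iterating a fetch() Response's headers into an object) and fail the build or raise an alert when the list is not empty.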
My goal for this post is to make you aware of these security features; you can read more about them from different sources.
If you have any questions about any of the points above, you can comment in the comment box below.
Thank you :>)