Plan for security from the start.
Keep it simple to keep the attack surface minimum.
Model possible threats.
Ask what can go wrong.
Any user input is an attack vector.
Never trust any input, always validate, always sanitize
Libraries and network calls are attack vectors.
Use well-known tried and tested libraries only,
and keep them updated
use HTTPS, don’t allow HTTP access to secure pages
Enforce strong passwords,
never keep plain-text passwords,
do not encrypt passwords,
hash them with a salt
Write exploit code to test your patches
Don’t try to roll your own security solutions, it’s a community effort
Log suspicious activity,
like failed login attempts,
statistically rare or unexpected events
Avoid security through obscurity
Do not hide secrets in code,
make sure they won’t end up in public repos
Be aware of buffer overflow attacks
Consider all cases, allow, disallow, exception
No system is 100% secure, security is an example of “unknown unknowns”
Use 2-factor auth
Add exponential delay to repeated login attempts
Lock account after repeated failed login attempts
Use authorization levels.
Least privilege, never grant more access than required.
Separation of privileges, so your system is not all or nothing
Use allow-lists, not block-lists
Parametrize SQL queries to prevent SQL injection
They are mainly used for managing sessions, tracking, and personalization
__Host- to restrict cookie on a specific domain (no subdomains)
Prepend cookies with
__Secure- to prevent them from being overwritten.
__Host- prefix is stricter than
Expires set an expiration
Secure header make cookies HTTPS
SameSite to prevent sending the cookie via cross-origin requests
document.cookie = "_Host-username=Jane; Secure; HttpOnly; Path=/; SameSite=Strict";
Cross-site request forgery CSRF
CSRF is forgery of a valid request.
It is possible to forge a fake request if
- the only mechanism to track user session is a cookie,
- all request parameters predictable
To prevent it, we need at least one unpredictable parameter, a CSRF token.
This token is a large random value, unique per user & per user session.
Make sure your forms have CSRF tokens.
CSRF tokens should not be sent within cookies.
SameSite header to forbid sending the cookie via cross-origin requests
Cross-origin Resource Sharing (CORS)
an origin is a tuple of protocol:host:port
Access-Control-Allow-Origin: https://x.com:8081 only the specified origin can access
Access-Control-Allow-Origin: * every origin can access
By default, browser XMLHttpRequest or fetch APIs allows same-origin only
Access-Control-Allow-Origin to manage CORS
integrity to verify a resource is not modified on the way
X-Frame-Options: DENY to disallow allow attempts to iframe site
Cross-site scripting XSS
It is injecting malicious code into a website so user’s browser executes it
To prevent, validate and encode. For example
<script> would be encoded as
Content Security Policy header
so the browser will run only allow the white-listed scripts and assets
an example CSP response header
Content-Security-Policy: default-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' 'https://i.imgur.com'; font-src 'https://fonts.googleapis.com';