Updated: Jan 10, 2020
In this post I will go over the main elements that need to be implemented in order to be confident with the security of your web application. This is not a comprehensive list, but those elements are critical to get closer to an A+ rating.
All our web applications include those elements by default in order to ensure our client that they can use our products safely.
Protection of the web application
Cross-origin resource sharing
Cross-origin resource sharing is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.
Your goal is for your web application’s content to be visible via cross-origin resource sharing files or headers but is restricted to specific domains.
This setting is important because it ensure that foreign sites cannot read your content and access unauthorized information.
Redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened.
Your goal is to ensure that the flow of redirection is made under Hypertext transfer protocol secure (or HTTPS).
This setting is important because it ensure that the HTTPS setting is fully applied on your web application.
Hypertext Transfer Protocol Secure is an extension of the Hypertext Transfer Protocol. It is used for secure communication over a computer network and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security.
HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are methods used to secure and encrypt sensitive information like credit cards, usernames, passwords, and other private data sent over the Internet. Website pages secured with SSL and TLS are those branded with the HTTPS in their URL address.
Anything (including people, software, computers, and devices) who exchange sensitive information on any network, including the Internet and Web, needs to use SSL/TLS. Sensitive information includes things like username and passwords, credit card numbers, or any other data that needs to be kept private. Therefore, it is very important to ensure your web application comes with the appropriate certificates.
Management of the accesses
A one-time password (OTP), also known as one-time pin or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid a number of shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has (such as a small keyring fob device with the OTP calculator built into it, or a smartcard or specific cellphone) as well as something a person knows (such as a PIN).
It is very important to include such a process in your authentication flow as it reduces the risk of hacking someone’s accesses to the web application and therefore jeopardize the content. It must come with the appropriate hashing of any password as well as a requirement for non-trivial password (mix of letters and numbers, minimum of characters …).
Management of accesses is the mean by which certain users could give access to certain aspect of the web application. It important in most web application to build this capability as it ensures that the user can have access only to the relevant information. Also, it is something that users are seeking as it ensures a segregation of information that is also relevant to most use-cases.
Want more information?
Please contact us at firstname.lastname@example.org