security
Aspects of security
Transport Layer Security (TLS): ensures that data and resources exchanged between the user and a website are protected in transit. HTTPS, compared to plain HTTP, uses TLS to encrypt all communication between the client and the server.
Protocol versions: the TLS version in use has to be up to date. TLS v1.3 is the latest and was released in August 2018 by the IETF. It is faster and more secure than TLS v1.2; many of the major vulnerabilities in TLS v1.2 involved older cryptographic algorithms that TLS v1.3 removes.
Cipher suites: a set of cryptographic algorithms that the client and server must agree on before they can begin communicating securely using TLS.
Certificate Authority (CA): a company or organization that issues the TLS certificates that browsers recognize, allowing them to establish a secure communication channel with the website.
HTTP Strict Transport Security (HSTS): a response header that instructs the browser to automatically convert all attempts to access the site over HTTP into HTTPS requests.
Cookies
Cookies: a set of data about the user sent from the server to the browser, usually for session management, personalization, tracking and other state that must persist across requests. Cookies that are not set properly are susceptible to attacks such as session hijacking, Cross-Site Request Forgery (CSRF), Cross-Site Script Inclusion (XSSI) and various other cross-site leak vulnerabilities.
Cookie attributes: to defend against the threats mentioned above, developers can use three attributes on a cookie: HttpOnly, Secure and SameSite. The Secure attribute is similar to the HSTS header in that it ensures the cookie is only ever sent over HTTPS, preventing Manipulator-in-the-Middle attacks. HttpOnly ensures that the cookie is not accessible from any JavaScript code, preventing cookie theft through Cross-Site Scripting attacks.
SameSite: the SameSite attribute can be used to prevent CSRF attacks by telling the browser whether to send the cookie on cross-site requests. The Strict value only sends the cookie to the site where it originated; Lax additionally sends it on cross-site requests when the user navigates to the originating site by following a link; None sends it on both same-site and cross-site requests. If SameSite=None is set, the cookie's Secure attribute must also be set, or the browser will block the cookie.
There are two different kinds of cookies: first-party and third-party.
First-party cookies: usually set by the server of the site you are visiting.
Third-party cookies: created by third-party services and often used for tracking and ad serving.
Cookie age: there are two ways to set when a cookie is deleted: Max-Age and Expires. Expires uses a specific date (interpreted relative to the client's clock) to determine when the cookie is deleted, whereas Max-Age uses a duration in seconds.
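The cookie attributes above, as an added example that is not part of the original page: a small auditor that parses a Set-Cookie value, reports the missing or conflicting attributes discussed here (including the SameSite=None-without-Secure case), and a builder for a hardened session cookie. The cookie values are constructed samples.

```python
# Added example: audit Set-Cookie values for the attributes this page discusses.
# Sample cookies below are constructed for illustration, not taken from a real site.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes); attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # flag attributes map to True
    return name.strip(), value.strip(), attrs

def audit_cookie(header):
    """Return a list of findings for a Set-Cookie value; an empty list means all checks passed."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")          # cookie may travel over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")        # readable by injected JavaScript
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite")        # no CSRF protection from the browser
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure (browser will block the cookie)")
    if "max-age" in attrs and "expires" in attrs:
        findings.append("both Max-Age and Expires set (Max-Age takes precedence)")
    return findings

def build_session_cookie(name, value, max_age=3600, same_site="Lax"):
    """Build a hardened session cookie: HTTPS-only, hidden from scripts, Lax by default."""
    return "; ".join([f"{name}={value}", "Path=/", "Secure", "HttpOnly",
                      f"SameSite={same_site}", f"Max-Age={max_age}"])

# Constructed samples: a weak legacy cookie and a hardened one.
WEAK_COOKIE = "sid=abc123; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
HARDENED_COOKIE = build_session_cookie("sid", "abc123")

if __name__ == "__main__":
    for cookie in (WEAK_COOKIE, HARDENED_COOKIE):
        print(cookie, "->", audit_cookie(cookie) or "ok")
```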
Content inclusion
Content inclusion: a website's content is frequently loaded from external service providers such as content delivery networks (CDNs) in order to reduce worldwide network round-trips when serving that content. Magecart attacks, which target website content systems and inject persistent malware through cross-site scripting (XSS) vulnerabilities and other means, are on the rise and make the security of content inclusion more important.
Content Security Policy (CSP): adds a defense-in-depth layer to mitigate attacks such as code injection via cross-site scripting, clickjacking and others, by defining which types and sources of content are allowed.
Subresource Integrity (SRI): ensures that included content has not been modified with malicious intent.
Permissions Policy: browsers are becoming more and more powerful with time, adding native APIs that give websites access to and control over different kinds of hardware and features. These APIs introduce potential security risks to users through misuse of those features, such as malicious scripts turning on a microphone and collecting data, or fingerprinting a device's geolocation to collect location information. A Permissions Policy lets a site declare which of these features its pages may use.
Iframe sandbox: HTML <iframe> elements by default have access to top-level page capabilities such as opening pop-ups or navigating the top-level page, so <iframe> elements can be subject to clickjacking attacks. The sandbox attribute restricts these capabilities.
Attack prevention
Security header adoption: security headers restrict different kinds of malicious traffic and data flow. The most widely used is the X-Content-Type-Options header, which protects against MIME-sniffing attacks.
Content Security Policy (CSP): determines the trusted sources from which content can be loaded safely. A common way to prevent clickjacking is to stop the browser from loading the website in a frame; the frame-ancestors directive of a CSP header restricts which other domains may include the page's content in a frame.
Cross-Origin policies (CORS): cross-origin policies are one of the main mechanisms used to defend against micro-architectural attacks like cross-site leaks. XS-Leaks are somewhat similar to Cross-Site Request Forgery, but rather than performing an action they infer small pieces of information about the user that are exposed during interactions between websites.
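The response headers covered above (HSTS, X-Content-Type-Options, a CSP with frame-ancestors, Permissions Policy) together with Subresource Integrity, as an added example that is not part of the original page: a checker that audits a set of response headers and a helper that computes the SRI integrity value for an included script. The header sets and the script body are constructed samples.

```python
# Added example: check a response's security headers for the controls this page lists
# and compute an SRI integrity value for an included script. Headers below are constructed.
import base64
import hashlib

def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def sri_integrity(body, algo="sha384"):
    """Return the integrity attribute value (algo-base64digest) for a subresource body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def audit_headers(headers):
    """Return findings for a dict of response headers; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("no HSTS header: plain-HTTP requests are not upgraded")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing (MIME sniffing)")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("no Content-Security-Policy")
    elif "frame-ancestors" not in csp:
        findings.append("CSP has no frame-ancestors directive (clickjacking)")
    if "permissions-policy" not in h:
        findings.append("no Permissions-Policy: powerful features left enabled")
    return findings

# Constructed samples: a weak response and a hardened one (cdn.example is a placeholder host).
WEAK_HEADERS = {"Content-Type": "text/html", "Content-Security-Policy": "default-src 'self'"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'",
    "Permissions-Policy": "microphone=(), geolocation=()",
}
SCRIPT_BODY = b"console.log('hello');"  # constructed subresource body

if __name__ == "__main__":
    print(audit_headers(WEAK_HEADERS), audit_headers(HARDENED_HEADERS))
    print(f'<script src="https://cdn.example/app.js" integrity="{sri_integrity(SCRIPT_BODY)}" crossorigin="anonymous"></script>')
```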