Web security related resources

  • OWASP: Top Ten Critical Security Risks
    Top 10 list of the most important web application security weaknesses. It also provides basic techniques to protect against these high risk problem areas. Some of those are explained in detail in the links and references below.

  • Article: Starting Up Security
    A good introduction to code and infrastructure security measures for a company, not only for startups.

  • Article: Security Breach 101
    How to react calmly and go through all the necessary steps when things go south and you get attacked. I hope you’ll never need it, but I highly recommend having a process for handling security breaches in place.

Secure foundations

Dependencies

Find known vulnerabilities in packages and frameworks.

Database security settings

Secure communication: TLS

  • How To Migrate To HTTPS
    This document describes a series of steps you can follow to gradually migrate a small or large web site from HTTP to HTTPS.

Obtaining TLS certificates

  • Let’s Encrypt
    A free and open Certificate Authority by Mozilla, Akamai, Cisco and the EFF, arriving mid-2015

  • ioerror/duraconf: Getting a free certificate
    If you use this guide to generate a free certificate at StartSSL, make sure to generate the public/private key pair with this command (the original description is a bit outdated):
    openssl req -new -newkey rsa:4096 -sha256 -keyout example.com.key -nodes -out example.com.csr

  • SSLMate
    Buy SSL certs from the command line.

(Just a few examples, there are lots of different Certificate Authorities and vendors.)

Configuring your server, installing certificates

Assuming you have full administration rights on your server, the following links help you get your TLS certificate up and running. If you don’t, ask your hosting provider whether they offer TLS as well.

Secure applications

Safer interaction with the browser

  • OWASP: HTML5 Security Cheat Sheet
    A good overview of how to handle HTML5 features such as Web Sockets, Storage APIs, Web Workers and iframes safely. It also lists some useful HTTP headers to enhance security.

  • Talk: In the DOM, no one will hear you scream
    A journey into the moldy layer between HTML and JavaScript

  • helmet
    Express middleware that sets various security headers for your application (including Content-Security-Policy, HTTP Strict Transport Security, X-Frame-Options and the XSS filter header)

  • lusca
    Application security for Express apps

Cross-Site-Scripting (XSS) prevention

Cross-Site Scripting describes an attack in which foreign (potentially malicious) code is executed in the context of your website. It can, for example, extract cookies, security tokens and all sorts of user data, and alter the content and functionality of your website.

  • html5sec.org (GitHub)
    Extensive list of XSS vector examples and the browsers affected by each. The GitHub repository contains links to further tools, file upload tests, feed reader XSS tests, etc.

  • Article: Finding Zero-Day XSS Vulns via Doc Metadata
    XSS attacks can also occur where you wouldn’t expect them at first, for example in the metadata of files uploaded to your website (e.g. EXIF data stored in photos).

Content-Security-Policy (CSP)

The Content-Security-Policy HTTP header acts as a whitelist of the sources from which different content types (scripts, stylesheets, images, webfonts, …) may be loaded on your website. It helps prevent the execution of malicious code (e.g. injected through XSS attacks) because the browser refuses anything the policy does not allow.
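As an added example (not code from this README, nor from helmet or lusca), the following builds the kind of security headers helmet sets for an Express app and flags CSP directives that would undermine the XSS protection described above; the header values and the `applySecurityHeaders` helper are illustrative choices, not helmet’s API.

```javascript
// Added example: build helmet-style security headers and audit a CSP value.
// Header values below are illustrative defaults, not helmet's own.

// Build a Content-Security-Policy value from a directive -> sources map.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(" ")}`)
    .join("; ");
}

// Parse a CSP value back into a directive -> source list map.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

// Report sources that let injected content execute, and a missing fallback.
function weakCspDirectives(policy) {
  const risky = new Set(["'unsafe-inline'", "'unsafe-eval'", "*", "data:"]);
  const parsed = parseCsp(policy);
  const findings = [];
  for (const [name, sources] of Object.entries(parsed)) {
    const hits = sources.filter((s) => risky.has(s));
    if (hits.length > 0) findings.push(`${name}: ${hits.join(" ")}`);
  }
  if (!("default-src" in parsed)) findings.push("default-src: missing");
  return findings;
}

// Headers comparable to those helmet sets; values chosen for this example.
function securityHeaders(cspDirectives) {
  return {
    "Content-Security-Policy": buildCsp(cspDirectives),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
  };
}

// Apply the headers to anything with setHeader(), e.g. an Express `res`.
function applySecurityHeaders(res, cspDirectives) {
  const headers = securityHeaders(cspDirectives);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

// Constructed sample policies: a strict one and a permissive one.
const strictPolicy = { "default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example.com"] };
console.log(weakCspDirectives(buildCsp(strictPolicy)));                     // []
console.log(weakCspDirectives("script-src 'self' 'unsafe-inline'; img-src *"));
```

In an Express app the `applySecurityHeaders(res, strictPolicy)` call belongs in a middleware that runs before any route handler.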

Cross-Site Request Forgery (CSRF)

In this attack, a malicious source causes the user’s browser to perform unwanted actions on a website in the name of the currently logged-in user (e.g. editing or deleting data, creating posts).