Web security related resources
OWASP: Top Ten Critical Security Risks
Top 10 list of the most important web application security weaknesses. It also provides basic techniques to protect against these high risk problem areas. Some of those are explained in detail in the links and references below.
Article: Starting Up Security
A good introduction to company code and infrastructure security measures, not only for startups
Article: Security Breach 101
How to react calmly and work through the necessary steps after things have gone south and you have been attacked. I hope you’ll never need it, but I highly recommend having a written process for handling security breaches before one happens.
Find known vulnerabilities in packages and frameworks.
CVE Security Vulnerability Database
General database of security vulnerabilities, exploits and references. You can search by product name, attack type, or CVE identifier (Common Vulnerabilities and Exposures).
Article: Checking for vulnerable Node.js modules
Describes tools to detect outdated/vulnerable packages and how to automate these steps in your build process
Get badges for your GitHub project, find outdated or vulnerable Node.js dependencies
Checks outdated dependencies in your GitHub project for different languages (commercial)
Requires.io keeps your Python projects secure by monitoring their dependencies (commercial)
Integrate checks against the Node Security Project's advisories into your deployment process, including module code audit (commercial, beta)
Database security settings
- Security in MySQL
- Article: MongoDB - Security Weaknesses in a typical NoSQL database
- PDF: MongoDB at risk
Students of the Center for IT-Security, Privacy and Accountability found several thousand MongoDB instances reachable on the Internet without any access control
- MongoDB Security Tutorials
- CouchDB – The Definitive Guide: Security
Secure communication: TLS
- How To Migrate To HTTPS
This document describes a series of steps you can follow to gradually migrate a small or large web site from HTTP to HTTPS.
Obtaining TLS certificates
A free and open Certificate Authority by Mozilla, Akamai, Cisco and the EFF, arriving mid-2015
ioerror/duraconf: Getting a free certificate
If you use this guide to generate a free certificate at StartSSL, generate the key pair and certificate signing request with the following command (the original description is somewhat outdated). Note that -nodes writes the private key to disk unencrypted, so restrict the file's permissions:
openssl req -new -newkey rsa:4096 -sha256 -keyout example.com.key -nodes -out example.com.csr
Buy SSL certs from the command line.
(Just a few examples, there are lots of different Certificate Authorities and vendors.)
Configuring your server, installing certificates
Assuming you have full administrative rights on your server, the following links help you get your TLS certificate up and running. If you don’t, ask your hosting provider whether it offers TLS as well.
Mozilla SSL Configuration Generator
Generates the SSL configuration for Apache, nginx or HAProxy with the cipher suite combination best matching your server version and supported browsers
ioerror/duraconf: Secure configuration settings
Secure configuration settings for Apache, GnuPG, IIS, Lighttpd, nginx, postfix and sshd
Article: Adding an (SHA256 signed) SSL certificate
Remy Sharp goes through the process of installing a new SSL certificate
Article: 19.5% of HTTPS sites trigger browser warning as they use SHA-1 signed certificates
Why you should update your certificates if they still use a SHA-1 signature
Test your site’s certificate and configuration, your browser’s SSL implementation and learn how to deploy SSL/TLS correctly
Public Key Pinning
Security feature that binds your web server to a specific public key (a hash of the certificate's SubjectPublicKeyInfo), so that a certificate for your domain issued to someone else, e.g. after a CA compromise, is rejected by browsers that have seen the pin before. This prevents "Man In The Middle" attacks with forged but otherwise valid certificates. Pinning is unforgiving: losing the pinned key without a pinned backup key locks users out until the pin expires.
Safer interaction with the browser
OWASP: HTML5 Security Cheat Sheet
A good overview of how to handle HTML5 features such as Web Sockets, Storage APIs, Web Workers and iframes safely. Also lists some useful HTTP headers to enhance security.
Talk: In the DOM, no one will hear you scream
Express: Set various security headers for your application (including Content-Security-Policy, HTTP Strict Transport Security, X-Frame-Options, XSS-Filter)
Application security for Express apps
Cross-Site-Scripting (XSS) prevention
Cross-Site Scripting is an attack in which foreign (potentially malicious) script is executed in the context of your website, because untrusted input reaches the page without proper output encoding. Such script can read cookies and security tokens, exfiltrate all sorts of user data, and alter the content and functionality of your website as the victim sees it.
- html5sec.org (GitHub)
Extensive list of XSS vector examples and the browsers they affect. The GitHub repository contains links to further tools, file upload tests, feed reader XSS tests, etc.
Article: Finding Zero-Day XSS Vulns via Doc Metadata
XSS attacks can also originate where you would not expect them at first, for example in the metadata of files uploaded to your website (e.g. EXIF data stored in photos) that is later rendered unescaped.
OWASP: XSS Filter Evasion Cheat Sheet
Test your XSS filtering with this list of different injection methods
HTML filtering implementation in PHP
HTML filtering implementation in Java and .NET
jPurify is a plug-in based on DOMPurify that automatically adds XSS-safety to jQuery. Early release.
The Content-Security-Policy HTTP header is an allowlist of the sources from which each content type (scripts, stylesheets, images, web fonts, …) may be loaded on your website. It helps prevent execution of injected code (e.g. from an XSS attack) even when output encoding has failed somewhere, but it is a second line of defence, not a replacement for it: a policy that allows 'unsafe-inline' scripts provides little protection.
CSP Is Awesome
Generate a Content-Security-Policy header
hapi.js: A plug-in that makes Content-Security-Policy headers easy
Very simple Content Security Policy manager for Node.js
Cross-Site Request Forgery (CSRF)
In this attack, a malicious site causes the victim’s browser to send requests to your website that carry the victim’s session cookies, so the requests look as if they came from the currently logged-in user and can perform unwanted actions on their behalf (e.g. editing or deleting data, creating posts). The usual defence is a secret token the attacker’s page cannot read, checked on every state-changing request.
Express: CSRF protection middleware
hapi.js: CSRF crumb generation and validation