Table of Contents
Open Source !== Secure
It’s imperative to trust the vendors of your dependencies when using third-party packages in your development process. Developers tend to trust the idea of open-source software as ‘they can check the source’. However, there’s no guarantee that the source code visible online is actually the code downloaded into your system as a dependency.
With this in mind, it’s critical to ensure that you trust the vendors of your dependencies. Some companies prefer to only play with the huge players in the game, and will only with full-fledged frameworks that can offer most of the functionality that a website would ever require, such as jQuery, React, and Angular.
The downside to this approach however is that you often end up downloading more than you actually need and a user will end up downloading 400kb of files that they don’t need every request (depending on caching). – To assist with this, packages are being split, for example, jQuery has been shrunk massively in recent times, and jQuery core is now a thing.
Cross-Site Scripting (XSS)
If XSS issues are not resolved, they can result in malware spreading, account tampering, data theft, and even remote control over a user’s browser. There are many ways to remedy XSS, including escaping data, validating input, and sanitizing.
But to ensure your site is protected from this, you should stick to other security practices. OWASP, (Open Web Application Security Process), in an online community that offers free tools, tech, and code in regards to web application security.
Always use TLS certificates for communication with servers
When communicating with a server, it’s crucial that you use “https” to secure your information. A “Http” certificate is installed on the server itself and allows secure information transfer between your website (the client), and the functionality that processes your information (the server).
When using an “Http” certificate, a handshake is done between the client and server, ensuring that the correct encryption keys are used to secure the data between client and server. The client uses a public encryption key to encode the information sent which is in turn sent to the server, which uses a private decryption key that only the appropriate servers should have in order to turn the encrypted information back into a readable format.
Certificates are not a new thing, and many sites still have SSL certificates set up. Unfortunately, these are no longer considered secure and even if a website is set up with certificates, you should ensure that you are using TLS version 1.2 at minimum.
Avoid URL Injection
URL Injection occurs when a programmer/hacker has produced/injected brand new pages or assets on an already existing website. These pages can usually contain specific code that reroutes users to a different site or can potentially involve the business in attacks against other sites. These injections can be made through malware and software vulnerabilities, unsecured directories, or plug-ins.
Google’s Search Console is a possible way of identifying these pages, but nothing will beat manually checking. As soon as the affected pages have been identified, the pages should be changed to either protect the URL’s vulnerability, or the data source moved to something better for data transfer, like cookies or sessions. To prevent URL injection happening, you should protect your site with an adequate Firewall or use a gateway to route traffic on your website, this could act as a blanket to avoid any potential mishaps.
Use CORS Headers
Headers are parts of the packet of data transmitted in web technologies and are attached to every request to and from a server. Headers are used to describe requests and responses and often contain additional information related to the request, such as information about the current user or the menu items to display.
On a website, requests are made to many assets as each page loads, examples of which include a font, image, audio, etc. CORS (Cross-origin resource sharing), are headers you are able to create yourself which specifically defines the sources requesting information and checks if it is authorized to reference the resources of your website.
This means that servers must execute ways to manage any requests from outside sources from the origin. – In short, it will ensure that your google fonts always come from Google, and not from any nasty third parties trying to redirect your requests!