Top tips for secure web applications
I am looking for easy steps that are simple and effective in making a web application more secure.
What are your top tips for secure web applications, and what kind of attack will they stop?
Microsoft Technet has en excellent article:
Here are the topics for the tips answered in that article:
- Never Directly Trust User Input
- Services Should Have Neither System nor Administrator Access
- Follow SQL Server Best Practices
- Protect the Assets
- Include Auditing, Logging, and Reporting Features
- Analyze the Source Code
- Deploy Components Using Defense in Depth
- Turn Off In-Depth Error Messages for End Users
- Know the 10 Laws of Security Administration
- Have a Security Incident Response Plan
Do not trust user input.
Validation of expected data types and formatting is essential to avaoiding SQL injection and Cross-Site Scripting (XSS) attacks.
- Escape user provided content to avoid XSS attacks.
- Using paremeterised SQL or stored procedures to avoid SQL Injections attacks.
- Running the webserver as an unprivileged account to minimise attacks on the OS.
- Setting the webserver directories to an unprivileged account, again, to minimise attacks on the OS.
- Setting up unprivileged accounts on the SQL server and using them for the application to minimise attacks on the DB.
For more in depth information, there is always the OWASP Guide to Building Secure Web Applications and Web Services
Some of my favourites:
- Filter Input, Escape Output to help guard against XSS or SQL injection attacks
- Use prepared statements for database queries (SQL injection attacks)
- Disable unused user accounts on your server to prevent brute force password attacks
- Remove Apache version info from HTTP header (ServerSignature=Off, ServerTokens=ProductOnly)
- Run your web server in a chroot jail to limit damage if compromised
OWASP is your friend. Their Top Ten List of web application security vulnerabilities includes a description of each problem and how to defend against it. The site is a good resource for learning more about web application security and is a wealth of tools and and testing techniques as well.
Set the secure flag on cookies for SSL applications. Otherwise there is always a highjacking attack that is much easier to conduct than breaking the crypto. This is the essence of CVE-2002-1152.