Sunday, December 16, 2018

Web-Site Security considerations



There are many factors to consider if you want to publish a secure web site or web site pages. Especially if it is to support business functions and expose it internally or externally.

The following considers using ASP.NET Core 2.1, but is equally relevant for Java Server pages.

You have to implement at least the following.

1. A secure method for users to log in. Passwords that are stored on the server should be non readable and encrypted. (So even system admins can not see it). You can create a hashed storage for the password. Add a "salt" so equal passwords are not stored the same. 

2. Encrypting with a secret code that is not part of code you check in and should not be stored in a configuration file on the server.

3. Using access tokens after login and use required authorization on pages. When a user is not logged in it forces the Web-app to go to a login page.

4.  You must implement a Role based authentication system. Otherwise malicious users/hackers can use their token to randomly query your API.

5. Using HTTPS to encrypt all traffic between client and server.

6. Using a strategy to implement CORS (cross-origin requests). See https://docs.microsoft.com/en-us/aspnet/web-api/overview/security/enabling-cross-origin-requests-in-web-api. Only allow origins from the web server serving your HTML pages. Not from random clients. Store dev , test and prod origins in confugurations on the API server.

7. Adding a certificate to your site.

8. And finally there are infrastructural measures you have to implement before people get to your server like firewalls, proxy servers etc.

After all have been implemented it is important to perform a penetration test, preferably by experts in the field. 













No comments: