Important validations during HTTP request/response
What are the important Validations/Process开发者_C百科ing which can be done during the http request/response to protect web application from vulnerablities like cross site scripting cross site request forgery and any other security attacks?
There are tons of books on the topic which essentially boil down to garbage in, garbage out. Things to consider:
- Validate all input for malicious markup
- Escape strings before they go into a processing system like an SQL server
- Don't allow any vector for server or client side code injection
eval()
overuse - Bind sessions to IP addresses to catch session hijacking
- Use SSL if required and ensure users are aware of the risks
- Limit attempts on passwords, and don't indirectly expose information ie "We have your username, but the password is incorrect"
- Use signed cookies
- Only include source from trusted and verifiable third parties
- Use "I am human" verification such as a Captcha
- Be aware of spiders crawling through your site
The list goes on and on, and for every new technology you get more things to consider. Bottom line, have a security attitude that looks at things like an attacker would. How would you crack your own site? If you can't answer that, you need help from somone who can or read some books.
精彩评论