Defend Your Cookies with Essential Web Security Tactics

Evergreen

🌳

Last tended Feb 08, 2020

Web Development

Illustrated Notes

Between IoT botnet attacks, Bitcoin ransomware, and the weekly cadence of high-profile data breaches, doing anything on the internet feels like playing Russian Roulette.

And that's just for normal people using it.

If you're a developer, you're partially responsible for protecting all those normal people from the horrors of whatever

LulzSec

are up to right now. The least you can do is make sure your website isn't an accessory to their nefarious activities.

Thankfully, you do not have to brave the black hat darkness alone.

Mike Sherov

made an

egghead

course that covers a whole series of web security essentials

Course illustration of objects in 3D space

I am (thankfully) not responsible enough for anyone to put me in charge of security for an important website. But I was still curious.

I wanted to know what the current landscape of internet risk looks like. How, exactly, is LulzSec going to hack into my mainframe in 2020?

Here's my illustrated notes from Mike's course that should give you a big picture overview of what to should look out for.

Web security essentials - Let's look at three common attacks

Turns out there's a small set of fairly well-known and easy to defend attacks that we can protect ourselves from:

Man in the Middle (MITM)
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)

Shielding yourself from these three is a great starting point. It's at least enough to keep the

script kiddies

out.

First, man in the middle is a piece of software that intercepts data between a client and a server

If this connection is over HTTP all your data packets are readable cleartext. Anyone on the network can use a packet sniffer to see your data. Instead we use HTTPS to encrypt packets.

How to protect yourself. Use HSTS headers. Require HTTPS everywhere. Redirect HTTP to HTTPS

Cross-site request forgery is an attack that tricks the user into visiting a malicious site while they're already logged into a trusted site

This is possible because browsers send cookies between sites by default. How to protect yourself. Cookies come with a 'sameSite' property that prevents them from being passed between sites. Set it to 'lax' or 'strict'

Cross-site scripting is an attack that injects malicious code into a trusted site. This can happen is the site allows user input to appear on the page without validating or encoding it. Protect yourself with a content security policy which manages which types of resources are allowed to load and where

Keeping out this trio of attacks will go a long way.

If (unlike me) you are responsible enough to be in charge of security for a moderately-sized website, it might be worth double checking you have these protections in place.

Better safe than sorry. Especially when sorry means you end up on the front page of Hacker News in this week's edition of obviously preventable security breaches.

The fully illustrated notes on web security essentials

Want more illustrated notes on web development?

Take a look at

Testing Apps with Cypress

The JAMStack, Gatsby & Contentful

A Fresh Serving of JavaScript ES2019

Linked References

The Art and Craft of Gatsby Themes

More illustrated notes, this time on Gatsby themes . They're one of the newer features in Gatsby.js – little building blocks of site functionality you can mix n' match n' share on NPM. Chris…

Speaking the GraphQL Query Language

GraphQL is undoubtedly one of the popular kids on the Web Development playground right now. If you haven't heard of GraphQL, the TLDR is that it's a new way to request data from an API. If you're…

Instachatting with Vue & Socket.io

The intantness of chat apps has always been a mystery to me. The technical details of moving emojis through The Internet Pipes and across continents in 0.004 miliseconds is well beyond my paygrade…

Want to share?

Tell Twitter About It