It’s crucial now, more than ever, to ship web applications with strong protection against attacks. To fully secure a web application, you need to secure each individual component: the front-end, the back-end, and the server on which it is running.
Here are some general aspects that you should consider before deploying your application in 2021.
Although we can write code by following guidelines and sticking to best practices, there may still be things we overlook, and that’s okay because we’re only human.
Therefore, we can take the application’s security one step further and use tools that can help us by scanning our code.
There are many tools nowadays that we can use and even integrate into our pipelines to perform an audit against our code.
They range from simple tools, such as those that check the application’s dependency graph against a database of known vulnerabilities, up to more complex ones that perform IAST (Interactive Application Security Testing) by instrumenting the built application with agents while it runs in a test environment.
Regardless of which one you choose to use, a tool like this, even the simple ones, can be a great benefit in terms of your application’s security.
On top of this, such tools also help with the dependencies we use. The app is made of the code that we write plus the dependencies that we pull in, so we must keep those dependencies secure and up to date as well.
Prevent Injection Attacks
To be precise, I mean the following types of attacks: SQL & NoSQL Injection, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS).
SQL & NoSQL Injection
SQL & NoSQL Injection has been one of the most common types of attack for years, and it still does severe damage today.
This type of injection attack happens when an attacker places valid query code inside a request payload, and the host then runs that code without intending to.
For example, someone might submit a fragment of SQL in the username or password field at login, causing the application to authenticate them as an administrator.
Similar to SQL or NoSQL Injection, we have Cross-Site Scripting, or XSS. Whereas the former happens at the back-end and database level, XSS occurs on the client side.
Both types of attack can be addressed by validation and sanitization: validate inputs so that values which would also be valid code are detected and rejected, and sanitize whatever you do accept before using it.
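As an added example (not code from the original article), here is the login lookup described above written both ways in Python with the standard-library sqlite3 module: once with the username pasted into the SQL text, and once with a bound parameter. The user table, the user `alice`, and her password are constructed for the demo; the password hash is compared in Python rather than inside the query.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000


def setup_db() -> sqlite3.Connection:
    # Constructed in-memory user store with one account (demo data only).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, ITERATIONS)
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)", ("alice", salt, pw_hash)
    )
    return conn


def _check_password(row, password: str) -> bool:
    # Constant-time comparison of the derived key against the stored hash.
    if row is None:
        return False
    _, salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def login_vulnerable(conn, username: str, password: str) -> bool:
    # The username becomes part of the SQL text, so whatever the client sends
    # is parsed as query syntax rather than treated as data.
    query = f"SELECT id, salt, pw_hash FROM users WHERE username = '{username}'"
    row = conn.execute(query).fetchone()
    return _check_password(row, password)


def login_parameterized(conn, username: str, password: str) -> bool:
    # Placeholder binding: the driver passes the value separately from the
    # statement, so quotes or keywords in it cannot change the query's shape.
    row = conn.execute(
        "SELECT id, salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return _check_password(row, password)


def input_changes_statement(conn, username: str) -> bool:
    # True when the concatenated query no longer parses: evidence that the
    # input was interpreted as SQL. The parameterized version never does this.
    try:
        login_vulnerable(conn, username, "")
        return False
    except sqlite3.OperationalError:
        return True
```

A username such as `O'Brien` is enough to show the difference: the parameterized lookup simply finds no such user, while the concatenated one fails to parse.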
Cross-site Request Forgery
Last but not least, we have CSRF. This one is similar to XSS, but here the attacker tries to force or trick you into making a request you did not intend, for example by sending you a link that makes you involuntarily change your password, send a message, withdraw money, and so on.
You can mitigate these attacks with the help of a token. Each request that hits your API must carry a token that proves it originates from your front-end application and not from somewhere else.
Improve server security
Securing the application itself is the first step; however, we must also create security layers on the server on which we run the application.
Here is a short list of things to consider:
- Rate limit requests: an average user only makes a few requests per second, so if you see someone making hundreds of requests in a short amount of time, it could be a hacker trying to bring the application down. Limit the number of requests each IP can make, and if the limit is exceeded, block that IP for a short time.
- Add a firewall: block the unused ports of your server and only allow the necessary ones with the help of a firewall.
- Create backups: things can go south for no apparent reason, so make sure you back up your server, or at least its data.
- Restrict privilege: don’t let anyone do what they want on the server or in the database. Don’t use admin/root accounts; instead, create separate accounts with restricted roles and use those.
No application will be 100% secure, but by following the right steps and with the right actions, we can mitigate most of the attacks and reduce the damage of those that succeed.