
Web Security Crash Notes #151

Open
reboottime opened this issue Jul 24, 2023 · 3 comments


reboottime commented Jul 24, 2023

References


reboottime commented Jul 24, 2023

What is a security attack and its impact

  • The impact of a security vulnerability: it affects both the users (e.g. leaked personal info, being misled to a malicious site) and the business, due to the lost trust of users.
  • What is a security attack: when a malicious party uses vulnerabilities or a lack of security features to their advantage to cause damage, it is called an attack.
    • Active: breaks the app directly: DDoS, using a false identity, via data in transit
    • Passive: the attacker tries to collect or learn information from the application but does not affect the application itself.

Data transit illustration: [image]

Some Basics

  • Definition of origin: [image]
  • Definition of site: a combination of scheme and top-level domain. For example, given a URL of https://www.example.com:443/foo, the "site" is https://example.com.

Security headers

https://web.dev/security-headers/
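The origin/site distinction above is easy to get wrong in practice, so here is an added example (not part of the issue) that computes both for a URL and classifies a pair of URLs as same-origin, same-site or cross-site. It uses only the WHATWG URL class available in browsers and Node.js. Assumption: the "site" is approximated as scheme plus the last two labels of the host name; real browsers consult the Public Suffix List, which this example does not embed.

```javascript
// Added example: origin vs. site of a URL, following the definition in the notes
// (site = scheme + registrable domain). Not code from the issue.
//
// ASSUMPTION: registrableDomain() keeps only the last two DNS labels. Browsers
// use the Public Suffix List instead (so "foo.github.io" is its own site); that
// list is not embedded here.

function originOf(urlString) {
  // origin = scheme + host + port; the URL parser drops default ports (443, 80)
  return new URL(urlString).origin;
}

function registrableDomain(hostname) {
  // IPv4 literals and bracketed IPv6 hosts have no registrable domain
  if (/^[\d.]+$/.test(hostname) || hostname.startsWith('[')) return hostname;
  const labels = hostname.split('.').filter(Boolean);
  return labels.slice(-2).join('.');
}

function siteOf(urlString) {
  const u = new URL(urlString);
  // u.protocol already carries the trailing colon, e.g. "https:"
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// Classify how two URLs relate, strongest relation first.
function classify(a, b) {
  if (originOf(a) === originOf(b)) return 'same-origin';
  if (siteOf(a) === siteOf(b)) return 'same-site';
  return 'cross-site';
}

// The URL from the notes plus a few constructed variations.
const PAGE_URL = 'https://www.example.com:443/foo';
const OTHER_URLS = [
  'https://www.example.com/bar',       // 443 is the default port: same origin
  'https://api.example.com/v1',        // other subdomain: same site only
  'https://www.example.com:8443/foo',  // other port: same site only
  'http://www.example.com/foo',        // scheme differs: cross-site
  'https://example.org/',              // other registrable domain: cross-site
];

for (const other of OTHER_URLS) {
  console.log(`${classify(PAGE_URL, other).padEnd(12)} ${other}`);
}
```

The port case is the one worth remembering: the origin includes the port, the site does not, which is why cookies (scoped by site) flow to a service on another port while scripts (scoped by origin) cannot read its responses.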


reboottime commented Jul 24, 2023

Secure connection via HTTPS

Some common terms you may see in the browser

  • Mixed content occurs when the initial HTML is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection.

Why HTTPS matters

  • HTTP vs HTTPS:
    • HTTPS: the communication between sender and receiver is encrypted
    • HTTP: the communication between sender and receiver is in plain text

[image]

HTTPS practices for a web dev

This article talks about enabling HTTPS on your server.

  • Tell the browser that you prefer using HTTPS
  • Use intrasite URLs, for example: //example.com/settings.js
  • Redirect HTTP to HTTPS to tell the browser that your website prefers HTTPS over HTTP; here is some sample code:
<!DOCTYPE html>
<html>
  <head>
    <link rel="canonical" href="https://www.example.com/blog/example-blog-post" />
    <!-- Other meta tags, CSS, JavaScript, etc. -->
  </head>
  <body>
    <!-- Content of the blog post page 1 -->
  </body>
</html>
  • Secure cookies
    • Max-Age
    • HttpOnly
    • SameSite
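The three practices in this comment (announce the HTTPS preference and redirect HTTP to HTTPS, hunt down mixed content, set cookies with the right attributes) are small enough to show together. The following is an added example, not code from the issue: plain Node.js helpers with no framework. The function names, the two-year HSTS max-age and the sample HTML are this example's own choices, not a library API or real site.

```javascript
// Added example, not from the issue: HTTPS hygiene helpers for a web dev.
// Names, option shapes and sample values are constructed for illustration.

const HSTS_MAX_AGE = 63072000; // two years in seconds (example value)

// Response for any request that arrives on the plain-HTTP listener.
function httpsRedirect(hostHeader, requestPath) {
  // Drop a port from the Host header; the HTTPS listener has its own.
  const host = hostHeader.replace(/:\d+$/, '');
  return { status: 301, headers: { Location: `https://${host}${requestPath}` } };
}

// Headers the HTTPS listener adds to every response. HSTS is only honoured
// when received over HTTPS (RFC 6797), so it belongs here, not on the redirect.
function httpsSecurityHeaders() {
  return {
    'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE}; includeSubDomains`,
    // Tell the browser to fetch any http:// subresource over https:// instead,
    // which neutralises mixed content left in old markup.
    'Content-Security-Policy': 'upgrade-insecure-requests',
  };
}

// Build a Set-Cookie header value carrying the attributes the notes list.
function secureCookie(name, value, { maxAge, sameSite = 'Lax', path = '/' } = {}) {
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  // Secure: never sent over plain HTTP. HttpOnly: invisible to document.cookie,
  // so script injection cannot read it. SameSite=None is only legal with Secure,
  // which is always present here.
  parts.push('Secure', 'HttpOnly', `SameSite=${sameSite}`);
  return parts.join('; ');
}

// Find subresource URLs that would be mixed content on an HTTPS page.
// Only src/href on resource-loading tags count; <a href="http://..."> is a
// navigation, not mixed content. Deliberately regex-based for brevity; a real
// checker would use an HTML parser.
function findMixedContent(html) {
  const re = /<(?:img|script|iframe|video|audio|source|link)\b[^>]*?\s(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Constructed sample page: one insecure stylesheet, one insecure image,
// one protocol-relative script (fine: it inherits https) and one plain link.
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="//example.com/settings.js"></script>
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://example.com/about">About</a>
</body></html>`;

console.log(httpsRedirect('example.com:8080', '/settings?x=1'));
console.log(httpsSecurityHeaders());
console.log(secureCookie('sid', 'abc 123', { maxAge: 3600, sameSite: 'Strict' }));
console.log('mixed content:', findMixedContent(SAMPLE_HTML));
```

The protocol-relative `//example.com/settings.js` from the notes is left alone by `findMixedContent` because it inherits the page's scheme; the two `http://` subresources are what a browser would block or warn about.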


Preventing XSS on your website

reboottime changed the title from "Web Security Crash Notes for interview" to "Web Security Crash Notes" on Jul 24, 2023