Web Security @ OWASP

Web Security Focused Application Security Pages

Web Application Security

Web application security is a huge field, but a few common concepts are especially important.

Perhaps the single most important web security concern is what code gets executed in the browser. Applications that do not properly encode data for the browser can inadvertently allow attackers to run arbitrary code through cross-site scripting (XSS) vulnerabilities. No matter what language or framework you are working in, if you are building a web application you should familiarize yourself with the idea behind cross-site scripting and ensure that your application takes the fundamental step to avoid it: encoding output.

What is output encoding? Output encoding is the difference between a literal less-than sign (<) and the beginning of a tag, for example <script>. What we want is for the browser to render the less-than sign as text. What we do not want is for the browser to treat the less-than sign as a signal that code is present and evaluate it. Note that encoding rules are complicated and differ depending on where in the document the data lands (an HTML attribute versus the HTML body, for instance).
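The following is an added example, not code from the OWASP page, showing why the encoding rules differ by context: one encoder for HTML body text, a stricter one for attribute values, and a small template that applies each in the right place. The names `encodeForHtmlBody`, `encodeForHtmlAttribute` and `renderComment` are the example's own.

```javascript
// Added example: context-aware output encoding for untrusted data.
// Assumes a server-side template that builds HTML as a string.

// HTML body (element text) context: the five characters that can start
// markup or break out of a quoted value are replaced with entities.
const HTML_BODY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};

function encodeForHtmlBody(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_BODY_MAP[c]);
}

// HTML attribute context: the conservative rule is to encode every
// character except [A-Za-z0-9] as a hex entity, so that even an
// unquoted attribute cannot be terminated by a space or "=".
function encodeForHtmlAttribute(value) {
  return Array.from(String(value))
    .map((ch) => (/^[A-Za-z0-9]$/.test(ch)
      ? ch
      : `&#x${ch.codePointAt(0).toString(16)};`))
    .join('');
}

// Unsafe version: untrusted data is interpolated directly, so a value
// containing "<script>" is evaluated by the browser instead of displayed.
function renderCommentUnsafe(author, text) {
  return `<div class="comment" title="${author}">${text}</div>`;
}

// Safe version: each value is encoded for the context it is placed in.
function renderComment(author, text) {
  return `<div class="comment" title="${encodeForHtmlAttribute(author)}">`
    + `${encodeForHtmlBody(text)}</div>`;
}

// Self-check usable as a unit test: the encoded output must no longer
// contain a tag opener or an un-encoded quote inside the attribute.
function looksSafe(html) {
  return !/<script/i.test(html) && !/title="[^"]*"[^>]*on\w+=/i.test(html);
}

// Constructed sample input (not real user data).
const author = 'x" onmouseover="alert(1)';
const text = '<script>alert(document.cookie)</script>';
console.log(renderCommentUnsafe(author, text)); // tag and handler survive
console.log(renderComment(author, text));       // both are neutralised
```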

Browsers are part of the picture too. Browsers have the ability to help us protect ourselves from malicious code and some other types of security problems if we ask them properly. This is where security-related HTTP headers come in. By sending security headers in the response we signal to the browser how we want the content of the page to be treated.

Resources

Support or Contact

Having trouble with the developer pages? Help us update them or [email protected] and we’ll help you sort it out. See something wrong? Get involved and help us fix it!