SafeGuard your WebApplication from cyber-attacks by Strengthening the WebServer

Mohammed Vaghjipurwala
4 min read · May 10, 2020

Web servers play an extremely important role, and all of us are aware of the critical impact they have on any web project. In addition to safeguarding the application itself, it is good practice to secure every network component that is involved in the development process. Web servers are the first line of defense for any web application; they form an integral part of project development, and it is always a safe practice to harden those servers so that they are not vulnerable to cyber-attacks.

To safeguard your web application, the OWASP Top 10 is a great starting point.

The majority of these threats can be avoided by adding more security to the web server.

To demonstrate this, I have used NGINX WebServer with a sample HTML Page. At this point, there is no security added at the WebServer layer. As a result, the security report will give an F-grade.

Security Report before adding security

Below is the list of vulnerabilities found in the report:

  • SQL Injection
  • Missing Headers
    - X-Frame-Options
    - Strict-Transport-Security
    - X-XSS-Protection
    - X-Content-Type-Options
    - Content-Security-Policy
    - Referrer-Policy
    - Feature-Policy
    - X-Permitted-Cross-Domain-Policies
  • Nginx version disclosure
  • Some SSL-related vulnerabilities
    - No SSL certificates installed
    - Insecure SSL protocols enabled
    - Insecure SSL ciphers enabled

I added the Nginx headers below to resolve the majority of the above-listed vulnerabilities.

The same headers can be configured in Tomcat as well. The value of each header can be adjusted to the web site's requirements. Refer to the URL below for more details.
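As an added example (not the author's original configuration, which is not reproduced on this page), the following nginx server block sets every header from the missing-headers list, hides the nginx version and restricts TLS to current protocols and ciphers. The hostname, certificate paths, document root and header values are assumptions to be tuned per site.

```nginx
# Added example: an nginx server block that addresses the findings listed above.
# example.com, the certificate paths and the document root are placeholders.
server {
    listen 443 ssl http2;
    server_name example.com;

    # Fixes "No SSL certificates installed" (paths are placeholders)
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    # Fixes "Insecure SSL protocols/ciphers enabled": TLS 1.2+ and AEAD suites only.
    # TLS 1.3 suites are chosen by nginx itself and are not listed here.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Fixes "Nginx version disclosure": Server header and error pages show only "nginx"
    server_tokens off;

    # Fixes "Missing Headers". The "always" flag also sends them on 4xx/5xx responses.
    # Caveat: any add_header inside a location block replaces ALL of these for that
    # location, so repeat the full set there or keep them at one level only.
    add_header X-Frame-Options "DENY" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Feature-Policy "geolocation 'none'; microphone 'none'; camera 'none'" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;

    root  /var/www/html;   # placeholder document root for the sample HTML page
    index index.html;
}

# Redirect plain HTTP to HTTPS so browsers only ever see the HSTS header over TLS
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

After reloading nginx, `curl -sI https://example.com/` should show each header once; a missing one usually means a location block with its own add_header has overridden the inherited set.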

After implementing all the security headers on the web server, it scored an A grade from a security perspective.

Security Report post implementing headers

Bonus Tips for Secure Coding

  • Automate Security Functions

An automated check on the application at the completion of every development stage would help in a big way. The automation process can be used to test the web application for its performance, and it can also be tested for vulnerability to cyber-attacks.

  • Simulate a security attack and test for stability

A good practice in an organization would be to simulate a security attack and validate how the web application performs. This would help the developers to tackle such a situation beforehand, while coding.

  • Monitor All Traffic (Inbound & Outbound)

Nowadays the volume of data transmitted over the network is humongous, hence it's crucial to identify suspicious traffic and block it immediately. This is best done by setting up firewalls, frequently testing the abilities of those firewalls, and designing methods to improve their performance.

  • Encrypt all data

Web protocols are used to exchange data between the web client and the server. HTTPS, the most secure of these protocols, should be used so that the data is transmitted encrypted.

  • Be updated about new types of vulnerabilities

Ignorance may be bliss, but it's pretty risky in some situations. Hence, keeping yourself updated on the latest vulnerabilities and the means to tackle them is a good practice to protect your applications from attack or unanticipated failure.

  • Focus on Key Threats

Though keeping track of the latest types of threats will surely help, it is good practice to focus more on the key threats that require continuous monitoring. Sometimes a problem that we heard about earlier and solved can come up again and throw a different type of challenge at us as a surprise!

  • Formulate a strategy and document your solutions

This is an extremely important practice. As a knowledge base, document your study of either a persisting problem or a new problem, along with your solution for it. The approaches used and the troubleshooting procedure can be very useful at critical junctures.

“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” -Stephane Nappo

Happy Coding !!!
