5 Easy Wins for Web Application Security

Web application security is a complex and dynamic field of cybersecurity. Fortunately, there are a few things that you can do to bring quick and measurable improvements to your web application security posture.

5 Easy Wins for Web Application Security

Win #1: Enforce Secure HTTPS Communication with HSTS

Nearly all modern websites and web applications use HTTPS to ensure secure communication and authenticate the server. However, simply serving HTTPS pages does not guarantee that HTTPS will always be used. To prevent attackers from downgrading the connection to a less secure protocol, you can configure HTTP Strict Transport Security (HSTS).

The Strict-Transport-Security HTTP response header allows the web server to indicate that content from the requested domain will only be served over HTTPS. By adding this header, you can guarantee secure and encrypted communication and eliminate plain HTTP connections.

When implementing HSTS, you need to be careful to avoid configuration errors that could make your site inaccessible or allow attackers to downgrade HTTPS connections. Invicti checks for missing and incorrect HSTS headers.

For more information, read Why Websites Need HSTS.

Win #2: Mitigate XSS Threats with Content Security Policy (CSP)

Attacks such as cross-site scripting (XSS) and clickjacking often rely on loading scripts from an untrusted source. By adding suitable Content-Security-Policy headers and directives to your web pages, you can specify permitted content sources to prevent many attacks. CSP also includes features that improve code security, for example by disallowing inline code.

Implementing CSP for new sites and applications is relatively straightforward and the main challenge is to define policies that provide maximum security without hindering access. In extreme cases, badly configured CSP headers can block legitimate content or open the way to attacks. For legacy sites where inline code is still used, you may need to add temporary exceptions so you don’t break the existing site. Invicti checks for the presence and correctness of CSP headers in the websites it scans.

For detailed information, see Using Content Security Policy to Secure Web Applications.

Win #3: Use the Right Combination of HTTP Security Headers

While HSTS and CSP headers are a must for any secure website, there are many other HTTP headers that can be configured to improve security without changing code. These include:

  • X-Frame-Options: Controls when the page can be loaded into an iframe. To prevent clickjacking attacks, you can block all attempts, allow for requests from the same origin, or allow only for specific URLs.
  • Content-Type: Specifies the content type. All HTTP requests and responses should set the correct content type to avoid CSRF and content type sniffing attacks.
  • X-Content-Type-Options: Specifies how Content-Type headers are treated. The only directive is nosniff to protect from MIME sniffing attacks and force the browser to strictly observe the content type specified in headers.
  • Referrer-Policy: Controls how much referrer information is revealed to the web server. To prevent referrer information from being leaked across domains, you can specify if and how much information should be revealed.

Many of these can be implemented not just in server headers but also in page meta tags. This makes it possible to improve security without changing the web server configuration.

For detailed information, see our whitepaper on HTTP security headers.

Win #4: Train Developers to Minimize Injection Vulnerabilities

In theory, application vulnerabilities wouldn’t exist if they were never introduced, so security training for developers should solve the problem. Of course, it doesn’t work that way in the real world. Web application developers need to juggle many skills and requirements to deliver features and products on a deadline. Training developers to recognize and avoid all known vulnerabilities would be completely impractical and counterproductive – but even so, there is a relatively easy win waiting here.

The most common and dangerous web application vulnerabilities all have a common denominator: improper input validation or neutralization. Cross-site scripting, SQL injection, buffer overflows – many of these vulnerabilities can be mitigated or eliminated with careful input processing and validation. If everyone involved in web application development, from designers and developers to QA testers, is trained to look for vulnerable constructs and data flows that process user-controlled inputs, you can eliminate many high-impact vulnerabilities from new code.

In a large organization, even such limited training is unlikely to be cheap or easy, so why is this an easy win? Simple: just compare the cost of training to the time, effort, and cost required to find and fix a critical injection vulnerability in production or deal with the consequences of a data breach or other successful attack. If everyone knows how injection vulnerabilities are introduced and how to avoid them, you can prevent many high-impact injection attacks.

Win #5: Pick Tools that Make Security Easier

Web application security teams are usually small, even though in a large organization, they can be responsible for securing hundreds of websites. The only way to work effectively is to eliminate all unnecessary steps and automate everything that doesn’t require human intervention. Your choice of tools can make the difference between streamlined, effective web application security and tedious manual workflows that always leave your team with more to do.

The ultimate goal is to secure every web application and website in your organization. To do this, you need accurate and confident automation at every step, starting with asset discovery. Next comes the scanning phase, where you need accuracy to find vulnerabilities. You also need 100% confidence in your scan results to eliminate all unnecessary manual work and automate responses. To cut down on clicking and waiting at each stage, you need integration with your existing workflows and tools.

Invicti is the only solution on the market that can provide all this in an integrated package backed by world-class technical support. With Proof-Based Scanning technology, you get automatic verification for vulnerabilities that are definitely not false positives and don’t need manual checking. Compared to traditional vulnerability scanners where every result might be a false positive, this is a game-changer.

The time to value for typical web security programs is counted in months. With Invicti, you can start seeing improvements in just a few days. It really is an easy win.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.