Securing web applications
Web applications combine authentication, authorisation, session management, database access, and file handling into a single interface. Each of those components has recognisable failure modes, and most real-world vulnerabilities are variations on a small set of patterns. The pages here address those patterns at the code level: what produces the vulnerability, and what prevents it.
Most vulnerabilities are recognisable patterns. The work is applying the controls consistently.
- Runtime hardening and exposure reduction
- Secure coding
- Input validation
- Output encoding
- Authentication
- Caching security
- File upload security
- JavaScript security
- Python security patterns
- Broken access control
- Application logic security
- Clickjacking
- CORS and same-origin policy
- Cross-site request forgery
- Information disclosure
- HTTP Host header injection
- Insecure direct object references
- Path traversal
- Race conditions
- Command injection and unsafe deserialization
- Open redirects
- Server-side request forgery (SSRF)
- HTTP request smuggling
- WebSocket security
- Single sign-on security
- Secrets in version control
- Cross-site scripting (XSS)
- XML external entity injection
- Library and dependency security
- TLS/SSL hardening
- Database security
- Preventing and handling API breaches
- Security testing