These are some very basic notes I took during @TroyHunt’s talk at NDC London yesterday. It was a great talk and these are some very simple tips. Of course if you’re a web developer you may well already know this stuff, but apparently a surprising number of sites do not take these basic measures.
- Protect against cross-site scripting (XSS) with the X-XSS-Protection response header, and set its extra report value so that attempted attacks are reported to you; it can be configured so that attempts are reported but not blocked.
  - Cross-site scripting: https://en.m.wikipedia.org/wiki/Cross-site_scripting
  - The X-XSS-Protection response header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

- Build a content security policy (CSP) with the Content-Security-Policy header, and use its report-uri value so that any policy violations are reported to you.
  - A CSP that restricts where scripts may load from stops people injecting innocuous-looking JavaScript that could, for instance, capture CVVs as users type them (this is how the Ticketmaster leak happened, and it was via a third-party component from Inbenta, not Ticketmaster's own front-end code).
  - !! I couldn't verify from a quick Google search that the Ticketmaster breach could have been avoided by the use of a CSP, so I'm not 100% sure I got that detail correct.
  - Content-Security-Policy header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
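As an added example that is not from the talk or from these notes, here is a small Python module that builds the two headers above and audits a response header map for the weaknesses the notes warn about: a missing CSP, a script-src that allows inline or any-host scripts, and a policy with no reporting directive. The `/csp-report` path and the specific directive values are assumptions for illustration. One caveat worth knowing: most current browsers have dropped the X-XSS-Protection filter, so the CSP is the control that actually holds today, and the legacy header only helps older clients.

```python
"""Build and audit the XSS-protection and CSP response headers.

Added example, not code from the talk or the post. The report endpoint
/csp-report is a placeholder; point it at whatever collects your reports.
"""
from __future__ import annotations


def build_headers(report_uri: str = "/csp-report",
                  block_xss: bool = False) -> dict[str, str]:
    """Return a starting set of the two headers discussed above.

    The CSP allows scripts only from this origin, so a script injected into
    the page, or loaded from a third-party host that is not listed, is
    refused by the browser and a violation report is POSTed to report_uri.
    X-XSS-Protection is the legacy browser filter: "1; report=..." reports
    (and sanitises) without blocking the page, "1; mode=block" blocks it.
    """
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'self'",      # no inline scripts, no unlisted hosts
        "object-src 'none'",      # no plugins
        "base-uri 'self'",        # stop <base> tag relocation of relative URLs
        f"report-uri {report_uri}",
    ])
    xss = "1; mode=block" if block_xss else f"1; report={report_uri}"
    return {"Content-Security-Policy": csp, "X-XSS-Protection": xss}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return human-readable findings for a response header map.

    Header names are compared case-insensitively, as HTTP requires.
    An empty list means the checks from the notes all passed.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    csp_raw = h.get("content-security-policy")
    if csp_raw is None:
        findings.append("no Content-Security-Policy header")
    else:
        csp = parse_csp(csp_raw)
        # script-src falls back to default-src when absent
        script_src = csp.get("script-src", csp.get("default-src"))
        if script_src is None:
            findings.append("CSP sets neither script-src nor default-src")
        else:
            has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha"))
                                    for s in script_src)
            # a nonce or hash makes browsers ignore 'unsafe-inline'
            if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
                findings.append(
                    "script-src allows 'unsafe-inline' with no nonce or hash")
            if "*" in script_src:
                findings.append("script-src allows any host (*)")
        if "report-uri" not in csp and "report-to" not in csp:
            findings.append(
                "CSP has no report-uri / report-to, violations will go unnoticed")

    if "x-xss-protection" not in h:
        findings.append("no X-XSS-Protection header (legacy browsers only)")
    return findings


if __name__ == "__main__":
    # constructed sample of a weak policy, for illustration only
    weak = {"Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'"}
    for finding in audit_headers(weak):
        print("finding:", finding)
    print("recommended:", build_headers())
```

`audit_headers` takes a plain dict, so it can be fed the headers of any response you fetch (for example `dict(urllib.request.urlopen(url).headers)`) and run as a quick self-check against your own site; the check for `report-uri`/`report-to` is the one the notes single out, because a policy that never reports hides the very injection attempts you want to learn about.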

- Make sure your site has a populated security.txt that tells someone how to alert you if they have detected a data breach.
  - For instance, Troy Hunt has run into significant problems getting hold of the correct contact details when alerting site owners to breaches detected by haveibeenpwned.com (see images).
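A security.txt generator and checker, as an added example that is not from the talk or the post. It follows the shape later standardised in RFC 9116 (the file is served at /.well-known/security.txt; Contact and Expires are required, and Expires should be no more than a year out), so a stale or contact-less file is caught before a researcher trying to report a breach hits the dead end described above. The contact address and policy URL are placeholders.

```python
"""Render and check a security.txt file (RFC 9116 shape).

Added example, not from the talk or the post. Contact addresses and
URLs below are placeholders; substitute your own.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("contact", "expires")
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def render_security_txt(contacts: list[str], expires_in_days: int = 365,
                        policy: str | None = None, canonical: str | None = None,
                        languages: list[str] | None = None) -> str:
    """Build the file body. Serve it at /.well-known/security.txt."""
    if not contacts:
        raise ValueError("at least one Contact is required")
    lines = ["# How to report a security issue or a suspected breach of this site"]
    lines += [f"Contact: {c}" for c in contacts]
    expires = (datetime.now(timezone.utc).replace(microsecond=0)
               + timedelta(days=expires_in_days))
    lines.append("Expires: " + expires.isoformat().replace("+00:00", "Z"))
    if policy:
        lines.append(f"Policy: {policy}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    if languages:
        lines.append("Preferred-Languages: " + ", ".join(languages))
    return "\n".join(lines) + "\n"


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Parse 'Field: value' lines into {field_lowercase: [values]}."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # blank lines and comments are allowed by the format
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text: str) -> list[str]:
    """Return problems a reporter would run into; empty list means OK."""
    now = datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for field in REQUIRED_FIELDS:
        if field not in fields:
            problems.append(f"missing {field.capitalize()} field")

    for contact in fields.get("contact", []):
        # a bare address with no scheme is not a valid Contact value
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(
                f"Contact must be a mailto:, tel: or https: URI, got {contact!r}")

    expires = fields.get("expires", [])
    if len(expires) > 1:
        problems.append("more than one Expires field")
    if expires:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]!r}")
        else:
            if when.tzinfo is None:
                problems.append("Expires has no timezone")
            elif when <= now:
                problems.append("security.txt has expired")
            elif when - now > timedelta(days=366):
                problems.append("Expires is more than a year ahead")
    return problems


if __name__ == "__main__":
    body = render_security_txt(["mailto:security@example.com"],
                               policy="https://example.com/security-policy")
    print(body)
    print("problems:", check_security_txt(body))
```

Running `check_security_txt` against the file you actually serve (fetch `https://yoursite/.well-known/security.txt` and pass the body) is a cheap recurring check; the expiry finding is the one that bites in practice, because a file written once and forgotten will eventually point a reporter at a mailbox nobody reads.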