In today's digital landscape, web application security is of paramount importance to protect sensitive user data and maintain user trust. The Mozilla Observatory is a powerful tool that can help developers assess the security posture of their web applications. In this talk we'll learn how to improve the security of web applications using the Mozilla Observatory.
How to Improve Your Web Application's Security Using Mozilla Observatory
AI Generated Video Summary
The Talk discusses how to improve web application security using Mozilla Observatory. It covers topics such as evaluating security headers, maintaining grade history, and implementing content security policies. The importance of securing cookies and enabling HTTP to HTTPS redirection is emphasized. The use of referrer headers to control browser behavior and sub-resource integrity to prevent compromising files are also highlighted.
1. Introduction to Mozilla Observatory
Welcome to React Day Berlin. Today I'll be talking about how to improve web application security using Mozilla Observatory. It evaluates security headers and ranking. Let's go to the Mozilla Observatory and see how it looks. You can skip publishing results and force a rescan. It gives the D+ score and assesses security headers. It maintains grade history. Content Security Policy allows fine-grained control over loaded resources. It prevents cross-site scripting vulnerabilities. Be careful when implementing it on existing websites. Start with Content Security Policy in report-only mode. Cookies are also important.
Today I'll be talking about how to improve your web application's security using Mozilla Observatory. Mozilla Observatory is a tool you can use to evaluate your web application's security headers and the security ranking of your websites. So here you can see all the security headers that Mozilla Observatory measures for your application, and it gives you a score.
So let's go to the Mozilla Observatory and see what it looks like. So this is the site; there are three options here. You can choose to skip publishing your results in the public records of Mozilla. Mozilla actually caches your scanned results, so if you want to force a rescan, you can click this checkbox. And if you don't want to run any third-party scanners, you can select this one. Let's enter my domain and see what result it gives us. So here you can see it will run the HTTP Observatory, and it gives me the D+ score. And here are all the security headers that it has assessed. You can see the pass or fail status and the score of each security header, and the reason behind a particular score is displayed here as well. It also maintains the grade history, so whenever you make any improvements to your website and rescan it, you will be able to see the improved score of your website.
2. Securing Cookies and Redirection
Cookies should be secured using the Secure flag and sent over HTTPS only. Define a minimum expiration period for session identifier cookies. Configure the server properly for cross-origin requests. Enable HTTP to HTTPS redirection.
You need to define the expiration period as well. It should be as short as possible. In particular, the session identifiers that we store in cookies should expire very quickly once they are no longer needed.
We can use the SameSite attribute of cookies as well to block the cookies from being sent on any cross-origin request. If you're a front-end developer, you must have come across CORS errors, so it's very important to configure your server properly for any cross-origin request. It shouldn't be allowing any other domain that doesn't need that particular resource, so it should be configured properly. It shouldn't be allowing any wildcard-pattern access either.
HSTS, commonly known as HTTP Strict Transport Security, tells the browser to load the resources via HTTPS only, and redirection is also very important. You need to enable the HTTP to HTTPS redirection in your web application.
3. Referrer Headers and Sub-resource Integrity
Another important point is Referrer-Policy. Whenever you visit any resource from your application, the browser will send the referrer to the web server from which the request originated. That may be useful in some cases, but it can lead to a privacy risk as well. To control that, you can use the Referrer-Policy header in your application.
There are a few directives that you can use. The first one is the no-referrer directive, which will remove the referrer from all of your requests being sent to any resource. same-origin will send the entire URL, but only for same-origin requests. And strict-origin will send the origin header, but it will just send the host part. It will strip off the actual path of the page from which you requested the resource. And the recommended one is strict-origin-when-cross-origin. It will send the full referrer on the same origin, but a stripped version, just the origin, when you're making a cross-origin request.
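As an added example (not from the talk), the function below computes the Referer value a browser sends under each of the four directives named above, following the Referrer Policy specification's rules. It goes one step beyond the talk by also applying the downgrade rule of the strict-* policies: when an HTTPS page requests a plain-HTTP resource, no referrer is sent at all. The URLs are constructed for illustration.

```javascript
// Added example, not code from the talk: what Referer a browser sends for the
// four Referrer-Policy directives discussed, per the Referrer Policy spec.

// An origin-only referrer is serialized as scheme://host[:port]/ with a slash.
function originOf(u) {
  return `${u.protocol}//${u.host}/`;
}

// A full referrer is the URL minus fragment and any embedded credentials.
function fullReferrer(u) {
  return `${u.protocol}//${u.host}${u.pathname}${u.search}`;
}

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.host === b.host;
}

// True when an HTTPS page requests a plain-HTTP resource. The strict-* policies
// send nothing in that case, so the page's URL never leaks over cleartext.
function isDowngrade(from, to) {
  return from.protocol === 'https:' && to.protocol === 'http:';
}

// Return the Referer header value, or null when the browser sends none.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'same-origin':
      return sameOrigin(from, to) ? fullReferrer(from) : null;
    case 'strict-origin':
      return isDowngrade(from, to) ? null : originOf(from);
    case 'strict-origin-when-cross-origin':
      if (sameOrigin(from, to)) return fullReferrer(from);
      return isDowngrade(from, to) ? null : originOf(from);
    default:
      throw new Error(`directive not covered in this example: ${policy}`);
  }
}
```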