Tag Archives: security

It is just HTTPS now

The Blog is HTTPS only

The recent security problems with WordPress motivated us to speed up the effort to move our blog to HTTPS-only mode. This does not fix the WordPress security problems themselves, but it makes possible problems easier to spot later and may, from time to time, protect us from a bad outcome.

So we set the Strict-Transport-Security header to tell browsers that plain HTTP is off-limits for this site from now on. We also changed all links to our blog, both from our website and within the blog itself (including links to embedded resources), into HTTPS links.

We also added .htaccess redirect rules that force all users onto HTTPS and onto the one domain that has the proper certificate.
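The two pieces described above (the redirect rules and the HSTS header) in one .htaccess fragment, as an added example rather than the blog's own configuration. It assumes Apache 2.4 with mod_rewrite, mod_headers and mod_ssl enabled, that AllowOverride permits these directives, and that blog.example.com is a placeholder for the hostname the certificate was issued for; includeSubDomains is an assumption about the site's DNS layout, not something the post states.

```apache
# Added example, not the original blog's .htaccess.
# blog.example.com is a placeholder for the host the certificate actually covers.
RewriteEngine On

# Send every plain-HTTP request, and every HTTPS request for a host the
# certificate does not cover, to the canonical HTTPS origin with a permanent
# redirect. Keeps the path and query string via %{REQUEST_URI}.
# Caveat: a browser that reaches an uncovered host over HTTPS sees the
# certificate warning *before* this redirect runs; the redirect only helps
# clients that arrive over HTTP or accept the mismatch.
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^blog\.example\.com$ [NC]
RewriteRule ^ https://blog.example.com%{REQUEST_URI} [R=301,L]

# HSTS: once a browser has seen this header over a valid HTTPS connection it
# refuses plain HTTP for this host for max-age seconds (here one year).
# Browsers must ignore the header on plain HTTP, so only send it on HTTPS
# responses; mod_ssl sets the HTTPS environment variable on TLS requests.
# "always" makes the header appear on error responses (e.g. 404) as well.
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
```

Roll out HSTS with a short max-age first (a few minutes) and raise it only after confirming every subdomain you include serves a valid certificate, because browsers honour the cached policy until it expires. After deploying, verify with a plain-HTTP request (e.g. curl -I) that the redirect is a 301 to the canonical host and that the header is present only on the HTTPS response.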

The only open item is convincing our hoster to properly support TLS 1.2.

Read that: Web Application Security Guidelines

This is a nice summary of web application security related technologies, processes, and development patterns: Design Guidelines for Secure Web Applications. A little .NET heavy, but most stuff is generally applicable.

If you read and like the above information, you should not miss the OWASP web security guidelines. This is a must read for every tester and developer. OWASP Guide Project:

Web application security is an essential component of any successful project, whether open source PHP applications, web services such as straight through processing, or proprietary business web sites. Hosters (rightly) shun insecure code, and users shun insecure services that lead to fraud. The aim of this Development Guide is to allow businesses, developers, designers and solution architects to produce secure web applications. If done from the earliest stages, secure applications cost about the same to develop as insecure applications, but are far more cost effective in the long run.

Unlike other forms of security (such as firewalls and secure lockdowns), web applications have the ability to make a skilled attacker rich, or make the life of a victim a complete misery. At this highest level of the OSI software map, traditional firewalls and other controls simply do not help. The application itself must be self-defending. The Development Guide can help you get there. The Development Guide has been written to cover all forms of web application security issues, from old hoary chestnuts such as SQL Injection, through modern concerns such as AJAX, phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues…