A few weeks ago I was doing some research into web application security to address some concerns a security audit had raised. For the most part what I found was the typical advice:
- Avoid SQL injection attacks by using parameterized queries
- Use low-privilege accounts to run the web server and the database
- Don't connect to the SQL server with an account that has permissions beyond db_datareader and db_datawriter (or your database's equivalent)
- Validate user input
- HTML-encode any untrusted string at the point it is written into the page (so pretty much everything)
- Avoid using dynamic SQL
One relatively new development I hadn't heard of was a technique called Content Security Policy (CSP). To understand the purpose of CSP you first need to know a little bit about what comes down the line to you from the web server and how the browser handles it.
To get this working you're going to need to add three different headers to your site, because the various browsers have differing levels of support for CSP and some only recognise a vendor-prefixed name.
```http
Content-Security-Policy: script-src 'self'
X-WebKit-CSP: script-src 'self'
X-Content-Security-Policy: script-src 'self'
```
The first line is the policy header as defined by the W3C standard; at the time of writing it is supported only by Chrome, and even then only from version 25. The second works in older WebKit-based browsers. The third is supported by Firefox and IE10+ (IE10 only honours the sandbox directive under that header, so don't count on it to restrict scripts there). Support for CSP across browsers is not fantastic: at the time of writing it covers about 55% of users. The prefixed names exist only for browsers that predate the standard header, which is the one to rely on going forward.
There are quite a few directives you can use in a CSP. The rules above require that all your scripts come from your own origin (same scheme, host and port as the page). Note that this also disables inline `<script>` blocks, inline event handlers and `eval()`, unless you explicitly add `'unsafe-inline'` or `'unsafe-eval'`, which is exactly what makes it useful against injected script. If you make use of a CDN then you can add it to the end of the rules:
```http
Content-Security-Policy: script-src 'self' https://yourcdn.com
X-WebKit-CSP: script-src 'self' https://yourcdn.com
X-Content-Security-Policy: script-src 'self' https://yourcdn.com
```
You can also set a default so that all resources (scripts, styles, images, Flash, frames, fonts) are restricted to your server. `default-src` is the fallback for any resource type you don't name with its own directive; a type you do name (say `script-src`) uses its own list instead.
```http
Content-Security-Policy: default-src 'self' https://yourcdn.com
X-WebKit-CSP: default-src 'self' https://yourcdn.com
X-Content-Security-Policy: default-src 'self' https://yourcdn.com
```
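To make the two policies above concrete, here is an added example (not code from the original post) that does two things: it builds the three header variants from one policy object so you can hand them to whatever server you use, and it evaluates candidate resource URLs against that policy the way a conforming browser would, including the `default-src` fallback and the inline-script rule. The header names and the `script-src`/`default-src` policies are the ones from the post; the page origin `https://www.example.com`, the CDN host `yourcdn.com` and the candidate URLs are constructed sample data, and the source matcher covers only `'self'`, `'none'`, scheme-only and full-origin expressions (no host wildcards or paths).

```javascript
// Added example, not part of the original post. Header names and policies
// come from the post; origins and URLs below are constructed sample data.

const CSP_HEADER_NAMES = [
  'Content-Security-Policy',    // W3C standard header
  'X-WebKit-CSP',               // older WebKit-based browsers
  'X-Content-Security-Policy',  // older Firefox / IE10
];

// Serialize { 'script-src': ["'self'", 'https://yourcdn.com'] } into
// "script-src 'self' https://yourcdn.com" (directives joined with "; ").
function serializePolicy(policy) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Returns { headerName: policyString } for all three header names, ready to
// pass to your server's setHeader/customHeaders equivalent.
function buildCspHeaders(policy) {
  const value = serializePolicy(policy);
  const headers = {};
  for (const name of CSP_HEADER_NAMES) headers[name] = value;
  return headers;
}

// Does one source expression match a URL being loaded by a page at pageOrigin?
// Subset of the spec's grammar: 'self', 'none', "https:" style scheme sources,
// and full scheme://host[:port] origins. Keyword sources are not URL matches.
function sourceMatches(expr, url, pageOrigin) {
  if (expr === "'none'") return false;
  if (expr === "'self'") return url.origin === pageOrigin;
  if (expr === "'unsafe-inline'" || expr === "'unsafe-eval'") return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  try {
    return new URL(expr).origin === url.origin; // explicit scheme must match too
  } catch {
    return false; // unparseable source expression never matches
  }
}

// Is a resource governed by `directive` (script-src, img-src, ...) allowed to
// load from candidateUrl? Falls back to default-src when the directive is
// absent; with neither present the policy says nothing and the load is allowed.
function isAllowed(policy, directive, candidateUrl, pageOrigin) {
  const sources = policy[directive] ?? policy['default-src'];
  if (!sources) return true;
  const url = new URL(candidateUrl, pageOrigin); // relative URLs resolve to self
  return sources.some((expr) => sourceMatches(expr, url, pageOrigin));
}

// Inline <script> blocks, on* handler attributes and javascript: URLs are
// allowed only when the governing list contains 'unsafe-inline'.
function inlineAllowed(policy, directive) {
  const sources = policy[directive] ?? policy['default-src'];
  if (!sources) return true;
  return sources.includes("'unsafe-inline'");
}

// Constructed sample: the post's CDN policy applied to a page on www.example.com.
const samplePolicy = { 'script-src': ["'self'", 'https://yourcdn.com'] };
console.log(buildCspHeaders(samplePolicy));
console.log('inline script allowed:', inlineAllowed(samplePolicy, 'script-src'));
```

The two checks worth noticing when you run it: with only `script-src` set, an image from any origin still loads, because nothing governs `img-src`; switching to `default-src` closes that. And `http://yourcdn.com/...` is rejected under a policy that names `https://yourcdn.com`, since an explicit scheme in the source expression has to match.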