DEV Community

Cover image for Web security knowledge you must understand it (Part I: HTTPS, TLS, SSL, CORS, CSP)

Web security knowledge you must understand it (Part I: HTTPS, TLS, SSL, CORS, CSP)

Ahmed Atef on September 22, 2020

What is Web Security? The web is not safe for every user, Daily we hear about websites becoming unavailable because of denial of service...
Collapse
 
aghost7 profile image
Jonathan Boudreau

I don't think its necessary to know about CSP or CORS. You can build a perfectly secure website without any knowledge of these things; most websites I've worked on don't use these security hardening features.

One thing potentially worth mentioning is HSTS which can prevent downgrade attacks.

Collapse
 
aurelio profile image
Aurelio • Edited

I disagree.

The fact that CSP is not widely use is a signal that developers - especially frontend devs - should be more educated on security topics.
Without a good Content Security Policy how confident are you that your customers are safe against XSS? For instance, how do you ensure that one of your users doesn't have a browser extension that logs their credentials as they type to a malicious server?

I suggest this article or this other (don't miss the video) from Troy Hunt.

CSP may not be the only option to counter these attacks, but one has to be aware of the risks that can originate from the client-side of our applications and websites.

Collapse
 
ahmedatefae profile image
Ahmed Atef

I agree with you πŸ‘Œ

Collapse
 
aghost7 profile image
Jonathan Boudreau

In practice, it isn't easy to implement CSP when libraries come into play. It is nice to add for hardening, but it isn't necessary, and should not be considered a primary form of defence against XSS.

Thread Thread
 
aurelio profile image
Aurelio

Nothing about security is easy and the fact that one method is not easy to implement doesn't make it less valuable.

Also, you can always set the CSP as report-only if you're (correctly) worried about potentially breaking stuff. Implementing a good policy slowly over months is better than never doing it at all.

But anyway, if other methods are preferable in your view it's more constructive to explicitly say which ones, so people reading the comments can actually get value out of the discussion.

Cheers!

Thread Thread
 
aghost7 profile image
Jonathan Boudreau • Edited

I consider CSP to be an advanced topic because it is a additional defence against XSS. I do not consider it a "must know". What I consider essential knowledge is how to reason about trusted and untrusted inputs, making sure to sanitize if your framework or library doesn't already do it.

Also, you can always set the CSP as report-only

Again, I don't consider this a "must know". I mean, its cool and all but I don't consider auditing something everyone should know about. I'd much rather have people know about ways you can actually completely shoot yourself in the foot than know about CSP.

Thread Thread
 
aurelio profile image
Aurelio

Surely, although for me they really are different methods solving different but equally serious problems. But this is now more a personal opinion about what is and what is not a must know, so less valuable/interesting.

Thanks for keeping up the thread and replying with an informed opinion and a link to a reputable site.
I really appreciate it πŸ‘πŸ‘πŸ‘

Collapse
 
tejaswipandava profile image
tejaswipandava

CORS is pretty important. one instance, we developed a web API, and a client both worked well in local but when moved to stagging env the app was not working reason CORS.

With the modern web, it really became a staple to consume resources from different origins, and understanding why the same-origin policy was introduced makes more sense

Collapse
 
ahmedatefae profile image
Ahmed Atef

Yes, HSTS is useful to understand, I will add it in one of the following articles, but for CSP and CORS it is useful to understand them to increase your knowledge of web security and this knowledge what makes the differences between web developers.

Collapse
 
rockykev profile image
Info Comment hidden by post author - thread only accessible via permalink
Rocky Kev

A bunch of things I did not know. Thank you!

I noticed there was a huge sentence fragment here this chunk of your blog post:

What is the difference between TLS and SSL?
SSL is the older version of the TSL, the name changed after the Internet Engineering Task Force (IETF) be the owner after Netscape and some developer nowadays use the SSL and TLS to referring for the same thing.

The Big different is since 1996 SSL not have any new update and this makes it very vulnerability to hacker attacks and all modern browsers no longer support it.
Enter fullscreen mode Exit fullscreen mode
Collapse
 
ahmedatefae profile image
Ahmed Atef

I appreciate your help to improve this article, I will edit it now, thanks a lot

Collapse
 
bassochette profile image
Julien Prugne

Cors is a browser enforced policy.
The server provide the the header during the preflight request made through an OPTION call.
The server does not send any error.

Collapse
 
ahmedatefae profile image
Ahmed Atef

thanks for this information, i will update it and if there other informations in this Topic provide it to us

Collapse
 
titanhero profile image
Lex

Cool, very useful info, animus...πŸ˜πŸ‘βœŒοΈ

Collapse
 
ahmedatefae profile image
Ahmed Atef

happy to help🀝

Collapse
 
detinsley1s profile image
Daniel Tinsley

I have some feedback. I noticed that you weren't consistent with the acronym for Transport Layer Security. In some places, you wrote TLS, which is correct, while in others you wrote TSL, which is incorrect. You should go back through your article and change any instance of TSL to TLS to make it correct. Thank you.

Collapse
 
ahmedatefae profile image
Ahmed Atef

Thank you for yor note πŸ‘Œ

Collapse
 
ziizium profile image
Info Comment hidden by post author - thread only accessible via permalink
Habdul Hazeez

Please, take note of the following (among others):

  • There is an error in the link of the Image source (check the first four images).
  • There is possible typographical error under "CSP": > Cross-Site Scripting (XSS): it a vulnerability that allows the hacker to inject a militias code

All in all, please review the article for possible grammar mistakes.

Collapse
 
keefdrive profile image
Keerthi

nice researched article

Collapse
 
ahmedatefae profile image
Ahmed Atef

Thank you

Collapse
 
_gasha profile image
Info Comment hidden by post author - thread only accessible via permalink
Gasha

Nice text, but please run a spellchecker before publishing

Collapse
 
ahmedatefae profile image
Ahmed Atef

I will, thanks for the note

Collapse
 
prkkhan786 profile image
prkkhan786

So usefull information

Collapse
 
ahmedatefae profile image
Ahmed Atef

I am grateful for your review

Collapse
 
lithqube profile image
Cristhian Ferrufino

Great info, thanks!

Collapse
 
ahmedatefae profile image
Ahmed Atef

it's my pleasure to help you

Collapse
 
llampwall profile image
Info Comment hidden by post author - thread only accessible via permalink
Jordan Hewitt

There is some good information here, but surely you could get an English speaker to proofread / edit your copy. Reading this is pretty bad.

Collapse
 
ahmedatefae profile image
Ahmed Atef • Edited

I Certain all the information here is very clear, and if you find any sentence difficult to understand or read, show me its place and I will try to improve it to be better. Finally, thank you for your note.

Collapse
 
llampwall profile image
Jordan Hewitt • Edited

There are a ton of grammatical errors and word omissions. It’s missing a lot of articles, transitive verbs, and correct verb conjugations. I can extract the general information for the most part, but no, it is not very clear, and it is very jarring to read. Essentially every sentence needs to be read twice. Simply having an English speaker rewrite it would take your articles to another level and probably improve your English.

Thread Thread
 
ahmedatefae profile image
Info Comment hidden by post author - thread only accessible via permalink
Ahmed Atef

Ok.

Collapse
 
ganesh0479 profile image
Sivaganesh Panditi • Edited

Thank you for very good article...

Please publish the second part... If it is published already.... Could you please share the URL here

Collapse
 
davidyaonz profile image
David Yao

hi, thanks for the article. Found a typo 'It contains very import information about the owner' => 'It contains very important information about the owner'. thanks

Collapse
 
ahmedatefae profile image
Ahmed Atef

Thanks for the note πŸ‘Œ

Some comments have been hidden by the post's author - find out more