This series, and my blog, have moved! !
Browser and client-side hardening focuses on enabling and using the security features within a user’s browser. The following settings protect the users of your web applications from their side (client-side/browser), rather than the server-side (the application itself), as with most application security advice.
Disabling ‘Remember Me’ Features
While I believe that all applications should allow for users to “paste” values into the password field (to allow for the use of password managers), I do not believe that applications should allow browsers to store passwords using the “remember me” feature. I may be forced to eat my words at some point, but until the security of browsers improves, it is my opinion that all passwords should be stored in a password manager.
Do Not Allow Caching of Sensitive Data
Another item for browser and client-side hardening is to disable caching for sensitive pages. In the past, I would have advised that if a page is delivered over HTTPS, that it must contain sensitive information, and therefore should not be cached. But now that things have changed, and quite frankly since Troy Hunt has opened my eyes, I believe that all pages of every web application should be delivered over HTTPS, that would prescribe that nothing should ever be cached. With that caveat, I would like to suggest that if a page of your application contains anything sensitive, you should not allow it to be cached. Pages that do not contain sensitive information may be cached for faster retrieval.
HTTPS Everywhere
HTTPS should be forced on the server AND from within the application. The newest version of TLS (Transport Layer Security) should always be supported, which as of this writing is TLS 1.2. Older versions of encryption that have known vulnerabilities should be disabled unless you have a clear business reason that has been evaluated against the risk of supporting backwards compatibility. As of this writing all versions of SSL (Secure Sockets Layer) and TLS 1.0 should be disabled on all servers.
Read the rest of this article on my NEW blog!!
Latest comments (0)