This document outlines security guidelines for secure web development. It discusses best practices for input/output encoding, input validation, cache control, usage of tokens, proper session management, database security, file upload security, human/robot identification, security configuration, transport layer protection, user authorization, password policy, disabling HTTP TRACE methods, iframe security, and setting secure flags for cookies. Implementing these guidelines helps secure a web application from common vulnerabilities.

1. Security Guidelines for
Secure Web Development
Kumar Gaurav
k10gaurav@gmail.com

2. Agenda
 Input/output Encoding
 Input Validation
 Cache Control
 Usage of Tokens
 Proper Session Management
 Database Level Security
 File Upload Security
 Human/Robot Identification

3. Agenda
 Security Configuration
 Transport Layer Protection
 User Authorization and Access Period
 Password Policy
 HTTP TRACE Methods
 Iframe Security
 Cookies Security

4. Input/output Encoding
 It is recommended to encode output based on input parameters and
encode data that is received as input when you write it out as HTML.
 This technique is effective on data that was not validated for some reason
during input.
 By using techniques such as URL Encode and HTML Encode, you can
prevent malicious script from executing.
 Input should be validated as strictly as possible on arrival, given the kind of
content which it is expected to contain.
 All HTML Meta characters, including <> " ' and =, should be replaced with
the corresponding HTML entities (&lt; &gt; etc).

5. Input Validation
 The application should strictly validate all user inputs at the server level and
display customized error.
 All user input and output should be checked to ensure it is both
appropriate and expected.
 Input validation should be done on the client-side as well as on the server-
side because a secure web application can’t rely on client side validation.

6. Cache Control
 It is recommended to use all cache control tags.
 Improper cache control may lead an attacker to gain access the
authenticated page of another user from the history of the browser.
 Logging out from an application obviously does not clear the browser
cache of any sensitive information that might have been stored.

7. Usage of Tokens
 Attackers can create forged HTTP requests and tricks a victim into
submitting them via images tags, XSS or numerous other technologies.
 It is recommended to include an unpredictable token in the body or URL
of each HTTP request especially when using forms or making asynchronous
request.
 Cross-site request forgery can be prevented using the security tokens.

8. Proper Session Management
 It is recommended that every page should have a logout link.
 Logout should destroy all server side session state and client side cookies.
 Attacker uses leaks or flaws in the authentication or session management
functions (e.g., exposed accounts, passwords, session IDs) to impersonate
users.

9. Database Level Security
 An attacker can steal data from the database by asking a series of True
and False questions through SQL statements.
 It is advised that Proper Authorization mechanism should be implemented
to restrict unauthorized users.
 The two recommended complementary and successful methods of
mitigating SQL Injection attacks:
 Parameterized queries using bound, typed parameters
 Careful use of parameterized stored procedures.

10. File Upload Security
 An attacker can upload malicious files which may lead to Remote Code
Execution and the total defacement of the Web Application.
 It is recommended to restrict file types accepted for upload: check the file
extension and only allow certain files to be uploaded.
 Use a white list approach instead of a blacklist.
 Change the permissions on the upload folder so the files within it are not
executable. If possible, rename the files that are uploaded.

11. Human/Robot Identification
 Attackers can consume web application resources to a point where other
legitimate users can no longer access or use the application.
 Attackers can also lock users out of their accounts or even cause the
entire application to fail. Even attacker can make the server unavailable.
 It is recommended to implement CAPTCHA's in the Form for carrying out
transactions.

12. Security Configuration
 It is recommended to disable or limit detailed error handling.
 In particular, don’t displays debug information to end users.
 The error messages should not contain any relative or absolute file path .
 Direct access to any physical directories that contains image/ JavaScript/
media should not be allowed to list respective directory contents.

13. Transport Layer Protection
 It is recommended to deploy the web application on https to maintain the
confidentiality of user credentials and authentication token, to prevent
MiTM attacks.
 it provides a digitally signed certificate for website/web application
security from malicious attacks.
 This is subject to the business requirement of SSL (Secure Socket Layer)
deployments of respective application.

14. User Authorization and Access Period
 An attacker could perform malicious activity on behalf of a user without
his/her knowledge just by luring a victim to click on an evil page
containing invisible iframe of the victim domain.
 Apply a lockout period for respective user i.e. automatic logout for being
idle for a certain time period for logged in users and account to be locked
after certain login attempts.

15. Password Policy
 It is recommended to use a complex password so that it could not be
guessed easily. Also the password cracking algorithms like Brute force
attack could not crack the user password.
 Password should be at least 8 chars long containing at least 1 Uppercase,
1 Lowercase, 1 Number and 1 special character e.g. Rex@(4*91
 Also for forgot password feature, there should be a process where user
submit his/her email id and a link should be sent to respective email with
expiration period.

16. HTTP TRACE Methods
 TRACE method can bypass HTTP Only Protection on the cookie and an
attacker can steal cookies. It is recommended to disable all unnecessary
HTTP Methods on the Server side.

17. Iframe Security
 An attacker could perform malicious activity on behalf of a user without
his/her knowledge just by luring a victim to click on an evil page
containing invisible iframe of the victim domain. It is recommended to use
x-frame-options having the following two possible values:
 Same origin - The document will be rendered (shown) in a frame only if the
frame and its parent have the same origin.
 Deny - The document may not be rendered inside a frame.

18. Cookies Security
 The attacker can access the cookies in a non-encrypted method or
access the cookies via non HTTP methods like JavaScript or if the user has
not logged out of his account then the attacker may be able to access
the account.
 It is recommended to encrypt cookies and set HttpOnly attribute for them.
Also secure flag should be set for all cookies. This can be done on
application level and server level.

19. Is your web application secure?
Working in web doesn’t guarantee 100% security since the
web & malwares are expanding day by day but the
above guidelines will definitely help in securing your
application from most common security vulnerabilities.

20. Thank you!