Client Side Best Practices
Client Side Best Practices
This requires front-end developers to focus more on security. In this article I will show you how to make
your apps more secure. I will focus on techniques that you may not have heard about, instead of just telling
you that you have to escape HTML data entered in by users.
When you use SSL, all of the data is encrypted before it's sent, so even if the attacker gets it, he would not
be able to modify or capture it. This is by far the most important step in securing your app.
It's called Content Security Policy. It allows you to define the origin of all scripts, images etc. on your site. It
also blocks all inline scripts and styles, so even if someone can inject a script tag into a comment or post, the
code would not be executed. The CSP is an HTTP header (which can also be set using HTML <meta> tag),
which looks like this:
1 Content-Security-Policy: policy
Where policy is a set of CSP directives. Here are the possible options:
If a directive is not set, the browser assumes that all origins are allowed. This can be changed by setting
the default-src option. What you set there will be applied to all unset directives. There is also
a sandbox option, which makes the webpage load as an iframe with the sandbox attribute. An example
usage of the CSP header would look like this:
Drawbacks
The thing to remember when using CSP is that, by default, all inline JavaScript will not be executed. This
also includes:
This is because the browser cannot distinguish your inline code from the hacker's inline code. You will have
to replace them by adding event listeners with addEventListener or some framework's equivalent. This is
not a bad thing ultimately, as it forces you to separate your application's logic from its graphical
representation which you should be doing anyway. CSP also (by default) blocks all eval() -ish code,
including strings in setInterval / setTimeout and code like new Function('return false') .
Availability
CSP is available in most of the modern browsers. Firefox, Chrome and Opera (mobile too) use the
standard Content-Security-Policy header. Safari (iOS too) and Chrome for Android use the X-
WebKit-CSP header. IE10 (with support limited only to the sandbox directive) uses X-Content-
Security-Policy . So, thanks to Internet Explorer, you can't just use only CSP (unless you will use
something like Google Chrome Frame), but you can still use it to improve the security on the real browsers
and to prepare your app for the future.
1 function parseData(data) {
2 ...
3 }
1 <script src="http://someserver.com/data?format=jsonp&callback=parseData"></script>
But by doing this, you are creating a big security risk. If the server that you are getting data from is
compromised, a hacker can add his malicious code and for example, steal your user's private data, because
actually, you are getting JavaScript using this request - and the browser will run all of the code just like with
a normal script file.
The solution here is Cross Origin Resource Sharing. It allows your data provider to add a special header in
responses so that you can use XHR to retrieve that data, then parse and verify it. This removes the risk of
getting malicious code executed on your site.
The implementation requires the provider only to add the following special header in responses:
1 Access-Control-Allow-Origin: allowed origins
This can be just a few allowed origins separated with spaces, or a wildcard character: * to let every origin
request the data.
Availability
All current versions of modern browsers support CORS, with the exception of Opera Mini.
Of course, the bigger problem here is that service providers would have to add CORS support, so it's not
completely dependent on the developer.
allow-same-origin - the frame will have the same origin as the site, instead of the unique one
allow-scripts - the frame will be allowed to execute JavaScript
allow-forms - the frame will be able to submit forms
allow-pointer-lock - the frame will have access to the Pointer Lock API
allow-popups - the frame will be allowed to show pop-ups
allow-top-navigation - the frame will be able to navigate the window
Availability
The sandbox iframe attribute is supported in all modern browsers, with the exception of Opera Mini.
Conclusion
So that's it. I hope you've learned some new techniques that you can use in your future projects to protect
your applications. Thanks to HTML5, we can now do amazing things with our websites, but we have to
think about security from the first line of code if we want them to be resistant against attacks.