WT Unit 5

The document discusses web security and performance optimization, highlighting common security threats like XSS, CSRF, and SQL Injection, along with prevention methods. It also covers authentication, authorization, HTTPS, and SSL/TLS for secure communication, as well as web performance optimization techniques such as minification, compression, caching strategies, load balancing, and CDNs. Overall, it emphasizes the importance of protecting web applications and improving their speed for better user experience.

Unit-5

Web Security: Protecting Applications and Users

Web security involves protecting web applications from various cyberattacks that could
compromise data, functionality, or user privacy.

* Common Security Threats:

  o XSS (Cross-Site Scripting):
    - Description: An injection attack where malicious scripts are injected into otherwise trusted websites. When a user visits the compromised site, their browser executes the malicious script, which can then steal session cookies, deface websites, redirect users, or perform other malicious actions on behalf of the user.
    - Types: Reflected XSS (from user input in URL), Stored XSS (from user input saved in database), DOM-based XSS (client-side manipulation).
    - Prevention: Input validation (sanitizing user input), output encoding (escaping data before rendering it in HTML), Content Security Policy (CSP).
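
Output encoding and CSP from the XSS item above, as an added Python example (not part of the original notes). The comment text, the nonce value and the helper names are constructed for the demo; the rendering is done with the standard library's html.escape.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: a stored comment whose text contains script markup.
UNTRUSTED_COMMENT = '<script>alert("xss")</script>'


def render_vulnerable(comment):
    """Raw interpolation: the browser parses the comment as markup and runs the script."""
    return f'<div class="comment">{comment}</div>'


def render_safe(comment):
    """Output encoding for an HTML text context: & < > " ' become entities."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_link(label, url):
    """Attribute context: encode both values and only allow absolute http(s) URLs
    in href, so a scheme the browser would execute as code cannot be smuggled in."""
    if urlsplit(url).scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label, quote=True)}</a>'


def csp_header(nonce):
    """Content-Security-Policy as a second layer: only scripts carrying this
    per-response nonce may run, so an injected inline <script> is blocked."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'none'")


def contains_script_tag(markup):
    """Check used to show whether the rendered output still carries a live <script>."""
    return "<script" in markup.lower()
```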

  o CSRF (Cross-Site Request Forgery):
    - Description: An attack that tricks a victim into unknowingly submitting a malicious request to a web application in which they are authenticated. The attack leverages the fact that browsers automatically send cookies (including session cookies) with requests to a site.
    - Prevention: CSRF tokens (random, unique tokens included in forms/requests and verified on the server), SameSite cookies, Referer header checking.
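
The three CSRF defences listed above combined in one server-side check, as an added Python example (not from the original notes). SERVER_SECRET, the session IDs and the host name app.example are constructed for the demo; the token format (nonce.hmac) is one common synchronizer-token design, not the only one.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed server secret for the demo; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"


def issue_csrf_token(session_id):
    """Synchronizer token: a random nonce bound to the session with an HMAC,
    so a token captured in one session cannot be replayed in another."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def session_cookie(session_id):
    """SameSite=Strict: the browser withholds the cookie on cross-site requests,
    so a forged POST from another origin arrives unauthenticated."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


def handle_state_change(headers, form, session_id, expected_host):
    """Defence in depth for a state-changing request: the Origin (or Referer)
    host must be ours AND the submitted token must verify. Returns an HTTP status."""
    source = headers.get("Origin") or headers.get("Referer", "")
    if urlsplit(source).netloc != expected_host:
        return 403
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200
```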

  o SQL Injection: Injecting malicious SQL code into input fields to manipulate database queries, potentially leading to unauthorized access, data theft, or data corruption.
    - Prevention: Prepared statements with parameterized queries, input validation, least privilege for database users.
  o Broken Authentication and Session Management: Vulnerabilities related to improperly implemented authentication or session handling, allowing attackers to compromise user accounts or sessions.
    - Prevention: Strong password policies, multi-factor authentication (MFA), secure session management (e.g., using secure, HttpOnly cookies, regenerating session IDs).

  o Insecure Direct Object References (IDOR): When an application exposes a direct reference to an internal implementation object (like a file path or database key), allowing attackers to manipulate these references to access unauthorized resources.
    - Prevention: Implement proper authorization checks for every resource access, use indirect references (e.g., GUIDs) instead of direct database IDs.

  o Security Misconfigurations: Default configurations, incomplete configurations, open cloud storage, or unpatched servers.
    - Prevention: Regular security audits, strong configuration management, patching and updating software regularly, removing unused features.

* Authentication and Authorization:

  o Authentication: The process of verifying the identity of a user or system. It answers the question: "Who are you?"
    - Methods: Passwords (often hashed and salted), multi-factor authentication (MFA - e.g., password + SMS code), OAuth (delegated authorization), OpenID Connect (identity layer on OAuth 2.0).
    - Common Implementations: Session-based authentication (server stores session data, client gets a session ID cookie), Token-based authentication (client receives a cryptographically signed token like JWT - JSON Web Token).
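
Salted password hashing and session-based authentication from the item above, together with the session-ID regeneration and cookie flags from the Broken Authentication and Session Management item, as one added Python example (not from the original notes). The iteration count is OWASP's current recommendation for PBKDF2-HMAC-SHA256; the SessionStore class and the cookie name sid are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 600_000   # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Salted PBKDF2; stored as iterations$salt$hash so verification can re-derive it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


class SessionStore:
    """Session-based authentication: state lives on the server, the client only
    holds an opaque random ID in a cookie."""

    def __init__(self):
        self.sessions = {}   # session_id -> session data

    def create(self, data=None):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = dict(data or {})
        return sid

    def login(self, old_sid, user):
        """Regenerate the ID when privilege changes: a pre-login ID that an attacker
        may have planted (session fixation) is discarded rather than upgraded."""
        data = self.sessions.pop(old_sid, {})
        data["user"] = user
        return self.create(data)

    def cookie(self, sid):
        """Secure: sent over HTTPS only. HttpOnly: not readable by page script."""
        return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```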

  o Authorization: The process of determining what an authenticated user is permitted to do. It answers the question: "What are you allowed to do?"
    - Methods: Role-Based Access Control (RBAC - users assigned roles, roles have permissions), Attribute-Based Access Control (ABAC - permissions based on user/resource attributes), Access Control Lists (ACLs).
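
RBAC and ABAC from the Authorization item above, applied as the per-resource check and indirect (GUID) references that the IDOR item calls for, as one added Python example (not from the original notes). The invoice resource, the role table and the user dictionaries are constructed for the demo.

```python
import uuid

# RBAC: roles carry permissions and users are assigned roles.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "editor": {"invoice:read", "invoice:update"},
    "admin":  {"invoice:read", "invoice:update", "invoice:delete"},
}


class InvoiceService:
    """Invoices are keyed by random UUIDs (indirect references), and every access
    passes an authorization check that combines the caller's role (RBAC) with
    the invoice's owner attribute (ABAC)."""

    def __init__(self):
        self.invoices = {}   # public_id -> {"owner": ..., "total": ...}

    def create(self, owner, total):
        public_id = str(uuid.uuid4())   # not enumerable like 1, 2, 3
        self.invoices[public_id] = {"owner": owner, "total": total}
        return public_id

    def authorize(self, user, action, public_id):
        inv = self.invoices.get(public_id)
        if inv is None:
            return False
        granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user["roles"]))
        if f"invoice:{action}" not in granted:      # RBAC: does any role allow this?
            return False
        if "admin" in user["roles"]:                # admins may act on any invoice
            return True
        return inv["owner"] == user["name"]         # ABAC: ownership attribute

    def get(self, user, public_id):
        """Missing and foreign invoices get the same answer, so IDs cannot be probed."""
        if not self.authorize(user, "read", public_id):
            raise PermissionError("not authorized")
        return self.invoices[public_id]
```
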
* HTTPS and SSL/TLS:

  o HTTPS (Hypertext Transfer Protocol Secure): The secure version of HTTP. It encrypts the communication between a client (browser) and a server, protecting data from eavesdropping, tampering, and forgery.
  o SSL/TLS (Secure Sockets Layer/Transport Layer Security): Cryptographic protocols that provide secure communication over a computer network. TLS is the successor to SSL.
    - How it works: When a browser connects to an HTTPS website, the server presents an SSL/TLS certificate. The browser verifies this certificate with a trusted Certificate Authority (CA). If valid, a secure, encrypted connection is established using public-key cryptography and then symmetric-key encryption for the actual data transfer.
  o Benefits: Data confidentiality, data integrity, authentication of the server, improved SEO ranking (Google favors HTTPS sites).
  o Implementation: Obtain an SSL/TLS certificate from a CA (e.g., Let's Encrypt for free), configure the web server (e.g., Nginx, Apache) to use the certificate.

Web Performance Optimization: Speeding Up Applications

Web performance optimization (WPO) is the process of improving how quickly web pages
load and respond to user interactions. Faster websites lead to better user experience, higher
conversion rates, and improved search engine rankings.

* Minification and Compression:

  o Minification: The process of removing unnecessary characters (like whitespace, comments, new lines) from source code (HTML, CSS, JavaScript) without changing its functionality. This reduces file size.
  o Compression: Using algorithms (e.g., Gzip, Brotli) to reduce the size of files before they are sent over the network. The browser then decompresses them.
  o Benefits: Faster download times, reduced bandwidth usage, quicker parsing and execution by the browser.
  o Implementation: Build tools (Webpack, Rollup), server-side configuration (e.g., Nginx gzip module).
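
The server side of compression as described above, as an added Python example (not from the original notes): it negotiates an encoding from the request's Accept-Encoding header, compresses with the standard library's gzip or zlib, and sets the response headers a cache needs. The sample asset is constructed; Brotli is left out because it needs a third-party module.

```python
import gzip
import zlib

# Constructed sample asset: a minified JS snippet repeated so compression is visible.
ASSET = b"function greet(n){return 'Hello, '+n;}" * 50
SUPPORTED = ("gzip", "deflate")   # Brotli needs a third-party module, so it is not offered

def parse_accept_encoding(header):
    """Parse 'gzip;q=1.0, deflate;q=0.5, br' into {encoding: q}; a missing q means 1.0."""
    prefs = {}
    for part in header.split(","):
        name, _, params = part.strip().partition(";")
        if not name:
            continue
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        prefs[name.lower()] = q
    return prefs

def choose_encoding(accept_encoding):
    """Pick the supported encoding with the highest q; q=0 everywhere means identity."""
    prefs = parse_accept_encoding(accept_encoding)
    weight = lambda enc: prefs.get(enc, prefs.get("*", 0.0))
    best = max(SUPPORTED, key=weight)
    return best if weight(best) > 0 else None

def compress_response(body, accept_encoding):
    """Build (headers, body). Vary tells shared caches the bytes depend on Accept-Encoding."""
    headers = {"Content-Type": "application/javascript", "Vary": "Accept-Encoding"}
    enc = choose_encoding(accept_encoding)
    if enc == "gzip":
        body = gzip.compress(body)
    elif enc == "deflate":
        body = zlib.compress(body)          # HTTP "deflate" is the zlib-wrapped format
    if enc:
        headers["Content-Encoding"] = enc
    headers["Content-Length"] = str(len(body))
    return headers, body

def decompress_response(headers, body):
    """What the browser does on receipt: undo the advertised Content-Encoding."""
    enc = headers.get("Content-Encoding")
    return {"gzip": gzip.decompress, "deflate": zlib.decompress}.get(enc, lambda b: b)(body)
```
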
* Caching Strategies: Caching involves storing copies of frequently accessed data in a temporary storage location so that future requests for that data can be served faster.

  o Browser Caching (Client-Side Caching): The browser stores static assets (images, CSS, JS) locally based on HTTP headers (e.g., Cache-Control, Expires, ETag, Last-Modified). Subsequent visits load these assets from the local cache.
  o Server-Side Caching:
    - Application Caching: Storing results of expensive computations or database queries in memory (e.g., Redis, Memcached).
    - Database Caching: Databases often have their own internal caching mechanisms for frequently accessed data.
    - CDN Caching: CDNs cache content at edge locations closer to users.
  o Benefits: Reduces server load, speeds up page load times, minimizes network traffic.
  o Strategies: Proper Cache-Control headers, versioning assets (e.g., style.css?v=1.2.3 or style.123abc.css), invalidation strategies.
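
The browser-caching headers and versioning strategy above worked through on the server side, as an added Python example (not from the original notes): an ETag validator, a 304 response to If-None-Match, and a Cache-Control policy that differs for versioned assets and for the HTML that references them. The asset table and file names are constructed for the demo.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample assets: a fingerprinted bundle and the HTML page that references it.
ASSETS = {
    "/app.4f3e2d1c.js": b"console.log('bundle v1');",
    "/index.html": b"<html><script src='/app.4f3e2d1c.js'></script></html>",
}
FINGERPRINTED = re.compile(r"\.[0-9a-f]{8,}\.(?:js|css)$")


def etag_for(body):
    """Strong validator derived from the content; changes whenever the bytes change."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


def cache_policy(path):
    """Versioned assets (hash in the name, or ?v=...) get a year-long, immutable cache
    lifetime: a new deploy changes the URL, so stale copies are never served. The HTML
    entry point keeps no fixed lifetime and is revalidated on every use, otherwise a
    long max-age there would pin users to the old bundle reference after a deploy."""
    parts = urlsplit(path)
    if FINGERPRINTED.search(parts.path) or "v=" in parts.query:
        return "public, max-age=31536000, immutable"
    return "no-cache"


def handle_get(path, request_headers):
    """Return (status, headers, body). A matching If-None-Match yields 304 with no body."""
    body = ASSETS.get(urlsplit(path).path)
    if body is None:
        return 404, {}, b""
    tag = etag_for(body)
    headers = {"ETag": tag, "Cache-Control": cache_policy(path)}
    if request_headers.get("If-None-Match") == tag:
        return 304, headers, b""
    return 200, headers, body
```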

* Load Balancing and Content Delivery Networks (CDNs):

  o Load Balancing: Distributing incoming network traffic across multiple servers to ensure no single server is overloaded. This improves responsiveness, availability, and reliability.
    - Methods: Round robin, least connections, IP hash.
    - Benefits: High availability, increased scalability, improved fault tolerance.
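
The three load-balancing methods named above implemented over a small backend pool, as an added Python example (not from the original notes). The Backend and LoadBalancer classes, the server names and the health flag are constructed for the demo; each method skips backends marked unhealthy, which is where the fault-tolerance benefit comes from.

```python
import hashlib
from ipaddress import ip_address


class Backend:
    def __init__(self, name):
        self.name = name
        self.active = 0       # currently open connections (for least connections)
        self.healthy = True   # flipped by a health check; unhealthy backends are skipped


class LoadBalancer:
    """Round robin, least connections and IP hash over the healthy members of a pool."""

    def __init__(self, names):
        self.backends = [Backend(n) for n in names]
        self._rr = 0

    def _live(self):
        live = [b for b in self.backends if b.healthy]
        if not live:
            raise RuntimeError("no healthy backends")
        return live

    def round_robin(self):
        """Each request goes to the next backend in turn, regardless of load."""
        live = self._live()
        backend = live[self._rr % len(live)]
        self._rr += 1
        return backend

    def least_connections(self):
        """Send the request to the backend with the fewest open connections."""
        return min(self._live(), key=lambda b: b.active)

    def ip_hash(self, client_ip):
        """Same client IP -> same backend (session affinity) while the pool is unchanged.
        Clients behind one NAT share a hash and so land on one backend."""
        live = self._live()
        digest = hashlib.sha256(ip_address(client_ip).packed).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)]
```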

  o Content Delivery Networks (CDNs): A geographically distributed network of proxy servers and their data centers. When a user requests content, the CDN serves it from the "edge server" closest to them, rather than the origin server.
    - How it works: Copies of static assets (images, videos, CSS, JS) are stored on CDN servers worldwide. When a user requests content, the CDN directs them to the nearest server.
    - Benefits: Reduced latency, faster page load times, reduced load on origin servers, improved scalability, DDoS protection.
    - Examples: Cloudflare, Akamai, Amazon CloudFront, Google Cloud CDN.
