5. Securing the Web

Syllabus Points Covered

Secure software architecture

Developing secure code

• Apply security features incorporated into software including data protection, security, privacy and regulatory compliance

  • encryption

  • input validation

  • secure defaults

• Design, develop and implement code using defensive data input handling practices, including input validation, sanitisation and error handling

• Design, develop and implement a safe application programming interface (API) to minimise software vulnerabilities

  • safe endpoints

  • request validation

  • authentication and authorisation

  • least privilege

  • rate limiting

  • data exposure

  • safe error responses

  • HTTPS for APIs

• Design, develop and implement code considering efficient execution for the user

  • memory management

  • exception management

• Design, develop and implement secure code to minimise vulnerabilities in user action controls

  • broken authentication and session management

  • cross-site scripting (XSS) and cross-site request forgery (CSRF)

  • invalid forwarding and redirecting

  • race conditions

• Design, develop and implement secure code to protect user file and hardware vulnerabilities from file attacks and side channel attacks

  • file attacks

  • side channel attacks

Programming for the web

Data transmission using the web

• Investigate and describe the function of web protocols and their ports

  • HTTPS

Chapter Contents

• 5.1. HTTPS
  • 5.1.1. Types of MITM Attacks
  • 5.1.2. HTTPS (Hypertext Transfer Protocol Secure)
  • 5.1.3. Did You Know?
  • 5.1.4. HTTPS Connections
  • 5.1.5. Glossary
• 5.2. HTTPS and Flask
  • 5.2.1. Flask-Talisman
  • 5.2.2. Glossary
  • 5.2.3. Setting up Flask-Talisman
• 5.3. SQL Injection
  • 5.3.1. Recommended Video
  • 5.3.2. Example
  • 5.3.3. Types of SQL Injections
  • 5.3.4. Deleting Data
  • 5.3.5. Blind SQL Injection
  • 5.3.6. Glossary
• 5.4. Parameterised Queries
  • 5.4.1. SQLAlchemy
  • 5.4.2. ORM
  • 5.4.3. Input Validation
  • 5.4.4. Glossary
• 5.5. Safe APIs
  • 5.5.1. Designing Safe Endpoints
  • 5.5.2. Validating API Requests
  • 5.5.3. Authentication and Authorisation
  • 5.5.4. Limiting Abuse
  • 5.5.5. Safe Error Responses
  • 5.5.6. Glossary
• 5.6. Cross-Site Scripting (XSS)
  • 5.6.1. Recommended Video
  • 5.6.2. How XSS Works
  • 5.6.3. Examples
  • 5.6.4. Preventing XSS
  • 5.6.5. Glossary
• 5.7. XSS and Flask Templates
• 5.8. Cross-Site Request Forgery (CSRF)
  • 5.8.1. Recommended Video
  • 5.8.2. How CSRF Works
  • 5.8.3. Example
  • 5.8.4. Preventing CSRF
  • 5.8.5. Glossary
• 5.9. Flask-WTF
  • 5.9.1. Configuration
  • 5.9.2. Defining Forms
  • 5.9.3. Rendering Forms into Templates
  • 5.9.4. Validating Forms
• 5.10. User Action Control Vulnerabilities
  • 5.10.1. Race Conditions
  • 5.10.2. Broken Authentication and Session Management
  • 5.10.3. Invalid Forwarding and Redirecting
  • 5.10.4. Glossary
• 5.11. File and Side-Channel Attacks
  • 5.11.1. File Attacks
  • 5.11.2. Path Traversal
  • 5.11.3. Side-Channel Attacks
  • 5.11.4. Glossary