Hardening web apps: 1. Introduction

It's okay. Exposing your latest web app implementation on the big bad internet should leave you somewhat anxious. While browsers have grown up to be more secure lately we are still a long way from secure-by-default, and the list of possible attack vectors against web apps is long enough to give Chuck Norris the shivers.

Every month Microsoft releases critical patches against remote code execution exploits. Numerous implementations of SSL encryption are deemed unsafe because of renowned attacks like Heartbleed, Poodle and Drown. And even with the infrastructure perfectly in place, you have to design your application very carefully to keep it from exposing data to malicious sites.

In this blog series I will explain the most common threats and provide practical guidance on how to block them in a modern web app (*) hosted on IIS in Azure.

*) "Modern web app" being a single page app using AngularJS with a REST Web API backend.

Posts in the series:

  1. Introduction (this post)
  2. Architecture and infrastructure
  3. Authentication and authorization
  4. Browser cross site attacks
  5. Reactive security and monitoring
  6. Operations practices and conclusion

Read the next post in the blog series about designing the infrastructure.
