Tag Archives: webapps security

How to fix Web Performance issues?

This post gives you a list of actions and a quick guide to optimizing your website and increasing its performance significantly. The guidelines are:

  • Reduce required requests: Fewer HTTP requests mean less overhead on the page.
  • Use CSS for your main images: CSS sprites are a great way to merge icons and many small images into one file. This reduces the number of HTTP requests on every page of the website.
  • Use a faster web server: Apache is the standard solution; however, there are alternatives that provide better speed. Look into them for more details.
  • Implement caching: Caching is commonly implemented, but you should look at caching at multiple layers: web-server caching, CDN caching and end-user browser caching. Each of them gives extra mileage in performance.
  • Enable compression: Compression (GZIP) is common and must be implemented for every content transfer between client and server. Read about it in the articles below.
  • Eliminate plugins: Use standard libraries and avoid reinventing the wheel for every new problem. Libraries provide optimized solutions. Check their security before using them, though.
  • Use a top-tier host
  • Use a content delivery network: A CDN is good at serving static content and improves the overall performance of the application. You must implement it.
  • Employ anycast DNS: Anycast is to DNS what a CDN is to content. Queries are answered by the nearest available anycast DNS server, so DNS resolution happens very quickly.

Read more in the following documents.






What is CORS?

The first step in understanding CORS is knowing how some security features of web browsers work. By default, web browsers do not allow AJAX requests to servers other than the site you’re visiting. This is called the same-origin policy and it’s an important part of the web security model. In fact, the same-origin policy is deployed to over a billion devices all over the world and has a solid track record of resisting exploitation.

A Security Risk

Now imagine your mail-sending API is in api.yourwebsite.com. This is where it gets a little trickier because the same-origin policy will block the AJAX request. You want to enable AJAX requests from yourwebsite.com and one way to do that is using CORS.

In your mail-sending API, api.yourwebsite.com, you decided to let everyone access your API instead of only yourwebsite.com. Is this harmful?

Well, it depends on how you implemented the authentication for mail sending. If you are using authentication based on session cookies, you probably shouldn’t allow CORS requests from everyone. A malicious website can issue e-mail sending requests to api.yourwebsite.com via an AJAX request without the specific permission of your user.

If the user has valid session cookies in their browser, they will be used to authenticate on api.yourwebsite.com and that would lead to unwanted e-mail sending.
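The cookie-authenticated scenario above, as an added example that is not part of the original post: the weak policy reflects any Origin and allows credentials, the hardened one exact-matches an allowlist, and a small model of the browser-side check shows which pages get to read the API response. The allowlisted origins and the sample callers are assumptions.

```javascript
// Added example (not from the original post): CORS headers for the mail-sending API at
// api.yourwebsite.com. The allowlist and the sample origins below are assumptions.
const ALLOWED_ORIGINS = new Set(["https://yourwebsite.com", "https://www.yourwebsite.com"]);

// Weak: reflect whatever Origin the browser sent and allow credentials. Because the user's
// session cookie rides along, any page open in that browser can now call the API as them.
function corsHeadersWeak(originHeader) {
  return {
    "Access-Control-Allow-Origin": originHeader || "*",
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact-match the Origin against the allowlist (no endsWith/regex prefix matching,
// which lookalike hostnames can satisfy). Non-allowlisted origins get no CORS headers at all,
// and Vary: Origin stops shared caches from replaying one origin's answer to another.
function corsHeadersHardened(originHeader) {
  if (typeof originHeader !== "string" || !ALLOWED_ORIGINS.has(originHeader)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Simplified model of the browser-side check for a request that carries cookies: the calling
// page may read the response only if the API echoed its exact origin and allowed credentials.
// A wildcard "*" is rejected by browsers once credentials are involved.
function browserExposesResponse(pageOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined || acao === "*") return false;
  return acao === pageOrigin && acac === "true";
}

// Run one calling page through both policies.
function evaluate(pageOrigin) {
  return {
    weak: browserExposesResponse(pageOrigin, corsHeadersWeak(pageOrigin)),
    hardened: browserExposesResponse(pageOrigin, corsHeadersHardened(pageOrigin)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const origin of ["https://yourwebsite.com", "https://third-party.example", "null"]) {
    console.log(origin, evaluate(origin)); // weak: true for all three; hardened: true only for the first
  }
}
```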



Good Read: MIME Sniffing in Browsers and the Security Implications

Whenever a website is opened in a browser, many tasks are silently performed in the background. One of those tasks is fetching resources such as images, stylesheets and JavaScript from different domains on the internet and then parsing those resources.

For example, a browser fetches an image from a remote server and renders it for display when it encounters an <img> tag with a src attribute in an HTML document. Browsers handle these resources based on their MIME type, and a browser’s behavior can be guided by the X-Content-Type-Options HTTP header returned by the web server.

In this post, we are going to look at security risks for an application that does not make use of this header. Specifically, we will look at the conditions under which exploitable vulnerabilities arise.

MIME Sniffing Introduction

MIME stands for “Multipurpose Internet Mail Extensions.” MIME was originally defined to support non-ASCII text and non-text binaries in email. However, the content types defined in the MIME standard are also used in the HTTP protocol to define the type of content in a request or response.

A browser usually identifies a resource’s MIME type by observing the Content-Type response header in an HTTP response. 

Figure 1: Content-Type response header for an HTML page from google.com

Sometimes, developers set Content-Type header values that are not appropriate for the response’s content. For example, if a server sends text/plain for a JavaScript resource, that is a mismatch. As per web standards, text/plain is not a valid JavaScript MIME type. However, browsers may parse and render such misrepresented resources so that the website operates as intended. This is where MIME sniffing comes into the picture. An example is given in Figure 2.

Figure 2: A JavaScript resource served with incorrect Content-Type value

“MIME sniffing” can be broadly defined as the practice adopted by browsers to determine the effective MIME type of a web resource by examining the content of the response instead of relying on the Content-Type header. MIME sniffing is performed only under specific conditions. Please note that MIME sniffing algorithms vary by browser. A MIME sniffing standard has been defined on the Web Hypertext Application Technology Working Group (WHATWG) website.
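An added example, not from the original post, that classifies responses the way a reviewer of MIME handling would: it compares the declared Content-Type against the type expected for the URL's extension and reports whether X-Content-Type-Options: nosniff is in place. It covers the Figure 2 mismatch here and the "Properly configuring server MIME types" advice later on this page; the extension table and the sample responses are constructed.

```javascript
// Added example (not from the original post). The extension table and the sample
// responses are constructed for this example, not taken from any real server.
const EXPECTED_BY_EXTENSION = {
  js: ["application/javascript", "text/javascript"],
  css: ["text/css"],
  html: ["text/html"],
  json: ["application/json"],
  png: ["image/png"],
  svg: ["image/svg+xml"],
};

// Case-insensitive header lookup: proxies and servers differ in capitalisation.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// The MIME type is the part of Content-Type before any ";charset=" parameter.
function mimeOf(contentType) {
  return contentType.split(";")[0].trim().toLowerCase();
}

// Returns "missing-content-type", "unknown-extension", "ok", "mismatch-nosniff" or
// "mismatch-sniffable". Only the last leaves the browser free to guess the type.
// With nosniff, script and stylesheet loads with a wrong type are rejected outright,
// which breaks the page but is the safer failure mode.
function classifyResponse(path, headers) {
  const contentType = header(headers, "Content-Type");
  if (!contentType) return "missing-content-type";
  const ext = path.split("?")[0].split(".").pop().toLowerCase();
  const expected = EXPECTED_BY_EXTENSION[ext];
  if (!expected) return "unknown-extension";
  if (expected.includes(mimeOf(contentType))) return "ok";
  const xcto = (header(headers, "X-Content-Type-Options") || "").trim().toLowerCase();
  return xcto === "nosniff" ? "mismatch-nosniff" : "mismatch-sniffable";
}

// Constructed sample: the Figure 2 situation (JavaScript served as text/plain), with
// and without nosniff, a correctly served script, and an upload with no type at all.
const SAMPLE_RESPONSES = [
  { path: "/static/app.js", headers: { "Content-Type": "text/plain" } },
  { path: "/static/app.js", headers: { "content-type": "text/plain; charset=utf-8", "X-Content-Type-Options": "nosniff" } },
  { path: "/static/app.js", headers: { "Content-Type": "application/javascript; charset=utf-8" } },
  { path: "/uploads/avatar.png", headers: {} },
];

function auditAll(responses) {
  return responses.map((r) => `${r.path}: ${classifyResponse(r.path, r.headers)}`);
}
```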



Web Security: Chrome cookies & security updates.

Google to kill third-party Chrome cookies in two years

Google doesn’t want to block third-party cookies in Chrome right now. It has promised to make them obsolete later, though. Wait – what?

The search engine giant gave us the latest update this week in the journey towards what it says will be a more private, equitable web. It announced this initiative, known as the Privacy Sandbox, in August 2019. It wants to make the web more private for users, it said.

The discussion about online ads and privacy revolves around cookies because they’re what support many predatory advertising models today. It works like this: you visit a website and it puts a small file on your hard drive. This cookie contains information about the session – when you visited, what you looked at, what IP address you came from, and so on.

Some companies use these purely to remember you when you go back so that you don’t have to sign in again. Those are first-party cookies, and they’re a great way to make the web more convenient.

Google Chrome to start blocking downloads served via HTTP

Google has announced a timetable for phasing out insecure file downloads in the Chrome browser, starting with desktop version 81 due out next month. Known in jargon as ‘mixed content downloads’, these are files such as software executables, documents and media files offered from secure HTTPS websites over insecure HTTP connections.

This is a worry because a user seeing the HTTPS padlock on a site visited using Chrome might assume that any downloads it offers are also secure (HTTP sites offering downloads are already marked ‘not secure’). Read more in


How to secure your web content?

In web application security, apart from protecting user information such as credentials, personal details and payment data, it is very important to take care of user content, whether it is user-specific, personalized sensitive content or content that is shared with third-party services.

Following are the must-read articles to put some level of security in web content:

Properly configuring server MIME types

There are several ways incorrect MIME types can cause potential security problems with your site. This article explains some of those and shows how to configure your server to serve files with the correct MIME types.

HTTP Strict Transport Security

The Strict-Transport-Security HTTP header lets a website specify that it may only be accessed using HTTPS.

HTTP access control

The Cross-Origin Resource Sharing standard provides a way to specify what content may be loaded from other domains. You can use this to prevent your site from being used improperly; in addition, you can use it to establish resources that other sites are expressly permitted to use.

Content Security Policy

An added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. Code is executed by the victims and lets the attackers bypass access controls and impersonate users. According to the Open Web Application Security Project, XSS was the seventh most common Web app vulnerability in 2017.

The X-Frame-Options response header

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Securing Your Site using Htaccess

Using the .htaccess file is the best way to secure your site. You can blacklist IPs, restrict access to certain areas of the website, protect different files, protect against image hotlinking, and a lot more.
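An added example, not from the original post, that audits a response for the HSTS, X-Frame-Options and Content Security Policy items listed above and returns a list of findings. The one-year HSTS threshold and the sample headers are assumptions made for this example.

```javascript
// Added example (not from the original post). The one-year threshold and the checked
// directives are an assumed baseline policy, not something the articles above prescribe.
const ONE_YEAR_SECONDS = 31536000;

// Case-insensitive header lookup, since servers and proxies differ in capitalisation.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// HSTS: present, max-age of at least a year, and includeSubDomains so subdomains stay HTTPS-only.
function checkHsts(headers, findings) {
  const hsts = header(headers, "Strict-Transport-Security");
  if (!hsts) { findings.push("HSTS: header missing"); return; }
  const directives = hsts.split(";").map((d) => d.trim().toLowerCase());
  const maxAge = directives.find((d) => d.startsWith("max-age="));
  const seconds = maxAge ? Number(maxAge.slice("max-age=".length)) : NaN;
  if (!(seconds >= ONE_YEAR_SECONDS)) findings.push(`HSTS: max-age ${seconds} is below one year`);
  if (!directives.includes("includesubdomains")) findings.push("HSTS: includeSubDomains not set");
}

// Framing: DENY or SAMEORIGIN are the reliable X-Frame-Options values (ALLOW-FROM is obsolete);
// CSP frame-ancestors is the modern equivalent, so either one satisfies the check.
function checkFraming(headers, findings) {
  const xfo = (header(headers, "X-Frame-Options") || "").trim().toUpperCase();
  const csp = header(headers, "Content-Security-Policy") || "";
  if (!["DENY", "SAMEORIGIN"].includes(xfo) && !/(^|;)\s*frame-ancestors\s/i.test(csp)) {
    findings.push("Framing: no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors");
  }
}

// CSP: present, and the effective script source list (script-src, else default-src) must not
// carry 'unsafe-inline', which gives up most of the XSS protection the policy exists for.
function checkCsp(headers, findings) {
  const csp = header(headers, "Content-Security-Policy");
  if (!csp) { findings.push("CSP: header missing"); return; }
  const directives = {};
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  const scriptSrc = directives["script-src"] || directives["default-src"] || [];
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP: script-src allows 'unsafe-inline'");
}

// Returns the list of findings; an empty list means every check passed.
function auditSecurityHeaders(headers) {
  const findings = [];
  checkHsts(headers, findings);
  checkFraming(headers, findings);
  checkCsp(headers, findings);
  return findings;
}
```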