13 Protecting your application against external attacks


This chapter covers

  • Configuring your application for HTTPS
  • Ensuring you apply good access control
  • Avoiding common cryptographic failures
  • Preventing injection attacks

Once your application is published, it will come under attack. Most of these attacks will be automated, probing for well-known vulnerabilities. You will probably be surprised to see requests being logged for URLs that include phpmyadmin, or the names of popular third-party component libraries you don’t even use. The HTTPS protocol underpins the security of any website, so we will begin this chapter with a reminder of why HTTPS matters and then look at how to configure your application to use it.

Then we will look at the threats posed to your application in more detail, focusing on the most common of these according to the Open Web Application Security Project (OWASP) (https://owasp.org/). You will learn how the Razor Pages framework has been designed specifically to protect you from various threats and how to maintain security should you find the need to bypass these safeguards.

OWASP categorizes vulnerabilities under a number of headings. We will look at some of the specific threats that fall under the top three of those headings:

  • Broken access control
  • Cryptographic failures
  • Injection attacks

13.1 HTTPS

13.1.1 SSL/TLS certificates

13.1.2 Using HTTPS in development

13.1.3 Including HSTS in production

13.2 Broken access control

13.2.1 Incorrect security policies

13.2.2 Cross-site request forgery

13.3 Cryptographic failures