Security - Miscellaneous
OWASP: Open Web Application Security Project
XSS: Cross Site Scripting
CSRF: Cross Site Request Forgery

Push left. Focus on making security an integral part of your culture throughout your development organization. The use of static code analysis tools (FindBugs, Snort, SONAR) is also recommended. The use of security scanners such as ZAP and Chimera is also recommended.

When users want to change their password, we should ask for the old password. This confirms that the password is not being changed without the user's knowledge (for example, via an XSS or CSRF attack).

Even though it is possible to configure the browser so that the user does not have to type a username and password to log into a web application (intranet), similar to how we typically configure a terminal to use passwordless ssh, it is still a good idea to use both a password and SSL client authentication combined. This is for the same reason we require the user to enter the old password when changing it.

1. Make sure to use only HTTPS for calling out to all external endpoints that interact with your force.com application. This helps protect against malicious network adversaries. HTTP provides no security guarantees and gives a network attacker the ability to intercept, modify or drop network traffic.
2. Embedding HTTP resources on an HTTPS page leads to Mixed Content vulnerabilities. A network attacker can then tamper with the HTTP resource and control what is loaded onto the page.
3. When using external resources as part of your application, host them as a static resource instead of dynamically loading them when the page is loaded. This gives you control over what is loaded in the DOM at runtime.
4. Any cookies set by your application for authentication, authorization, or which contain private or personally identifiable information must set the Secure flag to ensure they are only sent over HTTPS. When the server sets cookies without the Secure attribute, the browser will send the cookie back to the server over either HTTP or HTTPS connections.
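The password-change rule above (require the old password, and reject requests that do not carry the session's CSRF token), as an added example that is not part of the original page. The in-memory USERS store, the PBKDF2 parameters and the new_csrf_token helper are assumptions made for the illustration; a real application would use its own user store and session machinery.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed example: an in-memory user store keyed by username.
# Each record holds (salt, pbkdf2_digest); no plaintext password is kept.
USERS: dict = {}

# Kept low so the example runs quickly; raise it in production
# (OWASP currently recommends several hundred thousand for PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest) for a password, generating a fresh random salt if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison so response timing does not leak how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def register(username: str, password: str) -> None:
    """Store a new user's salted hash (hypothetical helper for the example)."""
    USERS[username] = hash_password(password)


def new_csrf_token() -> str:
    """Per-session token that the change-password form must echo back (hypothetical helper)."""
    return secrets.token_urlsafe(32)


def change_password(username: str, old_password: str, new_password: str,
                    submitted_csrf: str, session_csrf: str) -> bool:
    """Apply a password change only if the request carries the session's CSRF token
    and the caller proves knowledge of the current password. Returns True on success."""
    # A forged cross-site request cannot read the victim's session token, so it fails here.
    if not hmac.compare_digest(submitted_csrf, session_csrf):
        return False
    record = USERS.get(username)
    if record is None:
        return False
    salt, digest = record
    # Even script running in the page (XSS) would still have to know the old password.
    if not verify_password(old_password, salt, digest):
        return False
    USERS[username] = hash_password(new_password)
    return True
```

Both checks are independent: the CSRF token stops a request the user never made, and the old-password check stops a change the user never intended even when the request originates from the user's own browser.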
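Items 2 and 4 of the list above (mixed content, and the Secure flag on sensitive cookies) as one added example, not code from the original page: a helper that emits a Set-Cookie value with Secure, HttpOnly and SameSite set, an audit that reports which of those attributes a given Set-Cookie header lacks, and a scanner that lists subresources a page loads over plain http://. The SAMPLE_PAGE markup and the example.test hostnames are constructed for the illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Attributes a cookie carrying a session or private data should always have.
REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly")

# Tags whose URL attribute the browser fetches as a subresource.
SUBRESOURCE_ATTRS = {
    "script": "src", "link": "href", "img": "src",
    "iframe": "src", "audio": "src", "video": "src", "source": "src",
}


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value with Secure, HttpOnly and SameSite set."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["secure"] = True      # only sent back over HTTPS
    morsel["httponly"] = True    # not readable by page script
    morsel["samesite"] = "Lax"   # not attached to most cross-site requests
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the REQUIRED_COOKIE_ATTRS that are missing from a Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    # Attribute names are case-insensitive; the first part is name=value.
    present = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return [attr for attr in REQUIRED_COOKIE_ATTRS if attr.lower() not in present]


class MixedContentScanner(HTMLParser):
    """Collect (tag, url) pairs for subresources referenced over plain http://."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        url_attr = SUBRESOURCE_ATTRS.get(tag)
        if url_attr is None:
            return
        for key, value in attrs:
            if key == url_attr and value and value.strip().lower().startswith("http://"):
                self.findings.append((tag, value))


def find_mixed_content(html: str) -> list:
    """Return every http:// subresource found in the given HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one script and one image over HTTP, one stylesheet
# over HTTPS, and one same-origin script (which inherits the page's scheme).
SAMPLE_PAGE = """
<html><head>
<script src="http://cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="/static/app.js"></script>
</head><body><img src="HTTP://images.example.test/logo.png"></body></html>
"""
```

Running audit_set_cookie over the Set-Cookie headers an application actually emits (for example from a proxy log or a test client) is a quick way to catch a session cookie that lost its Secure flag in a configuration change; find_mixed_content does the same for templates that reference third-party resources.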
page revision: 2, last edited: 02 Jan 2017 03:50