Introduction

Before we move on, we need to lay down some ground rules. In my opinion they are simply good housekeeping, but one could even argue they are required in 2021.

Use TLS

How often have you been surfing the web these days and not seen that green lock in the URL bar? I bet you it's not often and when it happened it was on a very static website.

These days it's an absolute no-go to use HTTP, FTP, ... when we have secure options easily available. For example:

https://letsencrypt.org/

This is a very easy-to-use service that helps you put that secure lock on your website. The best part? It's free!

The same goes for FTP of course: we can keep using FTP, but when sensitive data is involved there should be a good reason for not using SFTP, which is readily available.

https://qiita.com/alokrawat050/items/709d3c777407ab658aa9

Cookies

These days there are several flags we can set on cookies, and we should use them whenever we can.
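As an added example (not code from the original post), the following Python audits a Set-Cookie header for the flags a browser honours: Secure, HttpOnly and SameSite, plus the requirements that come with the `__Host-` name prefix. The header values it checks are constructed for the example; the policy of treating `SameSite=None` as insufficient for a session cookie is an assumption of this example, not something the post states.

```python
"""Audit Set-Cookie headers for the hardening flags a browser honours.

Added example: a small parser plus an audit function, so missing cookie
flags can be caught in a test suite rather than noticed in production.
"""
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    name: str
    missing: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.missing


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased because browsers treat them
    case-insensitively; flag attributes such as Secure get an empty value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, session_cookie: bool = True) -> CookieAudit:
    """Return the hardening flags missing from one Set-Cookie header.

    session_cookie=True applies the stricter rules for a cookie that carries
    a session identifier (HttpOnly required, SameSite must be Lax or Strict).
    """
    name, _, attrs = parse_set_cookie(header)
    result = CookieAudit(name)
    if "secure" not in attrs:
        result.missing.append("Secure")
    if session_cookie and "httponly" not in attrs:
        result.missing.append("HttpOnly")
    # Assumption of this example: SameSite=None is not acceptable for a
    # session cookie, so only Lax or Strict pass.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        result.missing.append("SameSite=Lax or Strict")
    # A __Host- cookie is only accepted by browsers when it is Secure,
    # has Path=/ and carries no Domain attribute.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        result.missing.append("__Host- requirements (Secure, Path=/, no Domain)")
    return result


def hardened_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value that passes audit_set_cookie()."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers for the demonstration.
SAMPLE_HEADERS = [
    "sid=abc123",                                   # no flags at all
    "sid=abc123; Secure; SameSite=None",            # Secure, but still weak
    "__Host-sid=abc123; Secure; HttpOnly; SameSite=Strict",  # missing Path=/
    hardened_session_cookie("sid", "abc123"),
]


def run_audit(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to the list of flags it is missing."""
    return {h: audit_set_cookie(h).missing for h in headers}


if __name__ == "__main__":
    for header, missing in run_audit().items():
        print(f"{header!r}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it against the Set-Cookie headers your own application emits (for example from a test client's response headers) and fail the test when `audit_set_cookie(...).ok` is false for a session cookie.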

Test every single piece of user input

It may seem obvious at first, but everything the users can control needs to be rigorously tested. We cannot trust it to any degree, especially if your application is public facing. You'd be surprised how hackers can find an entry point. I filtered every single piece of input from my application one time ... yet they found a way, because the id of my object was also reflected in the page in a hidden input field, and they managed to abuse the one thing I never expected users to control.
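The hidden-field problem above is, at its core, a missing server-side check: the id came from the client, so it has to be validated and authorized like any other input. The Python below is an added example (not the post's own code, and the note store, user names and form dictionaries are constructed for it) showing the handler that trusts the hidden field next to the handler that validates the id and confirms the current user owns the object before writing to it.

```python
"""Treat an object id from a hidden form field as untrusted input.

Added example: the vulnerable handler trusts whatever id the form carries;
the hardened handler validates the id and checks ownership server-side.
"""


def make_store() -> dict:
    """Constructed in-memory notes table, keyed by note id."""
    return {
        1: {"owner": "alice", "body": "alice's note"},
        2: {"owner": "bob", "body": "bob's note"},
    }


def parse_note_id(raw) -> int:
    """Validate the submitted id before it touches the store.

    Only a non-empty string of digits is accepted; anything else is
    rejected rather than coerced, so "1 OR 1=1" or "../2" never get further.
    """
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("invalid note id")
    return int(raw)


def update_note_trusting_form(store: dict, form: dict) -> int:
    """Vulnerable: the hidden 'id' field alone decides which note is edited.

    The id is syntactically valid, but nobody checks that the user who
    submitted the form is allowed to touch that note.
    """
    note_id = parse_note_id(form["id"])
    store[note_id]["body"] = form["body"]
    return note_id


def update_note(store: dict, current_user: str, form: dict) -> int:
    """Hardened: the id is validated and the object must belong to the caller.

    current_user comes from the authenticated session, never from the form.
    A missing note and a note owned by someone else get the same error, so
    the response does not reveal which ids exist.
    """
    note_id = parse_note_id(form["id"])
    note = store.get(note_id)
    if note is None or note["owner"] != current_user:
        raise PermissionError("note not found or not owned by current user")
    note["body"] = form["body"]
    return note_id


if __name__ == "__main__":
    store = make_store()
    # Constructed form as alice would legitimately submit it.
    print(update_note(store, "alice", {"id": "1", "body": "edited by alice"}))
    # The same form with the hidden id changed to bob's note is refused.
    try:
        update_note(store, "alice", {"id": "2", "body": "edited by alice"})
    except PermissionError as exc:
        print("refused:", exc)
```

The important design choice is that the ownership check happens on the server for every write, regardless of how the id reached the request; hiding the field, or filtering its value for suspicious characters, does not replace that check.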

This means: