
Defend Your Cookies with Essential Web Security Tactics

Last tended on February 08, 2020
🌱 Evergreen


Between IoT botnet attacks, Bitcoin ransomware, and the weekly cadence of high-profile data breaches, doing anything on the internet feels like playing Russian Roulette.

And that's just for normal people using it.

If you're a developer, you're partially responsible for protecting all those normal people from the horrors of whatever LulzSec are up to right now. The least you can do is make sure your website isn't an accessory to their nefarious activities.

Thankfully, you do not have to brave the black hat darkness alone.

Mike Sherov made an egghead course that covers a whole series of web security essentials

Course illustration of objects in 3D space

I am (thankfully) not responsible enough for anyone to put me in charge of security for an important website. But I was still curious.

I wanted to know what the current landscape of internet risk looks like. How, exactly, is LulzSec going to hack into my mainframe in 2020?

Here are my illustrated notes from Mike's course. They should give you a big-picture overview of what you should look out for.

Web security essentials - Let's look at three common attacks

Turns out there's a small set of fairly well-known attacks that are easy to defend against:

  • Man in the Middle (MITM)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)

Shielding yourself from these three is a great starting point. It's at least enough to keep the script kiddies out.

First, a man in the middle is a piece of software that intercepts data between a client and a server. If this connection is over HTTP, all your data packets are readable cleartext: anyone on the network can use a packet sniffer to see your data. Instead, we use HTTPS to encrypt packets.

How to protect yourself: use HSTS headers, require HTTPS everywhere, and redirect HTTP to HTTPS.

Cross-site request forgery is an attack that tricks the user into visiting a malicious site while they're already logged into a trusted site. This is possible because browsers send cookies between sites by default.

How to protect yourself: cookies come with a 'SameSite' attribute that prevents them from being sent on cross-site requests. Set it to 'Lax' or 'Strict'.

Cross-site scripting is an attack that injects malicious code into a trusted site. This can happen if the site allows user input to appear on the page without validating or encoding it.

How to protect yourself: use a Content Security Policy, which controls which types of resources are allowed to load and from where.
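The three defences above, pulled together in one framework-free Node.js request handler. This is an added example, not code from the course or from this post; it assumes the app terminates TLS itself (`req.socket.encrypted`) or sits behind a trusted proxy that sets `X-Forwarded-Proto`, and the hostname, cookie name and session value are placeholders.

```javascript
// Added example (not from the course or the post): a plain Node.js handler
// that applies HSTS + HTTPS redirect, SameSite cookies, and a CSP plus output
// encoding. Hostname, cookie name and session value are placeholders.

// MITM: HSTS makes the browser refuse plain HTTP for this origin for a year.
const HSTS = 'max-age=31536000; includeSubDomains';
// XSS: a strict policy; same-origin scripts/styles only, no plugins, no inline script.
const CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// CSRF: SameSite=Lax (or Strict) stops the browser attaching the cookie to
// cross-site requests; Secure keeps it off HTTP; HttpOnly hides it from script.
function sessionCookie(value, sameSite = 'Lax') {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=${sameSite}`;
}

// XSS: encode user-supplied text before it is placed inside HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Pure decision function: returns { status, headers, body } so it can be
// exercised without opening a socket.
function buildResponse(isHttps, host, url, name) {
  if (!isHttps) {
    // Redirect every plain-HTTP request to its HTTPS equivalent.
    return { status: 301, headers: { Location: `https://${host}${url}` }, body: '' };
  }
  return {
    status: 200,
    headers: {
      'Strict-Transport-Security': HSTS,
      'Content-Security-Policy': CSP,
      'Content-Type': 'text/html; charset=utf-8',
      'Set-Cookie': sessionCookie('opaque-session-id'), // placeholder session value
    },
    body: `<h1>Hello ${escapeHtml(name)}</h1>`,
  };
}

// Plug into http.createServer(handler) or https.createServer(tlsOptions, handler).
function handler(req, res) {
  const isHttps = req.socket.encrypted === true
    || req.headers['x-forwarded-proto'] === 'https'; // only trust this behind your own proxy
  const name = new URL(req.url, 'http://placeholder').searchParams.get('name') || 'anonymous';
  const r = buildResponse(isHttps, req.headers.host, req.url, name);
  res.writeHead(r.status, r.headers);
  res.end(r.body);
}
```

Requests arriving over HTTP get a 301 to HTTPS and never see the cookie; HTTPS responses carry HSTS, the CSP and a SameSite session cookie, and the `name` parameter is encoded before it reaches the page.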

Keeping out this trio of attacks will go a long way.

If (unlike me) you are responsible enough to be in charge of security for a moderately-sized website, it might be worth double checking you have these protections in place.

Better safe than sorry. Especially when sorry means you end up on the front page of Hacker News in this week's edition of obviously preventable security breaches.


The fully illustrated notes on web security essentials

Want more illustrated notes on web development?

Take a look at Testing Apps with Cypress, The JAMStack, Gatsby & Contentful or A Fresh Serving of JavaScript ES2019


Maggie Appleton © 2020