Skip to content logo

Illustrated Notes

Defend Your Cookies with Essential Web Security Tactics

Published or updated on March 08, 2020

Between IoT botnet attacks, Bitcoin ransomware, and the weekly cadence of high-profile data breaches, doing anything on the internet feels like playing Russian Roulette.

And that's just for normal people using it.

If you're a developer, you're partially responsible for protecting all those normal people from the horrors of whatever LulzSec are up to right now.
The least you can do is make sure your website isn't an accessory to their nefarious activites.

Thankfully, you do not have to brave the black hat darkness alone.

Mike Sherov recently put out a course that covers all the Web Security Essentials you might need.

Course illustration of a web security tower and firewall protecting a browser window, and CCTV cameras attached to the sides

I am (thankfully) not responsible enough for anyone to put me in charge of security for an important website. But I was still curious.

I wanted to know what the current landscape of internet risk looks like. How, exactly, is LulzSec going to hack into my mainframe in 2020?

Here's my illustrated notes from Mike's course that should give you a big picture overview of what to should look out for.

Web security essentials - Let's look at three common attacks

Turns out there's a small set of fairly well-known and easy to defend attacks that we can protect ourselves from:

  • Man in the Middle (MITM)
  • Cross-Site Request Forgery (CSRF)
  • Cross-Site Scripting (XSS)

Shielding yourself from these three is a great starting point. It's at least enough to keep the script kiddies out.

First, man in the middle is a piece of software that intercepts data between a client and a server

If this connection is over HTTP all your data packets are readable cleartext. Anyone on the network can use a packet sniffer to see your data. Instead we use HTTPS to encrypt packets.

How to protect yourself. Use HSTS headers. Require HTTPS everywhere. Redirect HTTP to HTTPS

Cross-site request forgery is an attack that tricks the user into visiting a malicious site while they're already logged into a trusted site.

This is possible because browsers send cookies between sites by default. How to protect yourself. Cookies come with a 'sameSite' property that prevents them from being passed between sites. Set it to 'lax' or 'strict'

Cross-site scripting is an attack that injects malicious code into a trusted site. This can happen is the site allows user input to appear on the page without validating or encoding it. Protect yourself with a content security policy which manages which types of resources are allowed to load and where.

Keeping out this trio of attacks will go a long way.

If (unlike me) you are responsible enough to be in charge of security for a moderately-sized website, it might be worth double checking you have these protections in place.

Better safe than sorry. Especially when sorry means you end up on the front page of Hacker News in this week's edition of obviously preventable security breaches.

The Whole Illustrated Note

The fully illustrated notes on web security essentials

Want to learn more?

A high-res & printable version of the notes, plus the full course is avaliable here on the Web Security Essentials page.