Protecting web applications
Even when a web application only contains public information, there remains a need to protect the integrity and availability of the information processed by the web application and the system it is hosted on.
Web application frameworks
Web application frameworks can be leveraged by software developers to enhance the security of a web application while decreasing development time. These resources can assist software developers to securely implement complex components such as session management, input handling and cryptographic operations.
Security Control: 1239; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Robust web application frameworks are used to aid in the development of secure web applications.
Web application interactions
Hypertext Transfer Protocol Secure (HTTPS) is Hypertext Transfer Protocol (HTTP) using Transport Layer Security (TLS) encryption. The use of HTTPS for web applications ensures that not only are individuals’ interactions with web applications kept confidential, but the integrity of their interactions are also maintained.
Security Control: 1552; Revision: 0; Updated: Oct-19; Applicability: O, P, S, TS
All web application content is offered exclusively using HTTPS.
Web application input handling
Most web application security vulnerabilities are caused by the lack of secure input handling. It is essential that web applications do not trust any input such as the website address and its parameters, Hypertext Markup Language (HTML) form data, cookie values and request headers without validating or sanitising it. Examples of validation and sanitisation include:
- ensuring a telephone form field contains only numerals
- ensuring data used in a Structured Query Language query is sanitised properly
- ensuring Unicode input is handled appropriately.
Security Control: 1240; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Validation and/or sanitisation is performed on all input handled by a web application.
Web application output encoding
The likelihood of cross-site scripting and other content injection attacks can be reduced through the use of contextual output encoding. The most common example of output encoding is the use of HTML entities. Performing HTML entity encoding causes potentially dangerous HTML characters such as ‘<’, ‘>’ and ‘&’ to be converted into their encoded equivalents ‘<’, ‘>’ and ‘&’.
Output encoding is particularly useful where external data sources, which may not be subject to the same level of input filtering, are output to users.
Security Control: 1241; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Output encoding is performed on all output produced by a web application.
Web browser-based security controls
Web browser-based security controls such as Content-Security-Policy, HTTP Strict Transport Security (HSTS) and X-Frame-Options can be leveraged by web applications to help protect themselves and their users. This is achieved via the use of security policy in response headers which users’ web browsers apply according to the defined security policy. Since the security controls are applied via response headers, it makes it possible to apply the security controls to legacy or proprietary web applications where changes to the source code are impractical.
Security Control: 1424; Revision: 3; Updated: Oct-19; Applicability: O, P, S, TS
Web applications implement Content-Security-Policy, HSTS and X-Frame-Options response headers.
Open Web Application Security Project
The Open Web Application Security Project (OWASP) provides a comprehensive resource to consult when developing web applications.
Security Control: 0971; Revision: 7; Updated: Apr-19; Applicability: O, P, S, TS
The OWASP Application Security Verification Standard is followed when developing web applications.
Further information on auditing of web applications can be found in the event logging and auditing section of the Guidelines for System Monitoring.
Further information on implementing TLS can be found in the Transport Layer Security section of the Guidelines for Cryptography.
Further information on web application security can be found in the following ACSC publications:
- Implementing Certificates, TLS and HTTPS at https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-certificates-tls-and-https
- Protecting Web Applications and Users at https://www.cyber.gov.au/acsc/view-all-content/publications/protecting-web-applications-and-users
- Securing Content Management Systems (CMS) at https://www.cyber.gov.au/acsc/view-all-content/publications/securing-content-management-systems.
Further information on web application security is available in the OWASP Application Security Verification Standard at https://wiki.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project.
Further information on common web application frameworks for different programming languages, including a comparison of their functionality, is available at https://en.wikipedia.org/wiki/Comparison_of_web_frameworks.