Protecting your site and your clients

Site Security Policy

Site Security Policy is an interesting approach that is still in the formative stages [3]. The idea is that a web server hosts a file specifying how a client should interact with the server, so that unsafe interactions such as cross-site scripting (XSS) or cross-site request forgery (CSRF) attacks can be refused before they happen. On the client side, support is either built into the browser or provided by a plugin (currently available for Firefox) that downloads and parses the policy file before interacting with the web server.

One interesting side effect to this approach is the possibility of having web proxies such as Squid support the standard, in effect protecting all the web clients behind them from potentially unsafe actions at sites that choose to support the Site Security Policy standard.
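To make the enforcement model concrete, here is an added example (not code from the Site Security Policy draft, the Firefox plugin, or Squid) of what a client or proxy does with such a policy: fetch the site's policy, parse it, and decide per request whether a script load, form submission, or frame embed is permitted. The `directive origin...` file syntax, the `SAMPLE_POLICY` text, and the directive names are constructed for this illustration and are not the draft's actual format.

```python
"""Toy policy enforcement in the spirit of Site Security Policy.

Added illustration: the policy syntax below (one directive per line,
followed by the origins it allows) is an assumed stand-in, not the real
draft's file format.
"""
from urllib.parse import urljoin, urlparse

# Constructed sample policy a site might host at a well-known URL.
# "self" means the site's own origin; "none" denies the directive entirely.
SAMPLE_POLICY = """\
# comments are ignored
script-src  self https://cdn.example.net
form-action self
frame-src   none
"""


def parse_policy(text):
    """Return {directive: [allowed origins]} from the toy policy text."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        directive, *sources = line.split()
        policy[directive.lower()] = [s.lower() for s in sources]
    return policy


def origin_of(url):
    """Return scheme://host[:port] of an absolute URL, or None if not absolute."""
    parts = urlparse(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def is_allowed(policy, directive, site_origin, target_url):
    """Decide whether target_url may be used under `directive`.

    Relative URLs are resolved against the site's own origin, so an
    injected <script src="/x.js"> stays same-origin while an injected
    <script src="https://evil.example/x.js"> is refused unless listed.
    A directive the policy does not mention is left unrestricted in
    this toy model.
    """
    sources = policy.get(directive)
    if sources is None:
        return True
    if "none" in sources:
        return False
    target = origin_of(urljoin(site_origin.rstrip("/") + "/", target_url))
    if target is None:
        return False
    site = site_origin.lower().rstrip("/")
    for src in sources:
        if src == "self" and target == site:
            return True
        if src == target:
            return True
    return False


def filter_requests(policy, site_origin, requests):
    """Apply the policy to (directive, url) pairs, as a client or a
    policy-aware proxy would for every page from that site.
    Returns a list of (directive, url, allowed)."""
    return [(d, u, is_allowed(policy, d, site_origin, u)) for d, u in requests]


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    # Constructed requests observed while rendering a page from the site.
    observed = [
        ("script-src", "/js/app.js"),                        # own script
        ("script-src", "https://cdn.example.net/lib.js"),    # whitelisted CDN
        ("script-src", "https://evil.example/x.js"),         # injected by XSS
        ("form-action", "https://attacker.example/collect"), # CSRF-style post
        ("frame-src", "https://www.example.com/frame"),      # frames denied
    ]
    for directive, url, ok in filter_requests(policy, "https://www.example.com", observed):
        print(f"{'ALLOW' if ok else 'BLOCK':5} {directive:12} {url}")
```

Because `filter_requests` needs only the policy text and the site's origin, the same decision logic fits equally well inside a browser plugin or a caching proxy sitting in front of many clients, which is the Squid scenario described above.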

Conclusion

Web security has no simple solution: No matter how hard we try, the bad guys will either run hostile web servers or compromise other web servers. On the client side, things are basically a disaster. If you are running Linux, however, chances are quite low that you will be targeted, and chances are good that you keep your software up to date because almost all distributions update automatically by default, thus putting you ahead of the game!

By plugging the holes as they are identified and by applying additional security measures – such as NoScript and ModSecurity – you can improve the chances of "healthy" servers and clients staying that way.

Ultimately, this reduces the time and energy you have to spend on repetitive cleanup, which is something everybody wants, anyway.

Infos

  1. NoScript plugin for Firefox: http://noscript.net/
  2. ModSecurity for Apache: http://www.modsecurity.org/
  3. Site Security Policy: http://people.mozilla.com/~bsterne/site-security-policy/

The Author

Kurt Seifried is an Information Security Consultant specializing in Linux and networks since 1996. He is married and has four cats but no fish (because the cats are more hungry than afraid of water). He often wonders how it is that technology works on a large scale but often fails on a small scale.
