While a 2007-era Myspace clone is great, web security best practices have come a long way since 2007. Modern browsers implement a bunch of useful security features that SpaceHey currently doesn't take advantage of. I've decided to write about a few of them here. These are mostly "toggle-on" options at the web server and framework level that shouldn't require significant (if any) changes to your code.
HSTS: Even if the unencrypted HTTP version of your website automatically redirects to HTTPS, a visitor who types the address without a scheme or follows an `http://` link makes that first request in plaintext. An attacker on the network path can answer it instead of you, keep the victim on HTTP or a look-alike host, and read the session cookies, passwords and anything else they submit (SSL stripping).
HTTP Strict Transport Security (HSTS, RFC 6797) closes that window: once a browser has seen the header over HTTPS, it rewrites every later `http://` request for the host to `https://` before anything leaves the machine, and it refuses to let the user click through certificate errors for it. Enabling it is as simple as sending the Strict-Transport-Security response header. Set `max-age` to 31536000 (one year, in seconds) and add the `includeSubDomains` flag. Two things to keep in mind: browsers ignore the header when it arrives over plaintext, so it has to be sent by the HTTPS side (on every response, not just the landing page); and it only protects a browser after its first HTTPS visit, so once you are sure the whole domain is HTTPS-only you can add `preload` and submit the site to the browsers' built-in preload list to cover that first visit too.
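To make the header mechanics concrete, here is an added example, written for this post in framework-agnostic Python; it is not SpaceHey's code. It renders and parses the header, checks the header-side requirements of the hstspreload.org list, and shows a small WSGI wrapper that attaches HSTS only to HTTPS responses, since browsers discard the header if it arrives over plaintext. `ONE_YEAR`, `hsts_middleware`, `response_headers` and the placeholder app are this example's own names.

```python
"""HSTS helpers, added here as an illustration; this is not SpaceHey's code.

Assumptions: a WSGI-style Python app, a one-year max-age, and the
header-side rules published by hstspreload.org for the `preload` token.
"""
from typing import Callable, Dict

ONE_YEAR = 31536000  # seconds; also the minimum max-age the preload list accepts


def build_hsts(max_age: int = ONE_YEAR, include_subdomains: bool = True,
               preload: bool = False) -> str:
    """Render a Strict-Transport-Security value such as 'max-age=31536000; includeSubDomains'."""
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value: str) -> dict:
    """Parse an STS value; directive names are case-insensitive (RFC 6797 section 6.1)."""
    parsed = {"max-age": None, "includeSubDomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            parsed["max-age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            parsed["includeSubDomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def preload_eligible(value: str) -> bool:
    """The header checks hstspreload.org applies before accepting a domain:
    max-age of at least one year, includeSubDomains, and the preload token."""
    p = parse_hsts(value)
    return (p["max-age"] is not None and p["max-age"] >= ONE_YEAR
            and p["includeSubDomains"] and p["preload"])


def hsts_middleware(app: Callable, max_age: int = ONE_YEAR) -> Callable:
    """Wrap a WSGI app so every HTTPS response carries the header.

    The header is deliberately left off plaintext responses: a browser must
    ignore STS received over HTTP (RFC 6797 section 8.1), so sending it there
    achieves nothing. The HTTP side should only ever answer with a redirect.
    """
    value = build_hsts(max_age, include_subdomains=True)

    def wrapped(environ, start_response):
        def start_response_with_hsts(status, headers, exc_info=None):
            if environ.get("wsgi.url_scheme") == "https":
                headers = list(headers) + [("Strict-Transport-Security", value)]
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_hsts)

    return wrapped


def response_headers(scheme: str) -> Dict[str, str]:
    """Run a trivial placeholder app through the middleware and return the
    response headers for a request received over `scheme` ('http' or 'https')."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html></html>"]

    seen: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        seen.update(headers)

    list(hsts_middleware(app)({"wsgi.url_scheme": scheme}, start_response))
    return seen


if __name__ == "__main__":
    print("https:", response_headers("https").get("Strict-Transport-Security"))
    print("http: ", response_headers("http").get("Strict-Transport-Security"))
    print("preload-eligible:", preload_eligible(build_hsts(preload=True)))
```

Whether you add the header in application code like this or with a one-line `add_header` in the web server, the two properties to verify afterwards are the same: it is present on every HTTPS response, and absent (or irrelevant) on the HTTP redirect.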
Content Security Policy: Cross-site scripting (XSS) is probably the most common class of web application vulnerability, and on a site whose whole point is rendering user-supplied markup on profile pages for every visitor it can be catastrophic (the 2005 Samy worm spread across the original MySpace through exactly this kind of profile XSS). Right now you're relying on White-HTML-Filter to allow limited markup in profile fields and the like while rejecting JavaScript, which is fine as a first line of defence. But a bug in that library, in your templating engine, or in your own code is all it takes, and whoever finds it gets to run script in every user's browser.
Sending the Content-Security-Policy (CSP) response header is the standard second line. The policy is an allowlist of the origins each kind of content (scripts above all) may be loaded from, and of whether inline code is permitted at all; a browser that enforces it will refuse to run a script that was injected into the page but doesn't come from a listed source.
A strong CSP does not remove the injection bug, but it can stop the injected code from running, and how much it buys you depends entirely on the sources you allow. For `script-src`, list only the hosts your own scripts come from and leave out `'unsafe-inline'`: nearly every XSS payload is an inline `<script>` block or an `onerror=`/`onload=` handler, so permitting inline script throws the protection away (luckily, this site doesn't seem to use any; if you ever need some, a per-request nonce or a hash of the script is the way to allow it without reopening the door). A starting point for SpaceHey might be:
Content-Security-Policy: default-src 'self'; img-src *; media-src *; script-src 'self' https://tibush.b-cdn.net https://tibushlabs.de
The above policy is completely untested and will probably break some content until you add more allowed sources. Two things to know before you try it. Every fetch directive you don't list falls back to `default-src 'self'`, so with this policy inline `<style>` blocks and `style=` attributes are blocked until you add an explicit `style-src` (a problem if profile customisation relies on them), and `img-src *` does not cover `data:` URIs. And you don't have to break production to find out: ship the same policy as `Content-Security-Policy-Report-Only` with a `report-uri` or `report-to` endpoint first, and the browser will log what it would have blocked without actually blocking it. Of these recommendations, CSP is the hardest to implement but the most valuable when it finally works. Feel free to contact me for help with troubleshooting it.
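Since a policy is hard to reason about in the abstract, here is an added example (not SpaceHey's code, and not how any browser actually implements CSP) that implements enough of the CSP3 source-matching rules to evaluate the suggested policy against concrete loads: an injected inline script, the site's own script, a script from an unlisted host, an image from anywhere, a `data:` image, and an inline stylesheet. `PAGE_ORIGIN`, `allows`, `parse_csp` and the `spacehey.example` placeholder origin are this example's own; the two CDN hosts are the ones from the policy above. It also handles `'none'`, scheme sources and `*.` host wildcards, which the suggested policy does not use but a grown-up version of it will.

```python
"""Toy CSP source matcher, added as an illustration; not SpaceHey's code and
not a browser's implementation. It covers the subset of CSP3 matching needed
to see what a policy blocks and allows: 'self', 'none', 'unsafe-inline', '*',
scheme sources such as https: or data:, and host sources with an optional
scheme and a *. wildcard. Nonces and hashes are not modelled.

Assumption: PAGE_ORIGIN is a placeholder; the real one is whatever serves
the profile pages.
"""
from urllib.parse import urlsplit

PAGE_ORIGIN = "https://spacehey.example"  # placeholder origin that 'self' refers to

# The policy suggested in the text, and the same policy with the directive
# the text warns against.
SUGGESTED_POLICY = ("default-src 'self'; img-src *; media-src *; "
                    "script-src 'self' https://tibush.b-cdn.net https://tibushlabs.de")
WEAKENED_POLICY = SUGGESTED_POLICY + " 'unsafe-inline'"

NETWORK_SCHEMES = {"http", "https", "ws", "wss"}  # what a bare '*' matches; data: is not one


def parse_csp(header: str) -> dict:
    """'default-src 'self'; img-src *' -> {'default-src': ["'self'"], 'img-src': ['*']}.
    A repeated directive is ignored, as browsers do."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict, directive: str):
    """Fetch directives that are not set fall back to default-src.
    None means the directive is not restricted at all."""
    return policy.get(directive, policy.get("default-src"))


def _host_source_matches(source: str, url, page) -> bool:
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme:
        if src.scheme != url.scheme:
            return False
    elif url.scheme not in (page.scheme, "https"):  # scheme-less source: page scheme, or https
        return False
    host = (src.hostname or "").lower()
    target = (url.hostname or "").lower()
    if host.startswith("*."):
        if not target.endswith(host[1:]):  # *.cdn.example matches a.cdn.example, not cdn.example
            return False
    elif host != target:
        return False
    if src.port is not None and src.port != url.port:  # explicit ports compared literally
        return False
    if src.path and src.path != "/" and not url.path.startswith(src.path):
        return False
    return True


def allows(header: str, directive: str, target: str, page_origin: str = PAGE_ORIGIN) -> bool:
    """Would a browser enforcing `header` let `directive` load `target`?

    `target` is a URL, or the string "inline" for content embedded in the page
    itself: a <script>...</script> block, an onload= handler, a <style> block
    or a style= attribute.
    """
    sources = effective_sources(parse_csp(header), directive)
    if sources is None:
        return True  # neither the directive nor default-src is set
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return False
    if target == "inline":
        return "'unsafe-inline'" in lowered
    url, page = urlsplit(target), urlsplit(page_origin)
    for source, s in zip(sources, lowered):
        if s == "'self'":
            if (url.scheme, url.hostname, url.port) == (page.scheme, page.hostname, page.port):
                return True
        elif s == "*":
            if url.scheme in NETWORK_SCHEMES:
                return True
        elif s.endswith(":") and "/" not in s:  # scheme source: https:, data:, blob:
            if url.scheme == s[:-1]:
                return True
        elif not s.startswith("'"):  # host source; quoted keywords we don't model are skipped
            if _host_source_matches(source, url, page):
                return True
    return False


if __name__ == "__main__":
    for policy_name, policy in (("suggested", SUGGESTED_POLICY), ("weakened", WEAKENED_POLICY)):
        print(policy_name, "inline <script> runs:", allows(policy, "script-src", "inline"))
    print("CDN script:", allows(SUGGESTED_POLICY, "script-src", "https://tibush.b-cdn.net/app.js"))
    print("attacker script:", allows(SUGGESTED_POLICY, "script-src", "https://evil.example/x.js"))
    print("inline <style>:", allows(SUGGESTED_POLICY, "style-src", "inline"))
```

The last two lines of the demo are the ones that matter for rollout: the attacker's script is refused, but so is every inline style, which is why the policy needs a `style-src` before it can go live.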
Cookies: Cookies support a few different security options (flags) that affect their behavior, none of which SpaceHey has enabled. A quick rundown of the main flags:
- HttpOnly: Keeps the cookie out of reach of JavaScript (`document.cookie`), so an XSS payload can't simply read the session cookie and send it off. Note what it doesn't do: script running in the page can still make authenticated requests as the victim, because the browser attaches the cookie itself.
- Secure: Prevents a cookie from being sent over unencrypted HTTP. HSTS as described above already keeps browsers that have seen the header off HTTP, so this overlaps with it, but it is still worth setting: it also covers the first visit before HSTS takes effect and any client that doesn't honour HSTS.
- SameSite: A mitigation against cross-site request forgery (CSRF) that tells browsers not to attach the cookie to requests originating from another site. `Lax` still sends it on top-level navigations (a user following a link to your site), which is what most sites want; `Strict` withholds it even then, so someone arriving from a link in an email or chat shows up logged out. Chromium-based browsers already treat a cookie with no `SameSite` attribute as `Lax`, but not every browser does, so set it explicitly in your cookie configuration rather than relying on a default.
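As an added example (not SpaceHey's code), here is the weak and the hardened form of a session cookie side by side, built with Python's standard `http.cookies`, plus a small audit function that reports which of the three flags a `Set-Cookie` value is missing. The cookie name `session` and the token values are placeholders.

```python
"""Cookie-flag helpers, added as an illustration; not SpaceHey's code.

Assumption: the cookie name `session` and the token values are placeholders.
Standard library only; SameSite support in http.cookies needs Python 3.8+.
"""
from http.cookies import SimpleCookie
from typing import List


def set_cookie_header(name: str, value: str, *, http_only: bool, secure: bool,
                      same_site: str = "", path: str = "/") -> str:
    """Render a Set-Cookie value with the requested flags."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = path
    morsel["httponly"] = http_only
    morsel["secure"] = secure
    if same_site:
        morsel["samesite"] = same_site
    return morsel.OutputString()


def weak_session_cookie(token: str) -> str:
    """A cookie with none of the flags: the situation described above."""
    return set_cookie_header("session", token, http_only=False, secure=False)


def hardened_session_cookie(token: str) -> str:
    """The same cookie with HttpOnly, Secure and an explicit SameSite=Lax."""
    return set_cookie_header("session", token, http_only=True, secure=True, same_site="Lax")


def audit_set_cookie(header: str) -> List[str]:
    """Report which protections a Set-Cookie value is missing.

    Attribute names are case-insensitive. Besides the three flags, this flags
    SameSite=None without Secure, a combination browsers reject outright.
    """
    attrs = {}
    for part in header.split(";")[1:]:  # [0] is name=value
        name, _, val = part.strip().partition("=")
        attrs[name.lower()] = val.strip().lower()
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly")
    if "secure" not in attrs:
        findings.append("Secure")
    if "samesite" not in attrs:
        findings.append("SameSite")
    elif attrs["samesite"] == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    return findings


if __name__ == "__main__":
    for label, hdr in (("weak", weak_session_cookie("tok3n")),
                       ("hardened", hardened_session_cookie("tok3n"))):
        print(f"{label:9} Set-Cookie: {hdr}")
        print(f"{'':9} missing: {audit_set_cookie(hdr) or 'nothing'}")
```

The audit function is also handy against a live site: paste the `Set-Cookie` lines from a login response into it and it tells you exactly which of the three flags the framework is not emitting.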
Comments
Displaying 12 of 12 comments
김태풍
but most of all, samy is my hero
7millionbugsinmybasement
h
zandertee
Woah, this is a brilliant list! You really know your stuff. Hopefully all of these measures can be implemented, sadly the original MySpace had loads of security problems.
ɥsoɾ
nice, dude. looks like you got through to him too.
the other myspace clone site didn't even use https LOL
Retsi
This is very useful info Shaun, much appreciated!
albert
I had no idea about HTTP Strict Transport Security (HSTS) and hijacking the initial connection. Good read. Big ups.
Greg "X" Willis
Nice list, bookmarking this for future reference.
clive
Solid!
Just Another Geriatric Millennial Elder Emo
This is a good post indeed. Whenever I tinker around with site creation, I always check everything with hardenize.com, the Mozilla Observatory, and internet.nl - they all do all kinds of security checkups, from server backend to the actual frontend.
Josh Manders
Wonderful blog post!
LukyVj
Now that’s a good and complete blog post!
An
Thank you very, very, very, very much!! Seriously, this helps a lot!! Will implement all of those things! Thank you!!