Category: Web, HTML, Tech

Dear Admin: Security Recommendations for SpaceHey

While a 2007-era Myspace clone is great, web security best practices have come a long way since 2007. Modern browsers implement a bunch of useful security features that SpaceHey currently doesn't take advantage of. I've decided to write about a few of them here. These are mostly "toggle-on" options at the web server and framework level that shouldn't require significant (if any) changes to your code.

HSTS: Even if the unencrypted HTTP version of your website automatically redirects to HTTPS, that initial connection can still be hijacked to steal user sessions, passwords, and other data.

HTTP Strict Transport Security (HSTS) solves this by preventing browsers from ever requesting an opted-in website over plaintext HTTP. Enabling it is as simple as sending the Strict-Transport-Security header, documented here. You'll want to set `max-age` to 31536000 (one year, in seconds) and apply the `includeSubDomains` directive.

Content Security Policy: Cross-site scripting (XSS) is probably the most common class of web application vulnerability, and it can be catastrophic on sites like this. Right now, you're relying on White-HTML-Filter to allow limited markup in profile fields, etc. while rejecting JavaScript, which is fine. But if there's a vulnerability in this library, your templating engine, or your own code, someone who gets XSS will be able to wreak havoc on your users.

Sending the Content-Security-Policy (CSP) response header is a good way to prevent this. You can create a whitelist of allowed sources for JavaScript and other potentially harmful content, so that even if someone is able to inject code into a page, browsers will refuse to execute it.

A strong CSP can effectively eliminate XSS as a viable attack vector, but it depends on what sources you allow. For example, if the goal is to mitigate XSS, you'll want to whitelist script files from trusted hosts and not include the `'unsafe-inline'` keyword in `script-src` (permitting inline JavaScript does nothing to stop XSS; luckily, this site doesn't seem to use any). A starting point for SpaceHey might be:

Content-Security-Policy: default-src 'self'; img-src *; media-src *; script-src 'self' https://tibush.b-cdn.net https://tibushlabs.de

The above policy is completely untested and will probably break loading some content without additional allowed sources. Of these recommendations, CSP is the hardest to implement but the most valuable when it finally works. Feel free to contact me for help with troubleshooting it.

Cookies: Cookies support a few different security options (flags) that affect their behavior, none of which SpaceHey has enabled. A quick rundown of the main flags:
  • HttpOnly: Prevents JavaScript from accessing a cookie. This prevents the theft of sensitive cookies via XSS.
  • Secure: Prevents a cookie from being sent over unencrypted HTTP. If you enforce HSTS as described above, this is somewhat redundant, but it's still a good idea.
  • SameSite: This is a mitigation against cross-site request forgery (CSRF) that tells browsers not to send a cookie in requests originating from third-party sites. The default value in modern browsers is `Lax` (as opposed to the stricter but mostly unnecessary `Strict`), but it would be prudent to explicitly set this in your cookie configuration.
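As an added illustration (not code from this post or from SpaceHey), here is a small Python audit that checks a response's headers against the three recommendations above: HSTS with a one-year `max-age` and `includeSubDomains`, a `script-src` without `'unsafe-inline'` or a bare `*`, and the three cookie flags. The sample header sets are constructed; the hardened one uses the CSP line proposed above, and the checks treat a missing `script-src` as falling back to `default-src` (the CSP fallback rule).

```python
ONE_YEAR = 31536000  # seconds; the HSTS max-age the post recommends

def check_hsts(value):
    """Findings for a Strict-Transport-Security value (None = header absent)."""
    if value is None:
        return ["HSTS header missing"]
    directives = dict(p.strip().lower().partition("=")[::2] for p in value.split(";"))
    findings = []
    if int(directives.get("max-age") or 0) < ONE_YEAR:
        findings.append("HSTS max-age is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings

def check_csp(value):
    """Findings for a Content-Security-Policy value, judged on script sources."""
    if value is None:
        return ["CSP header missing"]
    policy = {t[0].lower(): t[1:] for t in (d.split() for d in value.split(";")) if t}
    # script-src falls back to default-src; with neither, scripts are unrestricted
    script_src = policy.get("script-src", policy.get("default-src", ["*"]))
    findings = []
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline'")
    if "*" in script_src:
        findings.append("script-src allows scripts from any host")
    return findings

def check_cookie(set_cookie):
    """Findings for one Set-Cookie value: which of the three flags are missing."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {p.strip().split("=")[0].lower() for p in set_cookie.split(";")[1:]}
    return [f"cookie {name} lacks {f}" for f in ("HttpOnly", "Secure", "SameSite")
            if f.lower() not in attrs]

def audit(headers):
    """headers: dict of lowercase header name -> value; set-cookie maps to a list."""
    findings = check_hsts(headers.get("strict-transport-security"))
    findings += check_csp(headers.get("content-security-policy"))
    for cookie in headers.get("set-cookie", []):
        findings += check_cookie(cookie)
    return findings

# Constructed samples: WEAK is the state the post describes, HARDENED applies its advice
WEAK = {"content-type": "text/html", "set-cookie": ["session=abc123; Path=/"]}
HARDENED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; img-src *; media-src *; "
                               "script-src 'self' https://tibush.b-cdn.net https://tibushlabs.de",
    "set-cookie": ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"],
}
```

Running `audit(WEAK)` lists five findings (missing HSTS, missing CSP, and all three cookie flags), while `audit(HARDENED)` returns an empty list.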


Comments


김태풍


but most of all, samy is my hero


7millionbugsinmybasement


h


zandertee


Woah, this is a brilliant list! You really know your stuff. Hopefully all of these measures can be implemented, sadly the original MySpace had loads of security problems.


ɥsoɾ


nice, dude. looks like you got through to him too.
the other myspace clone site didn't even use https LOL


Retsi


This is very useful info Shaun, much appreciated!


albert


I had no idea about HTTP Strict Transport Security (HSTS) and hijacking initial connection. Good read. Big ups.


Greg "X" Willis


Nice list, bookmarking this for future reference.


clive


Solid!


Zsolt


This is a good post indeed. Whenever I tinker around with site creation, I always check everything with hardenize.com, the Mozilla Observatory, and internet.nl - they all do all kinds of security checkups, from server backend to the actual frontend.


Josh Manders


Wonderful blog post!


LukyVj


Now that’s a good and complete blog post!


An


Thank you very, very, very, very much!! Seriously, this helps a lot!! Will implement all of those things! Thank you!!
