Writing from memory. I'll add more as I recall things:
Make sure all requests coming in and out of a web app are over TLS. If you don't care about ancient clients, use TLS 1.2+ with strong ciphers.
Hash passwords with a slow hashing function (scrypt, argon2, bcrypt, or PBKDF2). Never store passwords in plain text or use some "encryption" mechanism. And please don't create your own hash function.
Expire password reset keys after (1) user changes their password, (2) requests a new password reset, (3) or a few hours. They are equivalent to passwords.
Expire the session identifier after the user successfully logs in to prevent a session fixation attack.
Use random (CSRF) tokens on POST requests to protect against CSRF attacks (popular frameworks do this automatically). Or better, use the SameSite cookie attribute.
Speaking of cookies: use HTTPOnly and Secure attributes. Bonus points for cookie prefixes.
Enable Content Security Policy (CSP). It's a pain to set up on existing websites, but it pretty much eliminates all XSS attacks.
If you manage your servers, disable root access to them. Only use key-based authentication, never password-based auth. Protect your SSH key with a long, randomly-generated password.
Change the default port for SSH. This is more security by obscurity, but from my experience, it drastically reduces the number of drive-by SSH attacks. Throttle access to that new port via ufw/iptables. Bonus points for allowing only specific users via SSH.
Use some sort of captcha to prevent bogus signups. Honeypots will do as well.
Always keep your dependencies up-to-date.
Not for IH side-projects, but I have done official PenTests from certified, 3rd-party shops working for companies. It definitely helped uncover some vulnerabilities and strengthen the security of the system. Having a professional do it really helps, because it’s hard for you to spot vulnerabilities in things you’ve built—otherwise you would have fixed it already. And pros know lots of tricks that you wouldn’t think of. The downside is that it’s very expensive.
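An added illustration (not code from the comment above) of the password-reset-key rules it lists: a token is stored only as a hash because it is equivalent to a password, and it dies when the user changes their password, when a new reset is requested, or after a few hours. The store class, the 2-hour TTL and the `user_id` values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 2 * 3600  # "a few hours"; constructed value for the example


class ResetTokenStore:
    """Single-use password reset tokens, void on the three events named above."""

    def __init__(self):
        # user_id -> (sha256 hex of token, issued_at). One live token per user.
        self._tokens = {}

    def issue(self, user_id, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Store only a hash, so a leaked table does not yield usable tokens.
        # Issuing a new token replaces, and therefore expires, any earlier one.
        self._tokens[user_id] = (hashlib.sha256(token.encode()).hexdigest(), now)
        return token

    def redeem(self, user_id, token, now=None):
        """Return True once for a valid, unexpired token; the token is consumed."""
        now = time.time() if now is None else now
        entry = self._tokens.get(user_id)
        if entry is None:
            return False
        digest, issued_at = entry
        if now - issued_at > RESET_TTL_SECONDS:
            del self._tokens[user_id]  # stale: drop it rather than keep checking
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison so response timing leaks nothing about the hash.
        if not hmac.compare_digest(digest, presented):
            return False
        del self._tokens[user_id]  # the password change that follows consumes it
        return True

    def on_password_changed(self, user_id):
        # A password changed by any other route voids the outstanding reset token.
        self._tokens.pop(user_id, None)
```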
Kali is a great starting point, Nikto and Burp are great tools for discovering weaknesses with minimal effort.