Sunday, April 5, 2015

Service Security Tips (1)

The most important part of providing a service to your client is making that service secure enough.
This is not about firewalls, access privileges or other network-related issues; it is about the service itself.
In this article, based on my SOA study and my development background, I will give some tips to make your service secure enough.

HTML data

Some developers write sensitive information directly into the HTML. For example, a control may be shared between different roles: if the currently logged-in user is in role X, the div for role X is shown and the div for role Y is hidden.

In the example above, the 'divAdmin' data should appear for admins only and be hidden for everyone else.
But the contents of 'divAdmin' are still delivered when the user is logged in as the 'EndUser' role or any other role, and can be read simply by viewing the page's HTML source in the browser:
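The following is an added example (my own code, not from the original post) that reproduces the 'divAdmin' problem in Python: the insecure rendering only hides the admin div with CSS, the secure rendering never emits it, and a small "view source" check shows the difference. The admin string and the role names are constructed for the example.

```python
import re

# Constructed sample value standing in for the admin-only data; not from the post.
ADMIN_SECRET = "Payroll export key: EXAMPLE-KEY-123"


def render_insecure(role: str) -> str:
    """Vulnerable pattern: emit both role-specific divs and hide the wrong one
    with CSS. The hidden markup is still delivered to every browser."""
    admin_style = "" if role == "Admin" else ' style="display:none"'
    user_style = ' style="display:none"' if role == "Admin" else ""
    return (
        "<html><body>"
        f'<div id="divAdmin"{admin_style}>{ADMIN_SECRET}</div>'
        f'<div id="divUser"{user_style}>Welcome, user.</div>'
        "</body></html>"
    )


def render_secure(role: str) -> str:
    """Hardened pattern: decide on the server and simply do not emit the
    admin div for any other role, so there is nothing to reveal in the source."""
    body = (
        f'<div id="divAdmin">{ADMIN_SECRET}</div>'
        if role == "Admin"
        else '<div id="divUser">Welcome, user.</div>'
    )
    return f"<html><body>{body}</body></html>"


def divs_in_source(html: str) -> dict:
    """What 'view source' shows: every div id and its text, ignoring CSS.
    A reviewer can run this over a served page to spot role-gated markup
    that should have been withheld on the server."""
    return dict(re.findall(r'<div id="([^"]+)"[^>]*>(.*?)</div>', html))


def leaks_admin_data(html: str) -> bool:
    """True when the admin-only content is present in the markup at all."""
    return ADMIN_SECRET in divs_in_source(html).get("divAdmin", "")
```

Running `leaks_admin_data(render_insecure("EndUser"))` returns True while the secure variant returns False, which is the check to apply to any page that gates content by role.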




ClickJacking

ClickJacking means embedding your page inside an additional layer controlled by the attacker, so that sensitive information the user enters, like a username and password or credit card details, ends up with the attacker.
This usually happens when someone loads your site through <iframe src="URL"></iframe> in their own HTML.
To prevent this weakness, you should add a custom HTTP header by following these steps:
1. Open web.config
2. Go to the <system.webServer> tag
3. Put the following lines inside it:
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="SAMEORIGIN" />
  </customHeaders>
</httpProtocol>


To be continued ...
