2006-12-18
A basic principle of website security
In theory I shouldn't have to say this, but in practice I probably do. One of the most basic principles of designing secure websites is simply this:
Never trust anything you get from the network.
Everything you get from the network is under the control of a sufficiently determined attacker, no matter how it is 'supposed' to be generated. Every request, every form POST, every cookie, and every AJAX callback. No amount of obfuscation can do more than slow an attacker down.
(In fact, obfuscation and attempts to hide things are a useful signpost to would-be attackers of where to look closely, a lesson I believe I learned from Harry Harrison's Stainless Steel Rat.)
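The point about obfuscation, as an added example that is not part of the original post: a cookie that is merely base64-encoded is accepted whatever the client puts in it, while a cookie carrying a server-computed HMAC is rejected once altered, and its fields are still validated after the tag checks out. The key, the field names and all function names are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real key is random and never leaves the server.
SERVER_KEY = b"constructed-demo-key"
ALLOWED_ROLES = ("user", "admin")

def _encode(data):
    raw = json.dumps(data, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()

def obfuscated_cookie(data):
    """Weak form: base64 hides the value but says nothing about who wrote it."""
    return _encode(data)

def read_obfuscated(cookie):
    """Weak form: believes whatever the client sent back."""
    return json.loads(base64.urlsafe_b64decode(cookie))

def signed_cookie(data):
    """Hardened form: the payload travels with an HMAC only the server can compute."""
    body = _encode(data)
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def read_signed(cookie):
    """Return the payload if the tag verifies and the fields are valid, else None."""
    if not isinstance(cookie, str) or len(cookie) > 4096 or cookie.count(".") != 1:
        return None
    body, tag = cookie.split(".")
    try:
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison on bytes, so odd characters cannot raise here.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return None
        data = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # bad base64, bad JSON or undecodable text
        return None
    # A valid tag only proves the server wrote it; the contents are still checked.
    if not isinstance(data, dict) or data.get("role") not in ALLOWED_ROLES:
        return None
    if not isinstance(data.get("user"), str):
        return None
    return data
```
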
As a bonus to not trusting network input, you'll gain resilience against the various badly coded crawlers and web browsers that send you crazy things from time to time.
(This grump was sparked by reading this (from Slashdot), which beats around the fundamental bush a bit too much for my taste. I suppose this is what I get for following a Slashdot link.)