
Authentication, authorization, auditing, availability, confidentiality and integrity. If any of these principles are compromised on your site, your site is at risk
A few definitions - risk, threat, vulnerability and attack. Reasons why websites are at risk. Known and unknown risks.
Start off with a well known security attack - script injection can wreak havoc on your site.
A simple but realistic example of how XSS could affect your site
Persistent, reflected and DOM based XSS. The differences are subtle but important.
How can you protect yourself from script injection? What are the good practices to follow?
Some more techniques by which input can be cleaned up
Check for patterns in your input. Only allow those patterns which seem legit!
PHP offers a whole bunch of ways to validate input, some more here.
What else can you do to make sure user input is safe to use?
Specify default directives so things are less onerous and learn to use wildcards
Inline code and the eval() functions usually spell trouble for your site
If you must use inline code, the Content Security Policy header gives you a few outs.
What makes a good password? Set some constraints so your users are forced to choose strong passwords.
Do not store passwords in plain text. When it comes to security you cannot trust even those who work with you.
An example using a secure token to verify that the request comes from a trusted site.
Coat your website with armor, protect yourself against the most common threats and vulnerabilities. Understand, with examples, how common security attacks work and how to mitigate them. Learn secure practices to keep your website users safe.
Let's parse that.
What's included in this course: