Since I moved from an internal IT risk manager role to a security consulting firm, I have been involved in different discussions on web application security. These experiences made me think that browsers are not security software and their design has little security consideration. Missing security features in browsers are one of the root causes of today’s cybercrime.
There have been some new developments in the browser domain that try to address this root cause. Developers at PayPal, Mozilla and Microsoft have developed three new browser-based security controls:
- Content Security Policy (CSP)
- HTTP Strict Transport Security
- Frame Options
These are IMPORTANT security features and, once enabled, will stop most XSS attacks. However, they need both server-side and client-side implementations in order to provide their protections. Not all browsers support these new features! Only Firefox 4 and IE10 support them.
The Australian Department of Defence published a comprehensive and user-friendly document on these features. It is a must-read for all web developers.
Although there is still some room for improvement, they are doing a very good job compared with a HK online banking website (shown on the right-hand side).
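All three controls are delivered as HTTP response headers, so the server-side half of the implementation is simply sending them with sane values, and a defender's first check is whether a site actually does. The script below is an added example written for this post, not code from the original author or from any of the vendors named above. It audits a response's headers for the three controls and flags the common weak settings (a CSP that allows inline scripts, an HSTS max-age that is too short, an X-Frame-Options value browsers do not honour). The header names are the standardized ones (older implementations of the Firefox 4 era used prefixed names such as X-Content-Security-Policy); the policy values, the 180-day HSTS threshold and the two sample responses are constructed assumptions for illustration.

```python
"""Audit an HTTP response's headers for CSP, HSTS and X-Frame-Options (added example)."""
import re
from typing import Dict, List, Optional

# Constructed baseline values; a real site tailors the CSP to its own origins.
RECOMMENDED_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
}

MIN_HSTS_MAX_AGE = 15552000  # 180 days, an assumed baseline for this example


def _lookup(headers: Dict[str, str], name: str) -> Optional[str]:
    # Header names are case-insensitive, so compare after lower-casing.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_csp(value: Optional[str]) -> List[str]:
    """Parse the CSP directive list and report settings that undo XSS protection."""
    if value is None:
        return ["missing"]
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, rest = part.partition(" ")
        directives[name.lower()] = rest.split()
    findings: List[str] = []
    if "default-src" not in directives:
        findings.append("no default-src fallback; unlisted fetch types are unrestricted")
    # script-src inherits from default-src when absent.
    script_src = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script_src:
        findings.append("'unsafe-inline' in script-src defeats XSS protection")
    if "*" in script_src:
        findings.append("wildcard script-src permits scripts from any origin")
    return findings


def check_hsts(value: Optional[str]) -> List[str]:
    """Check that HSTS has a usable max-age and covers subdomains."""
    if value is None:
        return ["missing"]
    findings: List[str] = []
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        findings.append("no max-age directive; browsers ignore the header")
    elif int(match.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append(f"max-age {match.group(1)} is below {MIN_HSTS_MAX_AGE}s")
    if "includesubdomains" not in value.lower():
        findings.append("includeSubDomains absent; subdomains can still be downgraded")
    return findings


def check_frame_options(value: Optional[str]) -> List[str]:
    """Only DENY and SAMEORIGIN are reliably honoured by browsers."""
    if value is None:
        return ["missing"]
    normalised = value.strip().upper()
    if normalised in ("DENY", "SAMEORIGIN"):
        return []
    if normalised.startswith("ALLOW-FROM"):
        return ["ALLOW-FROM is not supported by all browsers; use CSP frame-ancestors instead"]
    return [f"unrecognised value {value!r}; treated inconsistently across browsers"]


def audit(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return findings per control; an empty list means the control is in good shape."""
    return {
        "Content-Security-Policy": check_csp(_lookup(headers, "Content-Security-Policy")),
        "Strict-Transport-Security": check_hsts(_lookup(headers, "Strict-Transport-Security")),
        "X-Frame-Options": check_frame_options(_lookup(headers, "X-Frame-Options")),
    }


def is_hardened(headers: Dict[str, str]) -> bool:
    return all(not findings for findings in audit(headers).values())


# Constructed sample responses: one with only a token HSTS header, one with the baseline set.
WEAK_RESPONSE = {"Server": "Apache", "Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=300"}
HARDENED_RESPONSE = dict(RECOMMENDED_HEADERS, **{"Content-Type": "text/html"})

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label)
        for control, findings in audit(hdrs).items():
            print(f"  {control}: {'ok' if not findings else '; '.join(findings)}")
```

Feed `audit()` the header dictionary from any HTTP client (for example `dict(response.headers)`) to compare a live site against the baseline; the checks are deliberately conservative, so a policy they pass still needs a manual review of the origins it allows.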