Since I moved from an internal IT risk manager role to a security consulting firm, I have been involved in many discussions on web application security. These experiences made me think that browsers are not security software and that their design gives little consideration to security. Missing security features in browsers are one of the root causes of today's cybercrime.
There have been some new developments in the browser domain that try to address this root cause. Developers at PayPal, Mozilla and Microsoft have developed three new browser-based security controls:
- Content Security Policy (CSP)
- HTTP Strict Transport Security
- Frame Options
These are IMPORTANT security features and, once enabled, will stop most XSS attacks. However, they need both server-side and client-side implementations in order to provide their protection: the server must send the headers, and the browser must understand and enforce them. Not all browsers support these new features! Only Firefox 4 and IE10 support them.
The Australian Department of Defence published a comprehensive and user-friendly document on these features. It is a must-read for all web developers.
Recently, a security firm, Recx Ltd, created a Chrome extension that analyses the security features of web pages. It checks the HTTP headers and cookie settings against best practices, then shows the result in a simple and direct way. I installed it on Chrome and used it to test some websites. The first is HKCERT, where a few of my friends work. I am sure they do not mind demonstrating web security implementations.
Although there is still some room for improvement, they are doing a very good job compared with a HK online banking website (shown on the right-hand side).
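To make concrete what "server-side implementation" means for the three controls listed above, and what an extension like the Recx one is actually looking at, here is an added example: a small header audit script I wrote for this post, not code from Recx or from any of the browser vendors. It parses a raw HTTP response, reports whether Content-Security-Policy, Strict-Transport-Security and X-Frame-Options are present and sensibly set, and checks every Set-Cookie header for the Secure and HttpOnly flags. The two responses at the bottom are constructed samples, not captures from HKCERT or any bank, and the one-year HSTS max-age threshold is my own assumption about what "best practice" means, not a value taken from the post.

```python
"""Audit an HTTP response for the browser-enforced controls discussed above.
Added example (not the post's code, not Recx's extension): CSP, HSTS,
X-Frame-Options and cookie flags are checked against simple best practices."""
import re
from email.parser import Parser
from email.message import Message
from typing import Dict, List

# Assumption (not stated in the post): HSTS max-age below one year is reported as weak.
HSTS_MIN_MAX_AGE = 31536000


def parse_response(raw: str) -> Message:
    """Return the header section of a raw HTTP response as a Message.
    The status line and body are dropped; repeated headers (Set-Cookie) are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    header_lines = head.split("\r\n")[1:]  # drop "HTTP/1.1 200 OK"
    return Parser().parsestr("\n".join(header_lines) + "\n")


def check_csp(msg: Message) -> str:
    value = msg.get("Content-Security-Policy")
    if value is None:
        return "missing"
    # Allowing inline script (in script-src, or in default-src when script-src is
    # absent) gives up most of the XSS protection a CSP is meant to provide.
    directives = {d.strip().split(" ", 1)[0]: d.strip() for d in value.split(";") if d.strip()}
    script_policy = directives.get("script-src") or directives.get("default-src", "")
    if "'unsafe-inline'" in script_policy:
        return "weak: script-src allows 'unsafe-inline'"
    return "ok"


def check_hsts(msg: Message) -> str:
    value = msg.get("Strict-Transport-Security")
    if value is None:
        return "missing"
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        return "invalid: no max-age"
    if int(match.group(1)) < HSTS_MIN_MAX_AGE:
        return f"weak: max-age {match.group(1)} below {HSTS_MIN_MAX_AGE}"
    return "ok"


def check_frame_options(msg: Message) -> str:
    value = msg.get("X-Frame-Options")
    if value is None:
        return "missing"
    if value.strip().upper() in ("DENY", "SAMEORIGIN"):
        return "ok"
    return f"unexpected value: {value.strip()}"


def check_cookies(msg: Message) -> List[str]:
    """One finding per Set-Cookie header: which of Secure / HttpOnly it lacks."""
    findings = []
    for cookie in msg.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        findings.append(f"{name}: ok" if not missing else f"{name}: missing {', '.join(missing)}")
    return findings


def audit(raw_response: str) -> Dict[str, object]:
    """Run all checks and return a finding per control."""
    msg = parse_response(raw_response)
    return {
        "csp": check_csp(msg),
        "hsts": check_hsts(msg),
        "frame_options": check_frame_options(msg),
        "cookies": check_cookies(msg),
    }


# Constructed sample responses for the demo; not captured from any real site.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html></html>"
)

WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit(raw))
```

Point `audit()` at the raw headers of any server you administer and it gives the same present/missing/weak picture the extension shows in the browser, which is handy for checking a fix on the server side before anyone opens a browser. Remember that a clean audit only means the server is sending the headers; the post's caveat still applies, because a client that does not implement CSP, HSTS or frame options will silently ignore them.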