Unvalidated Parameters

Web applications use input from HTTP requests (and occasionally from files) to decide how to respond. Every part of an HTTP request is under the attacker's control: the URL, the query string, headers, cookies, form fields and hidden fields can all be tampered with to try to bypass the site's security mechanisms. Nothing the client sends can be trusted, whether or not the browser form ever showed it.

To defend against these attacks:

Check everything taken from the HTTP request before you use it

Serve the site over HTTPS and redirect all HTTP traffic to HTTPS.

Use a current version of TLS (1.2 or later). To learn more, read our TLS 1.2 vs TLS 1.1 article. Do not use SSL at all.

Help prevent man-in-the-middle attacks by pinning public keys. Note that the HTTP Public Key Pinning (HPKP) header is deprecated and no longer honoured by the major browsers, and a wrong pin locks users out of the site; pinning remains useful in mobile and other native clients that you control.

The X-XSS-Protection header only enabled the legacy reflected-XSS filter of older browsers. It is deprecated, current browsers ignore it, and the filter itself could be abused, so it is not a defence against cross-site scripting: rely on output encoding and a content security policy instead, and if you set the header at all, set it to 0.

Validate all input and reject anything that is not explicitly allowed (an allowlist, not a denylist of known-bad values)

Check the type, minimum and maximum length, character set, format (regular expression), minimum and maximum value, and so on, for every parameter, and reject parameters you did not expect at all.
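The checks above, as an added example (this is not code from the original page). It assumes the request has already been parsed into a dict of parameter name to string value, as most frameworks provide; the schema, field names and sample requests are constructed for illustration. Every parameter must match an explicit rule, and anything unknown or malformed is rejected rather than "cleaned up".

```python
"""Allowlist validation of HTTP request parameters.

Added example, not code from the original page. It assumes the request has
already been parsed into a dict of parameter name -> string value, as most
frameworks provide (Flask's request.args, Django's request.GET, ...). The
schema, field names and sample requests are made up for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """Shape of one allowed parameter: type, length, charset/format, range."""
    kind: str                       # "str" or "int"
    required: bool = True
    min_len: int = 0
    max_len: int = 255
    pattern: Optional[str] = None   # regex for the allowed characters/format
    min_value: Optional[int] = None
    max_value: Optional[int] = None


# The allowlist: the only parameters this endpoint accepts, and what they
# must look like. Anything not listed here is rejected outright.
SCHEMA = {
    "username": Rule("str", min_len=3, max_len=32, pattern=r"[A-Za-z0-9_]+"),
    "email":    Rule("str", min_len=6, max_len=254,
                     pattern=r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
    "page":     Rule("int", required=False, min_value=1, max_value=10000),
    "sort":     Rule("str", pattern=r"asc|desc"),
}


def _check_one(raw, rule):
    """Return the validated, typed value or raise ValueError with the reason."""
    if not isinstance(raw, str):
        # e.g. a list when the same name was sent twice (?page=1&page=2)
        raise ValueError("must be a single string")
    if rule.kind == "int":
        # re.fullmatch anchors both ends; str.isdigit() would also accept
        # Unicode digits and int() accepts surrounding whitespace.
        if re.fullmatch(r"-?[0-9]{1,12}", raw) is None:
            raise ValueError("must be an integer")
        value = int(raw)
        if rule.min_value is not None and value < rule.min_value:
            raise ValueError(f"must be >= {rule.min_value}")
        if rule.max_value is not None and value > rule.max_value:
            raise ValueError(f"must be <= {rule.max_value}")
        return value
    if not rule.min_len <= len(raw) <= rule.max_len:
        raise ValueError(f"length must be {rule.min_len}..{rule.max_len}")
    if rule.pattern is not None and re.fullmatch(rule.pattern, raw) is None:
        raise ValueError("contains characters or a format that is not allowed")
    return raw


def validate_params(params, schema=SCHEMA):
    """Validate request parameters against the allowlist schema.

    Returns (clean, errors): `clean` holds only values that passed every
    check, converted to their declared type; `errors` maps each rejected or
    unexpected parameter name to the reason. The caller should refuse the
    request when `errors` is non-empty rather than trying to repair input.
    """
    clean, errors = {}, {}
    for name in params:
        if name not in schema:
            errors[name] = "unexpected parameter"
    for name, rule in schema.items():
        if name not in params:
            if rule.required:
                errors[name] = "missing"
            continue
        try:
            clean[name] = _check_one(params[name], rule)
        except ValueError as exc:
            errors[name] = str(exc)
    return clean, errors


# Constructed sample requests (not real traffic).
GOOD_REQUEST = {"username": "alice_01", "email": "alice@example.com",
                "page": "2", "sort": "asc"}
BAD_REQUEST = {"username": "alice'; DROP TABLE users;--",
               "email": "alice@example.com", "page": "99999999",
               "sort": "asc", "debug": "1"}

if __name__ == "__main__":
    for request in (GOOD_REQUEST, BAD_REQUEST):
        clean, errors = validate_params(request)
        print("accepted:", clean)
        print("rejected:", errors)
```

Run against the two constructed requests, the first is accepted with page converted to an integer, while the second is refused for three separate reasons: the username fails the character-set rule, the page number is out of range, and "debug" is not a parameter the endpoint knows about. The same validator also rejects a parameter that arrives as a list (the same name sent twice), which frameworks often surface without warning.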

Use a web application firewall as an additional layer; it filters known attack patterns but does not replace validation inside the application.

Implement a content security policy.

Apply Subresource Integrity (an integrity attribute) to your <script> and <link> elements, especially those loading resources from third-party origins such as CDNs, so that a changed or tampered file is refused instead of executed.
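How the integrity value is derived and checked, as an added example (not code from the original page). The hash construction (base64 of the raw SHA-256/384/512 digest, prefixed with the algorithm name) and the "strongest algorithm wins" rule are those of the SRI specification; the script content and URL below are constructed for illustration.

```python
"""Subresource Integrity (SRI): computing and checking integrity values.

Added example, not code from the original page. The hash construction
(base64 of the raw SHA-256/384/512 digest, prefixed with the algorithm name)
and the "strongest algorithm wins" rule are those of the SRI specification;
the script content and URL below are constructed for illustration.
"""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
                  "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for `content`, e.g. 'sha384-...'."""
    digest = SRI_ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Decide, as a browser would, whether fetched bytes satisfy `integrity`.

    The attribute may hold several whitespace-separated values. Only values
    using the strongest supported algorithm present are considered, and the
    resource is accepted if it matches any of them. Values with unknown
    algorithms are ignored; if nothing supported remains, the browser loads
    the resource unchecked, so this function returns True in that case too.
    """
    parsed = []
    for token in integrity.split():
        algorithm, sep, value = token.partition("-")
        if sep and algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, value.split("?", 1)[0]))  # drop options
    if not parsed:
        return True  # no usable metadata: no check is applied (spec behaviour)
    strongest = max(STRENGTH[algorithm] for algorithm, _ in parsed)
    for algorithm, expected in parsed:
        if STRENGTH[algorithm] != strongest:
            continue
        actual = sri_integrity(content, algorithm).partition("-")[2]
        if hmac.compare_digest(actual.encode(), expected.encode()):
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Build a <script> element pinned to the exact bytes you reviewed.

    crossorigin="anonymous" is required for SRI on cross-origin resources;
    without it the browser cannot read the response to verify it and
    refuses to load the script.
    """
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample: the third-party script as it was when it was reviewed.
SAMPLE_SCRIPT = b"window.widget = function () { console.log('hello'); };\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/widget.js", SAMPLE_SCRIPT)
    print(tag)
    value = sri_integrity(SAMPLE_SCRIPT)
    print("unchanged script accepted:", sri_matches(SAMPLE_SCRIPT, value))
    print("modified script accepted: ",
          sri_matches(SAMPLE_SCRIPT + b"alert(1);", value))
```

Generate the value at build time from the exact file you reviewed, and regenerate it deliberately when you upgrade the dependency: if the CDN copy changes by even one byte, the browser refuses to run it instead of silently executing the new code. Two details worth knowing: a weaker hash listed next to a stronger one is ignored entirely, and an attribute that names only algorithms the browser does not support gives no protection at all, so a typo in the algorithm name fails open.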

Carry out code reviews, paying particular attention to every place where request data is read and used.

Use strong passwords

Use long, unique passwords that combine lowercase and uppercase letters, numbers and special symbols. Use a password manager such as KeePass to generate and store them, so that no password is reused across sites.