Translated from the original article: https://dev.to/ahmedatefae/web-security-knowledge-you-must-understand-it-part-i-https-tls-ssl-cors-csp-298l


What is Web security?

The web is not perfectly safe for every user, and every day we hear about websites being rendered unusable by denial-of-service attacks, or pages being forged.

This series of articles is helpful in understanding the basics of Web security.

This series summarizes the most common attacks and provides strategies for dealing with them.


Different types of Web security

  • HTTPS
  • TLS
  • SSL
  • CORS
  • CSP
  • OWASP (Security Risk) >> I’ll cover it in Part 2 of this series
  • Hashing algorithm >> I’ll cover it in part 2 of this series
    • MD5
    • SHA
    • scrypt
    • bcrypt

HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure. It is the secure version of HTTP and is used primarily to send data between web browsers and websites.

Others cannot read the data because the communication is encrypted with the TLS protocol, which I will explain in the next topic.


How HTTPS works

It uses an encrypted communication protocol called Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL).

This encryption uses two keys, one called the public key and the other called the private key.

  • 1. Public key: shared between the browser and the website.
  • 2. Private key: used to decrypt information that was encrypted with the public key; it is never shared outside the server.


TLS

TLS is currently the most widely used security protocol. It is designed to provide privacy and data security for communications over the Internet; typical use cases are encrypting traffic between web applications and servers, email, and voice over IP (VoIP).

How TLS works

Any application or website that uses TLS must have a TLS certificate (also known as an “SSL certificate”) installed on its origin server.

The certificate identifies the certificate holder and is tied to a key pair, a public key and a private key, used for encrypting and decrypting communications.

This process is called the TLS handshake 🤝 and its steps are:

  • Determine which version of TLS will be used during the session.
  • Authenticate the server by using a TLS certificate.
  • After the handshake is complete, a session key is generated for use during the session.

To that end, the topic needs further explanation, and I’ll write an article and add a link here.



SSL

Secure Sockets Layer (SSL) is an encryption-based Internet security protocol created by Netscape in 1995 to ensure the integrity and privacy of Internet connections; it is now known as TLS.

How SSL works

It works like TLS, using the same handshake concept.

What is the difference between TLS and SSL?

SSL is the older version of TLS. After Netscape, the protocol was developed further by the Internet Engineering Task Force (IETF) and renamed, and some developers still use SSL and TLS to refer to the same thing.

Note that SSL has received no updates since 1996, which leaves it very vulnerable to attack; all modern browsers have dropped support for it and only support TLS.



CORS

Cross-Origin Resource Sharing (CORS) is a mechanism that uses HTTP headers to specify which foreign origins may access a local resource and how, meaning that we can build a whitelist of the origins that are allowed to access our resources across domains.


How CORS works

  • 1. When a site makes a fetch request for a resource on an external server, the browser adds a header carrying the requesting origin, for example Origin: http://www.example.com.
  • 2. The server receives the preflight request, looks the given origin up in its Access-Control-Allow-Origin whitelist, and answers the browser's OPTIONS call; from that answer the browser decides whether the actual request is safe to send. For example, Access-Control-Allow-Origin: http://www.example.com allows only that origin, while Access-Control-Allow-Origin: * allows any origin to obtain the resource.
  • 3. If the server specifies allowed methods, the browser compares the request method against them, for example Access-Control-Allow-Methods: PUT, DELETE.


CSP

Content Security Policy (CSP) is an additional layer of security that helps detect and mitigate certain types of malicious attacks, such as cross-site scripting (XSS), data injection attacks, clickjacking, and so on.

  • Cross-site scripting (XSS): a vulnerability that lets attackers inject malicious code into a website, which is then executed by the client's browser to obtain sensitive data (such as cookies, session information and site-specific information). It exists because the web application does not validate or encode its input and output sufficiently, so the user's browser cannot tell that the malicious script is not to be trusted.

  • Injection attack: malicious code injected into a website that pulls all the information out of a database and delivers it to the attacker. The primary form of this attack is SQL injection.

  • Clickjacking: also known as a “UI overlay attack”; the attacker tricks the user into clicking what appears to be the top layer of the page, when in fact the click lands on a transparent or opaque button that links to another page.
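The XSS bullet above says the root cause is missing validation or encoding. The following added example (not from the original article) shows the vulnerable pattern beside the hardened one; the comment text is a constructed sample and the page template is assumed.

```javascript
// Added example (not from the original article): raw interpolation of
// untrusted text into HTML versus encoding it first.
// UNTRUSTED_COMMENT is a constructed sample input; the template is assumed.

// A comment as it might be submitted through a form field.
const UNTRUSTED_COMMENT = '<script>alert(1)</script> nice post!';

// Vulnerable pattern: raw interpolation. The browser parses the submitted
// markup as part of the page and runs the script inside the page's origin,
// where cookies and session data are reachable.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Encode the characters that carry meaning in HTML text and attribute values,
// so user data is displayed literally instead of being parsed as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every untrusted value passes through escapeHtml before it
// reaches the HTML context. CSP, covered in the next section, is a second
// layer that limits the damage if an encoding step is ever missed.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude detector used only to make the difference visible: does the rendered
// HTML still contain a <script> tag the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderCommentUnsafe(UNTRUSTED_COMMENT));
console.log('safe:  ', renderCommentSafe(UNTRUSTED_COMMENT));
```

The encoding is context-specific: `escapeHtml` is correct for HTML text and quoted attribute values, but data placed inside a URL, a JavaScript string or a CSS value needs the encoder for that context.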

How CSP works

It uses the concept of directives. Each directive specifies where a given kind of resource may be loaded from, and the browser refuses to load that kind of resource from any other location.

The most commonly used directives:

  • default-src: the default loading policy for all resource types (JavaScript, images, CSS, AJAX requests, etc.). Example: default-src 'self' cdn.example.com;
  • img-src: defines the allowed image sources. Example: img-src 'self' img.example.com;
  • style-src: defines the allowed CSS file sources. Example: style-src 'self' css.example.com;
  • script-src: defines the allowed JavaScript file sources. Example: script-src 'self' js.example.com;
  • connect-src: defines the legitimate targets for XMLHttpRequest (AJAX), WebSockets or EventSource. If the page tries to connect to a host that is not allowed, the browser will respond with a 400 error. Example: connect-src 'self';
  • Several directives combined in one policy: default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';
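To make the directive rules concrete, here is an added example (not from the original article) that parses a CSP header and decides whether a given load is permitted. It handles only host sources, `'self'` and `'none'` and the fallback to default-src; nonces, hashes and `'unsafe-inline'` are treated as non-matching. The page origin and the hostnames are assumptions taken from the directive examples above.

```javascript
// Added example (not from the original article): parse a Content-Security-Policy
// header and check whether a resource load is allowed by it. Supports host
// sources (optional scheme, leading "*." wildcard, port), 'self', 'none' and '*';
// anything else (nonces, hashes, 'unsafe-inline') is treated as no match.

const DEFAULT_PORTS = { http: '80', https: '443', ws: '80', wss: '443' };

// Parse "default-src 'self' cdn.example.com; script-src 'self'" into a Map
// of directive name -> list of source expressions (quotes kept on keywords).
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Split a host source such as "https://*.example.com:8443" into its parts.
function parseHostSource(src) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, wildcard: !!m[2],
           host: m[3].toLowerCase(), port: m[4] || null };
}

// Does one source expression permit loading `url` from a page at `pageOrigin`?
function sourceMatches(src, url, pageOrigin) {
  const u = new URL(url);
  const self = new URL(pageOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return u.origin === self.origin;
  if (src === '*') return true;
  const hs = parseHostSource(src);
  if (!hs) return false;
  const scheme = u.protocol.slice(0, -1);
  const selfScheme = self.protocol.slice(0, -1);
  if (hs.scheme) {
    if (hs.scheme !== scheme) return false;
  } else if (scheme !== selfScheme && !(selfScheme === 'http' && scheme === 'https')) {
    // A source without a scheme inherits the page's scheme (http may upgrade to https).
    return false;
  }
  const host = u.hostname.toLowerCase();
  if (hs.wildcard ? !host.endsWith('.' + hs.host) : host !== hs.host) return false;
  if (hs.port === '*') return true;
  const port = u.port || DEFAULT_PORTS[scheme] || '';
  if (hs.port) return port === hs.port;
  return u.port === ''; // no port in the source means the scheme's default port
}

// Check a load against the directive for its resource type; fetch directives
// that are absent from the policy fall back to default-src.
function isAllowed(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) || policy.get('default-src');
  if (!sources) return true; // no applicable directive: CSP does not restrict it
  return sources.some((src) => sourceMatches(src, url, pageOrigin));
}

// Constructed inputs built from the directive examples above.
const PAGE_ORIGIN = 'https://www.example.com';
const CDN_POLICY = parseCsp("default-src 'self' cdn.example.com; script-src 'self' js.example.com;");
const STRICT_POLICY = parseCsp("default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");

for (const [label, dir, url] of [
  ['script from js.example.com', 'script-src', 'https://js.example.com/app.js'],
  ['image from cdn (default-src fallback)', 'img-src', 'https://cdn.example.com/a.png'],
  ['image from js host', 'img-src', 'https://js.example.com/a.png'],
]) {
  console.log(label, '->', isAllowed(CDN_POLICY, dir, url, PAGE_ORIGIN));
}
```

The fallback rule is what makes `default-src 'none'` the safest starting point: any resource type you forget to list is blocked rather than silently allowed.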


Conclusion

I hope I have adequately illustrated the importance of this topic and explained to you the first steps to progress and knowledge in this broad field, and I will regularly add any new information on this topic to this series so that all parts of the series are in sync.

Don’t forget to read the next article on the subject.
