Summary: Security Fundamentals

Get a quick overview of security fundamentals.


Exploits

Exploits take advantage of vulnerabilities in our own packages or in the third-party libraries we depend on, and they can be used by attackers or anyone with malicious intent. Hence the name: a weakness that can be exploited.

To protect ourselves from exploits, intentional or otherwise, we should:

  • Make it a habit to check for updates regularly and integrate this practice into our development workflow.

  • Consider using automated tools that can help us manage our dependencies and alert us when updates are available.

  • Use the tilde (~) in package.json to allow any version compatible with the one specified. For example, "package-name": "~1.2.3" installs the latest release in the 1.2.x line.
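To make the tilde rule concrete, here is an added example (not code from the lesson) that re-implements how a tilde range such as "~1.2.3" is matched, with the caret rule alongside for comparison. It handles plain x.y.z versions only, with no prerelease tags, so it runs without any dependency; the list of published versions is constructed for the demo.

```javascript
// Added example: resolving "~x.y.z" and "^x.y.z" ranges against a list of
// published versions, the way an installer does. Plain x.y.z versions only.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Compare two parsed versions: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Tilde: patch-level changes only. "~1.2.3" means >=1.2.3 <1.3.0
function satisfiesTilde(range, candidate) {
  const base = parseVersion(range.replace(/^~/, ''));
  const c = parseVersion(candidate);
  return compareVersions(c, base) >= 0 && c.major === base.major && c.minor === base.minor;
}

// Caret: anything that keeps the left-most non-zero field unchanged.
// "^1.2.3" means >=1.2.3 <2.0.0; "^0.2.3" means >=0.2.3 <0.3.0
function satisfiesCaret(range, candidate) {
  const base = parseVersion(range.replace(/^\^/, ''));
  const c = parseVersion(candidate);
  if (compareVersions(c, base) < 0) return false;
  if (base.major !== 0) return c.major === base.major;
  if (base.minor !== 0) return c.major === 0 && c.minor === base.minor;
  return c.major === 0 && c.minor === 0 && c.patch === base.patch;
}

// Pick the highest published version that satisfies the range.
function resolve(range, published) {
  const matcher = range.startsWith('~') ? satisfiesTilde : satisfiesCaret;
  const ok = published.filter(v => matcher(range, v));
  ok.sort((x, y) => compareVersions(parseVersion(x), parseVersion(y)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed list of versions standing in for a registry.
const PUBLISHED = ['1.2.3', '1.2.4', '1.2.9', '1.3.0', '2.0.0'];
console.log(resolve('~1.2.3', PUBLISHED)); // 1.2.9
console.log(resolve('^1.2.3', PUBLISHED)); // 1.3.0
```

The practical point: a tilde range accepts patch releases (typically the ones that ship security fixes) while refusing the minor-version jumps a caret range would pull in, so the two ranges resolve to different versions from the same registry.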

XSS

Cross-Site Scripting (XSS) is one of the most common security vulnerabilities in web applications. It occurs when an attacker injects malicious scripts into web pages that are viewed by other users. These scripts can then be used to steal information, deface web pages, or perform other malicious actions.

To avoid it as much as possible, we can apply the following to our coding practices:

  • We should avoid using v-html, dangerouslySetInnerHTML, or innerHTML for user-generated content.

  • If we must use one of them, sanitize the user input first with a library such as sanitize-html.

  • We should also validate user input on the backend, so that malicious code never reaches the database.
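The following added example (not code from the lesson) shows the difference between rendering untrusted text as markup and as escaped text, plus the backend check that rejects markup before it is stored. In Vue, {{ }} and v-text escape while v-html does not; in React, JSX text escapes while dangerouslySetInnerHTML does not. The functions below reproduce that distinction with plain string templates so the effect is visible in Node; the comment input is constructed.

```javascript
// Added example: escaping versus raw interpolation, and a server-side
// plain-text validator. Template names and the 500-character limit are
// assumptions for the demo.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node or
// attribute value. This is what a template engine does for {{ }} interpolation.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Vulnerable: untrusted input is interpolated as raw markup (v-html style).
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened: untrusted input is escaped before it becomes part of the page.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Backend check on the same input, so hostile markup is refused before it is
// stored. This accepts plain text only: any tag-like sequence is rejected.
function validateComment(comment) {
  if (typeof comment !== 'string') return { ok: false, reason: 'not a string' };
  if (comment.length > 500) return { ok: false, reason: 'too long' };
  if (/<\s*\/?\s*[a-z!]/i.test(comment)) return { ok: false, reason: 'markup not allowed' };
  return { ok: true };
}

// Constructed sample input containing a script tag.
const HOSTILE = '<script>alert(1)</script>';

console.log(renderCommentUnsafe(HOSTILE)); // tag survives intact
console.log(renderCommentSafe(HOSTILE));   // &lt;script&gt;alert(1)&lt;/script&gt;
console.log(validateComment(HOSTILE));     // { ok: false, reason: 'markup not allowed' }
```

Escaping is the right tool when the content is text. When users are allowed to submit rich content (bold, links, lists), escaping would destroy it, and that is the case for an allowlist sanitizer such as sanitize-html rather than a hand-written regex.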

CSRF

CSRF is a type of attack that manipulates users into performing unintended actions on a web application where they’re authenticated. Unlike other attacks, CSRF exploits the trust a website has in the user's browser, not the user’s trust in the website.

Developers can implement CSRF tokens to prevent CSRF attacks. These tokens are random, unique values associated with a user's session, and the token is required for every state-changing operation. The server can then verify that the request came from a legitimate form it served by checking the token.

Spoofing

Spoofing involves creating a fake version of a website or application that looks almost identical to the real one. The attacker then tricks the user into visiting the fake site and entering their personal information, which the attacker then captures.

The attacker will try to manipulate the HTML of our website to redirect the user to their fake, similar website. The attacker will then take advantage of the sense of security our users feel on our website to trick them into giving out precious information.

To avoid this, we should review our code and make sure our HTML cannot be manipulated by user-generated content, URLs, or session data. It's paramount that we never render this kind of data as raw HTML with v-html or dangerouslySetInnerHTML.
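Two checks for the places where user-supplied URLs reach our HTML, as an added example (not the lesson's own code). Link targets built from user content are limited to http(s) so a non-navigational scheme cannot turn a link into script, and a post-login redirect target is kept only when it stays on our own origin, so a "next" parameter cannot send a signed-in user to a look-alike site. The origin and paths are assumptions for the demo.

```javascript
// Added example: allowlisting link schemes and keeping redirects on-origin.
// Uses the WHATWG URL parser built into Node so case and whitespace
// variations are normalised before we compare anything.

const OUR_ORIGIN = 'https://example.com'; // assumed origin of our own app
const SAFE_LINK_PROTOCOLS = new Set(['http:', 'https:']);

// Return an href safe to place in an <a> built from user content, or null
// when the value must be dropped.
function safeHref(userUrl) {
  let parsed;
  try { parsed = new URL(String(userUrl)); } catch { return null; } // relative or malformed
  return SAFE_LINK_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Resolve a post-login "next" target against our origin and keep it only when
// it stays there. Protocol-relative ("//host/...") and absolute foreign URLs
// both resolve to another origin and fall back to the default path.
function safeRedirect(nextParam, fallback = '/') {
  let target;
  try { target = new URL(String(nextParam), OUR_ORIGIN); } catch { return fallback; }
  if (target.origin !== OUR_ORIGIN) return fallback;
  return target.pathname + target.search + target.hash;
}

// Constructed inputs of the kinds a form or query string might carry.
console.log(safeHref('https://partner.example/page')); // https://partner.example/page
console.log(safeHref('javascript:void(0)'));           // null
console.log(safeRedirect('/account?tab=1'));           // /account?tab=1
console.log(safeRedirect('//evil.example/login'));     // /
```

Returning only the path, query and fragment from safeRedirect (never the host) is deliberate: the response header is then rebuilt relative to our own origin, so no user-controlled host name ever reaches the Location header.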
