Web Security

Take care of the security of your application or website and the privacy of your customers.

Today it is essential to secure your web site or application against the latest types of attacks and vulnerabilities. These attacks are increasingly widespread, and a successful one can cause serious problems for your business and your users.

There is no magic formula. Securing a web site means studying each setting and implementing it correctly; which settings apply, and how strictly they can be configured, depends on the individual case.

Below we describe some of the most commonly used configurations recommended by international standards. If you have any questions, contact us and we will help you find the right solution for your case.

HTTPS/TLS

All websites and applications today should use HTTPS to protect the confidentiality and integrity of data travelling between the server and the client. A correctly configured TLS deployment follows current recommendations (modern protocol versions and cipher suites, a valid certificate chain), protects against man-in-the-middle attacks, enables performance features such as HTTP/2 that browsers only offer over TLS, and gives your users greater confidence in your site.

HTTP Strict Transport Security

We configure your web site or application to comply with the current HSTS recommendations. Once a browser has received the Strict-Transport-Security header from your site (or finds your domain on the built-in preload list), it rewrites every http:// request to that host to https:// before sending it, even if the user typed a plain HTTP address or followed an HTTP link, and it no longer lets the user click through certificate errors. Because a long max-age cannot be undone quickly, the header is rolled out with a short lifetime first and extended once every host and subdomain is confirmed to work over HTTPS. Recommended for all websites that are served exclusively over HTTPS.

Content Security Policy

We set up custom Content Security Policy (CSP) policies according to the needs of your web site or application. CSP gives you control over what the browser may load and execute on your pages and, alongside proper output encoding, is the recommended defense-in-depth measure against cross-site scripting (XSS): among other protections, it ensures that only scripts you have explicitly allowed (by origin, hash or per-request nonce) are executed, so inline script injected by an attacker is blocked.

Cookies

All cookies should be set with the Secure flag (so they are never sent over plaintext HTTP) and the HttpOnly flag (so they cannot be read by JavaScript), and otherwise as restrictively as possible: a SameSite attribute, a narrow Path and no Domain attribute. This limits the damage from cross-site scripting (XSS) vulnerabilities, since cookies often carry session identifiers or other sensitive information that an injected script could otherwise exfiltrate.

Referrer Policy

When a user follows a hyperlink or a page loads an external resource, the browser tells the destination site where the request came from through the HTTP Referer header. While this is useful for analytics and anti-abuse purposes, it can also put users' privacy at risk, because the full URL of the originating page (including query strings that may carry tokens or personal data) is sent to third parties. Setting a Referrer-Policy, as a response header or a meta tag, gives a site fine-grained control over how much of that URL the browser transmits and when; strict-origin-when-cross-origin, now the default in current browsers, sends only the origin to other sites and nothing at all when moving from HTTPS to HTTP.
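As an added example (not from this page), the following implements the policy table from the Referrer Policy specification for every policy value, so you can see exactly what each setting leaks for a given source and destination. It generalises beyond the single policy named above; the URLs are constructed sample inputs.

```javascript
// Added example, not code from the page: what the Referer header carries
// under each Referrer-Policy value for a request from `from` to `to`.
// Sample URLs are constructed.

// Referrers never include credentials or the fragment, whatever the policy.
function stripped(url) {
  const u = new URL(url);
  u.username = ''; u.password = ''; u.hash = '';
  return u.href;
}
// Origin-only referrers are serialised with a trailing slash.
function origin(url) { return new URL(url).origin + '/'; }
// A downgrade is HTTPS -> HTTP; that is where most policies fall silent.
function isDowngrade(from, to) {
  return new URL(from).protocol === 'https:' && new URL(to).protocol === 'http:';
}
function sameOrigin(from, to) { return new URL(from).origin === new URL(to).origin; }

const POLICIES = [
  'no-referrer', 'no-referrer-when-downgrade', 'origin', 'origin-when-cross-origin',
  'same-origin', 'strict-origin', 'strict-origin-when-cross-origin', 'unsafe-url',
];

// Returns the Referer value the browser would send, or null for none.
// The empty policy string is the browser default (strict-origin-when-cross-origin).
function refererFor(policy, from, to) {
  switch (policy) {
    case 'no-referrer': return null;
    case 'unsafe-url': return stripped(from);
    case 'origin': return origin(from);
    case 'no-referrer-when-downgrade': return isDowngrade(from, to) ? null : stripped(from);
    case 'strict-origin': return isDowngrade(from, to) ? null : origin(from);
    case 'same-origin': return sameOrigin(from, to) ? stripped(from) : null;
    case 'origin-when-cross-origin': return sameOrigin(from, to) ? stripped(from) : origin(from);
    case '':
    case 'strict-origin-when-cross-origin':
      if (sameOrigin(from, to)) return stripped(from);
      return isDowngrade(from, to) ? null : origin(from);
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Leak report: one row per policy for a given navigation.
function leakReport(from, to) {
  const report = {};
  for (const p of POLICIES) report[p] = refererFor(p, from, to);
  return report;
}

// Constructed scenario: an order page with a token in the query string
// loading a third-party resource over plain HTTP.
const FROM = 'https://shop.example.com/orders/4711?token=s3cr3t#top';
const TO_HTTP_THIRD_PARTY = 'http://tracker.example/pixel.gif';
```

Running leakReport(FROM, TO_HTTP_THIRD_PARTY) shows that only unsafe-url and origin send anything to the plaintext third party, and that unsafe-url hands over the token in the query string; this is the case the policy exists to prevent.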

Subresource Integrity

Subresource Integrity (SRI) is a W3C recommendation that protects against attackers who modify a JavaScript library (or stylesheet) hosted on a content delivery network (CDN) in order to compromise every website that loads it. The integrity attribute pins an external resource to a cryptographic hash of its known content at the time you reviewed it; if the file served ever differs from that hash, current browsers refuse to execute it. A legitimate update to the library therefore also breaks the page until you review the new version and update the hash, which is the intended behaviour.

X-Content-Type-Options

X-Content-Type-Options is a response header, originally introduced by Internet Explorer and now supported by all current browsers, whose only defined value, nosniff, tells the browser not to execute a script or apply a stylesheet unless the server declares the correct MIME type. Without it, browsers may sniff the content and treat a file as a script or stylesheet regardless of its declared type, which attackers can exploit for XSS (for example through an uploaded file that is served as an image but contains script). Every site should therefore send X-Content-Type-Options: nosniff together with the correct Content-Type for every file it serves.

X-Frame-Options

X-Frame-Options is an HTTP header that lets a site control whether its pages may be embedded in a frame or iframe by other sites. Clickjacking is a practical attack in which a malicious page overlays an invisible frame of your site on top of its own content and tricks users into clicking your site's buttons and links without realising it. The header should be set to DENY (or SAMEORIGIN where your own pages need to frame each other) on every new site, and existing sites should add it as soon as possible. The ALLOW-FROM value is no longer supported by browsers; the CSP frame-ancestors directive is the modern, more flexible replacement and takes precedence where both are present, so send it alongside X-Frame-Options.

X-XSS-Protection

X-XSS-Protection is a legacy feature of Internet Explorer and older versions of Chrome that stops a page from loading when the browser detects a reflected cross-site scripting (XSS) attack. It is largely unnecessary when a site deploys a strong Content Security Policy that disallows inline JavaScript, and it can still help users of older browsers that do not support CSP. Note that current Chrome (since version 78) and Edge have removed the filter and Firefox never implemented it, and because the filter itself was abused to leak information about page content, current OWASP guidance is to send X-XSS-Protection: 0 and rely on CSP; keep 1; mode=block only if you must support such legacy browsers.
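As an added example (not from this page), the following audits a captured set of response headers for the three headers described in the X-Content-Type-Options, X-Frame-Options and X-XSS-Protection sections above, applying the values those sections recommend and the interaction between X-Frame-Options and CSP frame-ancestors. The sample header sets are constructed.

```javascript
// Added example, not code from the page: audit a response's headers for the
// MIME-sniffing, framing and legacy XSS-filter settings. Samples constructed.

// Returns a list of findings; empty means the three headers are in order.
function auditResponseHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  // 1. MIME sniffing: 'nosniff' is the only defined value.
  if ((h['x-content-type-options'] || '').trim().toLowerCase() !== 'nosniff')
    findings.push('X-Content-Type-Options: nosniff is missing');

  // 2. Framing: CSP frame-ancestors takes precedence over X-Frame-Options in
  //    browsers that support both. Require one of them and reject values
  //    that permit every origin.
  const csp = h['content-security-policy'] || '';
  const frameAncestors = csp.split(';').map(d => d.trim())
    .find(d => d.startsWith('frame-ancestors'));
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (frameAncestors) {
    if (/\*/.test(frameAncestors))
      findings.push(`frame-ancestors allows any origin: "${frameAncestors}"`);
  } else if (!xfo) {
    findings.push('no X-Frame-Options and no CSP frame-ancestors: page is clickjackable');
  } else if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push(`X-Frame-Options "${xfo}" is not DENY/SAMEORIGIN (ALLOW-FROM is unsupported)`);
  }

  // 3. Legacy XSS filter: '0' to disable, or '1' / '1; mode=block' for old
  //    browsers only. Anything else is a typo that buys nothing.
  const xss = (h['x-xss-protection'] || '').trim();
  if (xss && xss !== '0' && !/^1(;\s*(mode=block|report=\S+))?$/i.test(xss))
    findings.push(`X-XSS-Protection has an unexpected value "${xss}"`);
  if (!xss && !csp)
    findings.push('no CSP and no X-XSS-Protection: nothing mitigates reflected XSS');
  return findings;
}

// Constructed samples: the hardened set and a typical weak one.
const HARDENED = {
  'Content-Type': 'text/html; charset=utf-8',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-XSS-Protection': '0',
};
const WEAK = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'ALLOW-FROM https://partner.example',
};

function demo() {
  return { hardened: auditResponseHeaders(HARDENED), weak: auditResponseHeaders(WEAK) };
}
```

Header names are matched case-insensitively because proxies and HTTP/2 lower-case them; an audit that compares exact strings will miss headers that are actually present.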

Cybersecurity

Cyber attacks are becoming increasingly devastating. Don't wait for the worst to happen: protect your company against malicious hackers.

Data Backup

Regular, tested backups are essential to your company's security; they are often the only way to recover from ransomware or data loss. Contact us and we will plan a backup solution for you.