Web applications have ten proactive security measures; do you know them all? Are they a good way to keep systems and browsers secure? Let's take a look!
1: Content-Security-Policy. Content Security Policy (CSP) is a new security mechanism that Mozilla developed to improve the security of its browser. It lets a web site define a content security policy that explicitly tells the browser which content is legitimate, so that the browser can avoid loading malicious content. CSP mainly locks down web application vulnerabilities such as XSS and Cross-Site Request Forgery. It is highly recommended to turn on its reporting so you can see which content is misbehaving. On the web, the policy is defined by an HTTP header or a META element. The Chrome extension system uses neither: extensions define it in the manifest.json file:

    {
      ...,
      "content_security_policy": "[POLICY STRING GOES HERE]"
    }

For more information about CSP syntax, refer to the W3C Content Security Policy specification.

2: Set X-Frame-Options. All modern browsers support the X-Frame-Options HTTP header, which indicates whether a page may be rendered inside an IFRAME. By using the X-Frame-Options directive, web developers can immediately help IE8 users mitigate threats from various web application attacks. X-Frame-Options has two possible values: DENY: the page cannot be displayed in a frame. SAMEORIGIN: the page can only be displayed in a frame on the same site. In other words, when a page is loaded through <IFRAME> or <FRAME>, specifying DENY makes the load fail not only when this site frames the page but also when any other site does; specifying SAMEORIGIN makes only other sites' attempts fail.

3: Prevent CSRF. To protect against cross-site request forgery, it is recommended to add a random token to each form and validate it on every submission; this prevents the user from being hit by a CSRF attack.
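The per-form random token of item 3, as an added example that is not code from the article. The in-memory dict standing in for the framework's session store, the field name csrf_token and the handler are all assumptions.

```python
import hmac
import secrets

# Added example: per-session anti-CSRF tokens. The session dict is a
# constructed stand-in for a real session backend.
TOKEN_KEY = "csrf_token"


def issue_token(session: dict) -> str:
    """Create (or reuse) the random token bound to this session.

    The token is embedded in every form as a hidden field. An attacker's
    page cannot read it because of the same-origin policy, so a forged
    cross-site POST arrives without a matching value.
    """
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)
    return session[TOKEN_KEY]


def hidden_field(session: dict) -> str:
    """HTML snippet to drop into each <form> the site renders."""
    return '<input type="hidden" name="csrf_token" value="%s">' % issue_token(session)


def validate_token(session: dict, form: dict) -> bool:
    """Compare the submitted value with the session token.

    compare_digest is used so the comparison does not leak timing
    information about how many leading characters matched.
    """
    expected = session.get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_post(session: dict, form: dict) -> str:
    """Minimal state-changing handler: reject before touching any state."""
    if not validate_token(session, form):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: transfer processed"


if __name__ == "__main__":
    session = {}
    print(hidden_field(session))
    genuine = {"csrf_token": session[TOKEN_KEY], "amount": "100"}
    forged = {"amount": "100"}  # a cross-site form cannot include the token
    print(handle_post(session, genuine))
    print(handle_post(session, forged))
```

The token is generated once per session rather than per request so that multiple open tabs keep working; rotating it on login is still advisable so a token issued before authentication is never reused afterwards.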
On CSRF protection, a FreeBuf member has written a detailed article which you can read.

4: DAL (data/database access layer). A DAL (http://en.wikipedia.org/wiki/Data_access_layer) can effectively prevent SQL injection, but few companies know how to use it correctly. Although converting to a DAL is complex, because every single database call has to be modified so that its queries and inserts go through the DAL layer, the resulting SQL injection is eliminated at the root.

5: Read-only file system. With the configuration file set up correctly, the user account the web site runs as cannot write files on the file system.

6: Security log audit. Log information can quickly help you find traces of attackers. Log analysis systems such as OSSEC and Zabbix analyse IIS, Apache, Nginx, Windows, Linux and other logs in real time, build up an attack-signature library, and raise an alarm the moment attack behaviour is detected.

7: Encrypted storage. The earlier database-leak ("脱库") incidents at CSDN, Jiayuan and other well-known sites show that many sites still store user passwords in plaintext or with an outdated hash algorithm, so attackers can easily obtain users' information. However, many sites depend on their existing database design and structured data, which makes a later change of the password hashing algorithm very tricky.

8: SSL, cookies with HttpOnly, and STS. Any web site that does not support SSL-encrypted transport is vulnerable to man-in-the-middle attacks. Cookies without HttpOnly, and sites without STS (Strict-Transport-Security), are also vulnerable to cross-site attacks.

9: Build a security framework. Build a security framework for the enterprise itself; programmers invoke it when writing programs, and it filters all harmful user input such as XSS, SQLi and command injection, reducing security risk to some extent.
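Items 4 and 7 both live in the database layer, so here is one added example (not the article's code) that serves both: a small data access layer whose queries only ever use bound parameters, which also stores passwords with salted PBKDF2 and transparently upgrades a legacy unsalted MD5 hash on the user's next successful login, the situation item 7 calls tricky. The users table, the "md5$" / "pbkdf2$" tagging of stored hashes and the sample accounts are all constructed for the example.

```python
import hashlib
import secrets
import sqlite3

# Added example: parameterised DAL (item 4) plus salted, iterated password
# hashing with legacy-hash upgrade (item 7). Schema and hash tags are assumptions.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing string: pbkdf2$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Verify against the current scheme or a legacy unsalted MD5 row."""
    if stored.startswith("pbkdf2$"):
        _, iters, salt, digest = stored.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(iters))
        return secrets.compare_digest(calc.hex(), digest)
    if stored.startswith("md5$"):
        return secrets.compare_digest(hashlib.md5(password.encode()).hexdigest(), stored[4:])
    return False


class UserDAL:
    """Every SQL statement lives here and binds its values as parameters.

    Callers never assemble SQL strings, so user input is always sent
    separately from the statement text and cannot change its structure.
    """

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.conn.execute("CREATE TABLE IF NOT EXISTS users (name TEXT PRIMARY KEY, pw TEXT NOT NULL)")

    def create(self, name: str, password: str) -> None:
        self.conn.execute("INSERT INTO users (name, pw) VALUES (?, ?)", (name, hash_password(password)))

    def stored_hash(self, name: str):
        row = self.conn.execute("SELECT pw FROM users WHERE name = ?", (name,)).fetchone()
        return row[0] if row else None

    def login(self, name: str, password: str) -> bool:
        stored = self.stored_hash(name)
        if stored is None or not verify_password(password, stored):
            return False
        # The plaintext is only available at login time, so this is the
        # moment to replace a legacy hash without forcing a mass password reset.
        if not stored.startswith("pbkdf2$"):
            self.conn.execute("UPDATE users SET pw = ? WHERE name = ?", (hash_password(password), name))
        return True


def unsafe_lookup(conn: sqlite3.Connection, name: str):
    """The pattern the DAL replaces: string formatting lets input rewrite the query."""
    return conn.execute("SELECT name FROM users WHERE name = '%s'" % name).fetchall()


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    dal = UserDAL(conn)
    dal.create("alice", "correct horse battery staple")
    # Constructed legacy row, stored the way an old system would have.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("bob", "md5$" + hashlib.md5(b"hunter2").hexdigest()))
    payload = "' OR '1'='1"
    return {
        "unsafe_rows": len(unsafe_lookup(conn, payload)),   # formatted query returns every user
        "dal_rows": dal.stored_hash(payload) is not None,   # bound parameter: no such user
        "bob_login": dal.login("bob", "hunter2"),
        "bob_upgraded": dal.stored_hash("bob").startswith("pbkdf2$"),
        "wrong_pw": dal.login("alice", "nope"),
    }


if __name__ == "__main__":
    print(demo())
```

Tagging each stored hash with its scheme and parameters is what makes the later algorithm change manageable: the verifier can accept old and new rows side by side, and a report of how many "md5$" rows remain tells you when the migration is done.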
10: Set autocomplete=off and use strong passwords. The AutoComplete control means that when a user types the first few letters or characters into a text box, the control offers every stored entry (from the text or the database) that begins with those letters for the user to choose from, which is convenient. But the convenience can also bring a security risk: an attacker may obtain historical information the user has typed, such as a password.

The above are the top ten security measures for the web. Don't underestimate them; they are the important "experts" that keep browsing safe. Let's get to know them and see what their powerful features can do!
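Items 1, 2 and 8 all come down to response headers, so here is one added audit (not the article's code) that checks a response for the settings they recommend: a CSP that does not allow inline scripts, a valid X-Frame-Options value, an STS header with a reasonable max-age, and HttpOnly plus Secure on every cookie. The two sample responses are constructed, and the 180-day STS threshold is an assumption of this example.

```python
import re

# Added example: audit one HTTP response's headers against items 1, 2 and 8.
# Headers are given as a dict; several Set-Cookie values may be passed as a list.
MIN_STS_AGE = 15552000  # 180 days, an assumed threshold


def audit_headers(headers: dict, https: bool = True) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1: Content-Security-Policy
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append("CSP: no default-src fallback")
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script:
            findings.append("CSP: script-src allows 'unsafe-inline', which defeats the XSS protection")
        if "*" in script.split():
            findings.append("CSP: script-src allows any origin")

    # 2: X-Frame-Options
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options: header missing")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: invalid value %r" % xfo)

    # 8: SSL and STS
    if not https:
        findings.append("Transport: response served over plain HTTP")
    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("STS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", sts)
        if not m or int(m.group(1)) < MIN_STS_AGE:
            findings.append("STS: max-age missing or shorter than 180 days")

    # 8: cookie flags
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for c in cookies:
        name = c.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in c.split(";")[1:]]
        if "httponly" not in attrs:
            findings.append("Cookie %s: HttpOnly not set" % name)
        if "secure" not in attrs:
            findings.append("Cookie %s: Secure not set" % name)
    return findings


# Constructed sample responses: a weak configuration and a corrected one.
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW",
    "Set-Cookie": "session=abc123; Path=/",
}
STRONG = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure", "lang=en; Path=/; HttpOnly; Secure"],
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit_headers(resp) or ["ok"])
```

Run it against each page of the site from a test client rather than only the front page: it is the login form and the admin pages that most need the cookie flags and the frame restriction, and they are the ones most often served by a different code path.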