Sometimes I think that web development is at its core a communication management. Users send some data in our direction and we respond accordingly. We show, edit, save, delete and if we don’t understand we return an error code. Every field that you add to your website, every new endpoint ia a potential weak link. Therefore it’s important to treat inputs with caution. Here are two low hanging fruits for you to improve security of your application.
Sanitize the input
Don’t trust everything you get from a user. Clean the input from executable code. It will help you prevent many types of attacks for example Cross-site scripting or remote code executions. There are cases in which you want your user to be able to paste some code - links, styling or embedded Spotify playlist. List these use cases, and wipe out everything else.
There are libraries to make it easy for you:
- Ruby on Rails includes the SanitizeHelper,
- There is a Ruby gem called sanitize,
- Node.js has a package called node-sanitize too.
- Pythin has schema and bleach
Validate the input
Database is the most important asset. It needs to be protected no matter what. Don’t believe me? Last year, Facebook and Instagram were down for a couple of hours. You probably were frustrated because there was nothing to scroll, but you may have watched a movie or tweeted for the first time in 10 months instead. Next day, you could login to your instagram and enjoy your friends’ stories, right? Imagine, this story goes in the opposite direction. You login and all of your data is gone - your posts, comments, stories, dms, saved memes, following and followers. That would make you angry, all of these memories and connections gone. Database is the most important asset. Users will forgive you hiccups in availability but they will resent you if you lose their favourite cat videos.
You need to protect the database. The most fundamental thing you can do - validate the input. It’s not enough to sanitise the input. Before you save anything in your database, make sure that what you get is exactly what you want. Not too short, not too long, in the right format etc. You need to validate all of the attributes you want to save. A rookie mistake is to focus only on the most common like first name, last name etc. and leave big text fields unchecked. You want to make sure that the inputs are not vulnerable to SQL injections, remote code executions and slow DDOS etc.
Don’t forget to check legacy parts of your applications. You know, these old views which haven’t been updated since they were scaffolded in 2015. Make an audit, check which parts are secured, and which are not. Share this with your team and guild (chapter, or other fancy name you use for fellow devs), and step by step clean it up. Every contribution will make your app more secure.