Web Application Security

Website security must be considered while building every level of the web stack. This section, however, covers topics that deserve particular attention, such as cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF) and the use of public-private key pairs.

Security tools

  • Bro is a network security and traffic monitor.

  • lynis (source code) is a security audit tool that runs as a shell script on a Linux system to find its vulnerabilities so that you can fix them before they are exploited by malicious actors.

  • Charles is an HTTP proxy for inspecting headers, requests and responses for all traffic that flows through it.

  • TLS Observatory provides a suite of security tools for analyzing and inspecting Transport Layer Security (TLS) services. There is also a hosted version you can use at observatory.mozilla.org.

  • WIG contains tools for gathering wireless data via Wi-Fi protocols.

  • HTTP Evader is an automated testing tool for checking firewalls to ensure they are protecting the appropriate ports and payloads.

  • Security Monkey monitors for changes to AWS, Google Cloud, GitHub and other infrastructure systems.

Specific vulnerabilities

  • httpoxy is a set of vulnerabilities that can affect Python web application servers via crafted HTTP requests.

  • Heartbleed is a vulnerability in OpenSSL implementations that must be patched on any systems you run; otherwise you are at serious risk of data leakage.

  • Meltdown and Spectre are x86 architecture problems that are exploited through CPU branch-prediction implementations.

HTTPS resources

HTTP over SSL/TLS (HTTPS) is mandatory for securing web data traffic in transit. There is a page dedicated to HTTPS, and the following resources can also give you a good overview of how HTTPS works.

General security resources

Web security learning checklist

  1. Read and understand the major web application security flaws that are commonly exploited by malicious actors. These include cross-site request forgery (CSRF), cross-site scripting (XSS), SQL injection and session hijacking. The OWASP top 10 web application vulnerabilities list is a great place to get an overview of these topics.

  2. Determine how the framework you've chosen mitigates these vulnerabilities.

  3. Ensure your code implements the mitigation techniques for your framework.

  4. Think like an attacker and actively work to break into your own system. If you do not have enough experience to confidently break the security, consider hiring a known white hat attacker. Have her break the application's security, report the easiest vulnerabilities to exploit in your app and help implement protections against those weaknesses.

  5. Recognize that no system is ever totally secure. The more popular an application becomes, the more attractive a target it is to attackers, so reevaluate your web application security frequently.
