How to Improve Your Web Application's Security Using Mozilla Observatory

Rate this content
Bookmark

In today's digital landscape, web application security is of paramount importance to protect sensitive user data and maintain user trust. The Mozilla Observatory is a powerful tool that can help developers assess the security posture of their web applications. In this talk we'll learn how to improve the security of web applications using the Mozilla Observatory. 

This talk has been presented at React Day Berlin 2023, check out the latest edition of this React Conference.

Watch video on a separate page

FAQ

Mozilla Observatory is a tool designed to evaluate the security of web applications by assessing their security headers and overall security ranking.

When using Mozilla Observatory, you can choose to skip publishing your results in public records, force a rescan of your application, or opt out of running third-party scanners.

A Content Security Policy (CSP) is a security standard that helps to prevent cross-site scripting (XSS) and other code injection attacks by specifying which resources can be loaded on a website. It is crucial for maintaining the integrity and security of a web application.

Cookies should be secured by using the secure flag to ensure they are sent over HTTPS only, setting them to HTTP-only to prevent access from JavaScript, and defining a strict expiration period.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism that tells browsers to only interact with the website using HTTPS, ensuring all communications are securely encrypted.

Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources fetched from external servers have not been tampered with. It uses cryptographic hashes to check the integrity of each resource, enhancing security against compromised content delivery networks (CDNs).

The referrer policy in web applications controls how much referral information (such as the URL) is passed along with requests between websites. This can help protect user privacy and reduce the risk of leakage of sensitive information.

xFrameOptions is a security header that restricts how a web application can be embedded in other sites, such as in iframes, to prevent clickjacking attacks. xXSSProtection is a header that helps in mitigating cross-site scripting (XSS) attacks in older browsers.

Mozilla Observatory improves security by analyzing and scoring the security headers of a web application, providing insights into potential vulnerabilities and suggesting improvements.

Karan Kiri
Karan Kiri
9 min
12 Dec, 2023

Comments

Sign in or register to post your comment.
Video Summary and Transcription
The Talk discusses how to improve web application security using Mozilla Observatory. It covers topics such as evaluating security headers, maintaining grade history, and implementing content security policies. The importance of securing cookies and enabling HTTP to HTTPS redirection is emphasized. The use of referrer headers to control browser behavior and sub-resource integrity to prevent compromising files are also highlighted.

1. Introduction to Mozilla Observatory

Short description:

Welcome to React Day Berlin. Today I'll be talking about how to improve web application security using Mozilla Observatory. It evaluates security headers and ranking. Let's go to the Mozilla Observatory and see how it looks. You can skip publishing results and force a rescan. It gives the Dplus score and assesses security headers. It maintains grade history. Content security policy allows fine-grained control over loaded resources. It prevents cross-site scripting vulnerabilities. Be careful when implementing it in existing websites. Start with the content security policy report only. Cookies are also important.

Hello, everyone. Welcome to React Day Berlin. My name is Karan. I'm a front-end developer at Fabric, which is a US-based e-commerce startup.

Today I'll be talking about how to improve your web application security using Mozilla Observatory. Mozilla Observatory is a tool where you can use to evaluate your web application security headers and evaluate the security ranking of your websites. So here you can see all the security headers that Mozilla Observatory measures for your application and gives the score.

So let's go to the Mozilla Observatory and see how it looks like. So this is the site here, there are three options here. You can see, you can choose to skip publishing your results in the public records of Mozilla. Mozilla actually caches your scanned results. So if you want to force a rescan, you can click this checkbox. And if you don't want to run any third-party scanners, you can select this one. Let's enter my domain and see what the result gives us. So here you can see it will run the HTTP Observatory and it gives me the Dplus score. And here are all the security headers that it has assessed. And you can see the pass and failure status and score of each of the security header. And the reason behind a particular score is also displayed here as well. It also maintains the grade history. So whenever you make any improvements to your website and rescan the score, then you will be able to see the improved score of your website.

Let's dive into each of the security header and learn more about each of the security header. Content security policy is a very vast topic. So we'll just talk about it briefly. Basically, content security policy allows fine grained control over what resources on your site can be loaded from. It's the best way to prevent any cross site scripting vulnerabilities, commonly known as access attacks. The primary benefit of CSP is that you can disable the use of unsafe inline JavaScript, but it comes with its cons as well. You need to be very careful when implementing it in the existing websites as it may break existing functionalities. The best way to implement CSP is to start with the content security policy report only, which is a header where it will just report your violations, but it will not block any JavaScript execution. That way you can gather the information of all the violations, fix that first, and actually implement the content security policy. Cookies, you must have heard of them.

2. Securing Cookies and Redirection

Short description:

It should be secured using secure flag and sent over HTTPS only. Define minimum expiration period for session identifier cookies. Configure server properly for close origin requests. Enable HTTP to HTTPS redirection.

It should be secured using secure flag, so it should be sent over HTTPS only. It needs to be HTTP only cookies. That doesn't require any access from JavaScript, so it can be blocked from access by any third-party JavaScript as well.

You need to define the expiration period as well. It should be as minimum as possible. In particular, session identifier that we store in cookies should expire very quickly whenever they are no longer needed.

We can use the same set of cookies as well to block the cookies from being sent to any close origin requests. If you're a front-end developer, you must have come across course errors, so it's very important to configure your server very properly for any close origin request. It shouldn't be allowing any other domains that doesn't need that particular resources, so it should be configured properly. It shouldn't be allowing any wildcard patterns access as well.

HSTCS commonly known as HTTP strict transport security tells the browser to load the resources via HTTPS only, and redirection is also very important. You need to enable the HTTP to HTTPS redirection in your web application.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
The talk discusses the importance of supply chain security in the open source ecosystem, highlighting the risks of relying on open source code without proper code review. It explores the trend of supply chain attacks and the need for a new approach to detect and block malicious dependencies. The talk also introduces Socket, a tool that assesses the security of packages and provides automation and analysis to protect against malware and supply chain attacks. It emphasizes the need to prioritize security in software development and offers insights into potential solutions such as realms and Deno's command line flags.
The State of Passwordless Auth on the Web
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Passwords are terrible and easily hacked, with most people not using password managers. The credential management API and autocomplete attribute can improve user experience and security. Two-factor authentication enhances security but regresses user experience. Passkeys offer a seamless and secure login experience, but browser support may be limited. Recommendations include detecting Passkey support and offering fallbacks to passwords and two-factor authentication.
5 Ways You Could Have Hacked Node.js
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
Top Content
The Node.js security team is responsible for addressing vulnerabilities and receives reports through HackerOne. The Talk discusses various hacking techniques, including DLL injections and DNS rebinding attacks. It also highlights Node.js security vulnerabilities such as HTTP request smuggling and certification validation. The importance of using HTTP proxy tunneling and the experimental permission model in Node.js 20 is emphasized. NearForm, a company specializing in Node.js, offers services for scaling and improving security.
Content Security Policy with Next.js: Leveling Up your Website's Security
React Summit US 2023React Summit US 2023
9 min
Content Security Policy with Next.js: Leveling Up your Website's Security
Top Content
Watch video: Content Security Policy with Next.js: Leveling Up your Website's Security
Lucas Estevão, a Principal UI Engineer and Technical Manager at Avenue Code, discusses how to implement Content Security Policy (CSP) with Next.js to enhance website security. He explains that CSP is a security layer that protects against cross-site scripting and data injection attacks by restricting browser functionality. The talk covers adding CSP to an XJS application using meta tags or headers, and demonstrates the use of the 'nonce' attribute for allowing inline scripts securely. Estevão also highlights the importance of using content security reports to identify and improve application security.
Let Me Show You How React Applications Get Hacked in the Real-World
React Advanced 2021React Advanced 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Top Content
React's default security against XSS vulnerabilities, exploring and fixing XSS vulnerabilities in React, exploring control characters and security issues, exploring an alternative solution for JSON parsing, and exploring JSON input and third-party dependencies.
How React Applications Get Hacked in the Real-World
React Summit 2022React Summit 2022
7 min
How React Applications Get Hacked in the Real-World
How to hack a RealWorld live React application in seven minutes. Tips, best practices, and pitfalls when writing React code. XSS and cross-site scripting in React. React's secure by default, but not always. The first thing to discover: adding a link to a React application. React code vulnerability: cross-site scripting with Twitter link. React doesn't sanitize or output H ref attributes. Fix attempts: detect JavaScript, use dummy hashtag, transition to lowercase. Control corrector exploit. Best practices: avoid denialist approach, sanitize user inputs. React's lack of sanitization and output encoding for user inputs. Exploring XSS vulnerabilities and the need to pretty print JSON. The React JSON pretty package and its potential XSS risks. The importance of context encoding and secure coding practices.

Workshops on related topic

0 to Auth in an hour with ReactJS
React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Kevin Gao
Kevin Gao
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
OWASP Top Ten Security Vulnerabilities in Node.js
JSNation 2024JSNation 2024
97 min
OWASP Top Ten Security Vulnerabilities in Node.js
Workshop
Marco Ippolito
Marco Ippolito
In this workshop, we'll cover the top 10 most common vulnerabilities and critical security risks identified by OWASP, which is a trusted authority in Web Application Security.During the workshop, you will learn how to prevent these vulnerabilities and develop the ability to recognize them in web applications.The workshop includes 10 code challenges that represent each of the OWASP's most common vulnerabilities. There will be given hints to help solve the vulnerabilities and pass the tests.The trainer will also provide detailed explanations, slides, and real-life examples in Node.js to help understand the problems better. Additionally, you'll gain insights from a Node.js Maintainer who will share how they manage security within a large project.It's suitable for Node.js Developers of all skill levels, from beginners to experts, it requires a general knowledge of web application and JavaScript.
Table of contents:- Broken Access Control- Cryptographic Failures- Injection- Insecure Design- Security Misconfiguration- Vulnerable and Outdated Components- Identification and Authentication Failures- Software and Data Integrity Failures- Security Logging and Monitoring Failures- Server-Side Request Forgery
How to Build Front-End Access Control with NFTs
JSNation 2024JSNation 2024
88 min
How to Build Front-End Access Control with NFTs
WorkshopFree
Solange Gueiros
Solange Gueiros
Understand the fundamentals of NFT technology and its application in bolstering web security. Through practical demonstrations and hands-on exercises, attendees will learn how to seamlessly integrate NFT-based access control mechanisms into their front-end development projects.
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
Matthew Salmon
Matthew Salmon
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
Bring Code Quality and Security to your CI/CD pipeline
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
WorkshopFree
Elena Vilchik
Elena Vilchik
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.
Passwordless Auth to Servers: hands on with ASA
DevOps.js Conf 2022DevOps.js Conf 2022
32 min
Passwordless Auth to Servers: hands on with ASA
WorkshopFree
E. Dunham
E. Dunham
These days, you don't need a separate password for every website you log into. Yet thanks to tech debt and tradition, many DevOps professionals are still wrangling a host of SSH keys to access the servers where we sometimes need to be. With modern OAuth, a single login and second factor to prove your identity are enough to securely get you into every service that you're authorized to access. What if SSHing into servers was that easy? In this workshop, we'll use Okta's Advanced Server Access tool (formerly ScaleFT) to experience one way that the dream of sending SSH keys the way of the password has been realized.
- we'll discuss how ASA works and when it's the right tool for the job- we'll walk through setting up a free trial Okta account to use ASA from, and configuring the ASA gateway and server on Linux servers- we'll then SSH into our hosts with the ASA clients without needing to supply an SSH key from our laptops- we'll review the audit logs of our SSH sessions to examine what commands were run