Using Components with Known Vulnerabilities

OWASP lists “Using Components with Known Vulnerabilities” as a major issue. Developers tend to pull in libraries from NuGet and other sources rather than writing their own components. In general these components are probably of better quality than an individual would write. However, as they are publicly available, once a weakness is […]

RequireSSL – Marking Cookies As Secure

If your site always serves its content over HTTPS/SSL then every request passed between the browser and the web server carries its cookies encrypted. Excellent: no one monitoring or sniffing the traffic can see the cookie values. However, even if you intend to always use HTTPS, if ANY content is supplied over plain HTTP (JavaScript files, images, […]

Mark Cookies as HTTPONLY

Marking your cookies as HTTPONLY means that JavaScript code running in most browsers cannot read a user’s cookies. This matters because if an attacker does manage to compromise your site and inject JavaScript (for example through a cross-site scripting flaw), they may be able to steal cookie values (including security cookies). If HTTPONLY is set on the cookies […]
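Both settings discussed above (the Secure attribute from the RequireSSL post and the HttpOnly attribute from this one) can be applied site-wide in an ASP.NET application’s web.config. The fragment below is an added example, not code from the original posts; the loginUrl value is an assumption.

```xml
<configuration>
  <system.web>
    <!-- Weak setting (effectively the default): cookies are sent over plain HTTP
         and are readable from script via document.cookie.
         <httpCookies httpOnlyCookies="false" requireSSL="false" /> -->

    <!-- Hardened: every cookie ASP.NET issues, including the ASP.NET_SessionId
         cookie, is written with the HttpOnly and Secure attributes, so the
         browser withholds it from script and from non-HTTPS requests. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <authentication mode="Forms">
      <!-- requireSSL here makes FormsAuthentication refuse to issue the
           authentication cookie unless the current request arrived over HTTPS
           (it throws rather than silently sending the cookie in clear).
           loginUrl is an assumed path. -->
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
```

To check the result, look at the Set-Cookie response headers in the browser’s developer tools (or with curl -I against the HTTPS endpoint) and confirm each cookie carries both “Secure” and “HttpOnly”. Individual cookies created in code can be hardened the same way through the HttpCookie.Secure and HttpCookie.HttpOnly properties. Two caveats: with forms requireSSL="true", any login attempt over plain HTTP (a local test site without a certificate, for instance) will fail with an exception rather than set the cookie, and marking cookies Secure does not by itself stop the browser from making plain-HTTP requests for mixed content, so the site still needs to redirect HTTP to HTTPS (and ideally send an HSTS header) for the protection to be complete.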