Unencrypted communication - pallavitewari21/Secure-Code GitHub Wiki
Insecure Wi-Fi hotspots, as illustrated in our exercise, are just one way enterprising hackers have found to take advantage of unencrypted communication. They may also try to sniff traffic within your network and, if they get access, inspect traffic going through compromised edge devices.
Any point between your server and the user’s browser is a potential weak spot. Given the non-deterministic nature of internet routing, a lot of opportunities present themselves to an enterprising attacker.
Buy a certificate, install it, and configure your webserver to use it.
It’s really as simple as that. Web servers are typically able to serve the same content over HTTP (on port 80) and HTTPS (on port 443). Any non-trivial website should use HTTPS. Facebook and Twitter use HTTPS by default, and this is a good example to follow.
But make sure you know how to force your webserver to elevate to a secure connection and do so whenever a user is authenticating or establishing a session. A common way of enforcing this is to make sure that cookies are set to secure – that way, sessions can only be established over HTTPS.
The code samples below illustrate how to elevate traffic to an HTTPS connection in various set-ups.
## Reverse Proxies

It is fairly common to put Apache or Nginx between your web server and the outside world. If you have this setup, it is very easy to redirect HTTP requests to use HTTPS. In Apache, a rewrite rule would look as follows:

```apache
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
# Written for a per-directory (.htaccess) context, where $1 carries no leading slash
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [QSA,NC,R,L]
```

The equivalent in Nginx is:

```nginx
server {
    listen 80;
    rewrite ^(.*) https://$host$1 permanent;
}
```
## Python Django

To force Django to use HTTPS, the easiest way is to install the django-sslify module. To make sure that cookies are only transmitted over secure connections, include the following option in your settings:

```python
SESSION_COOKIE_SECURE = True
```
## Ruby Rails

Set the option `config.force_ssl` to `true` to ensure traffic travels over HTTPS in a particular environment.
## Java

In your web.xml, set the following option to ensure cookies are only transferred over HTTPS:

```xml
<!-- Servlet 3.0+ web.xml: mark the session cookie as Secure -->
<session-config>
  <cookie-config>
    <secure>true</secure>
  </cookie-config>
</session-config>
```
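The two behaviours the settings above enforce, the HTTP-to-HTTPS redirect and the Secure flag on session cookies, as an added example in the form of a small WSGI middleware (this is not code from the original page or from any of the frameworks it lists). It assumes a reverse proxy that sets `X-Forwarded-Proto` is trusted, and uses a constructed stand-in application to show the effect.

```python
# Added example (not part of the original wiki page): a minimal WSGI middleware
# that does what the Apache/Nginx rewrite rules and SESSION_COOKIE_SECURE do.
from urllib.parse import quote

def is_https(environ):
    # True if the request came over TLS directly, or a reverse proxy
    # (assumed trusted) says so via X-Forwarded-Proto.
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"

def add_secure_flag(cookie):
    # Append '; Secure' unless the Set-Cookie value already carries it.
    attrs = [p.strip().lower() for p in cookie.split(";")]
    return cookie if "secure" in attrs else cookie + "; Secure"

def force_https(app):
    # Wrap a WSGI app: redirect plain HTTP to HTTPS, mark cookies Secure.
    def middleware(environ, start_response):
        if not is_https(environ):
            # Rebuild the same URL with the https scheme; redirect permanently.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            url = f"https://{host}{quote(environ.get('PATH_INFO', '/'))}"
            if environ.get("QUERY_STRING"):
                url += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", url), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            fixed = [(n, add_secure_flag(v) if n.lower() == "set-cookie" else v)
                     for n, v in headers]
            return start_response(status, fixed, exc_info)

        return app(environ, secure_start_response)
    return middleware

def call(app, environ):
    # Run a WSGI app on a constructed environ; return (status, headers, body).
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def demo_app(environ, start_response):
    # Stand-in application: sets a session cookie without the Secure flag.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sessionid=abc123; HttpOnly")])
    return [b"hello"]
```

A plain-HTTP request to `/login` is answered with a 301 to the `https://` URL, while a request the proxy marks as HTTPS reaches the app and leaves with `Secure` added to its session cookie.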