security overview - yibinericxia/documents GitHub Wiki
Never put credentials directly into source code or property files. Instead, create a deploy-specific property file that only references environment variables, which are injected at deploy time (and so never appear in the repository). For example, application-cert.yaml can contain:
spring:
  datasource:
    url: ${ORACLE_HOST}
    username: ${ORACLE_USERNAME}
    password: ${ORACLE_PASSWORD}
...
- JSESSIONID on the Java platform
Add the following to your application's web.xml (Servlet 3.0 and above; session-timeout is in minutes, and restricting tracking-mode to COOKIE stops the container from falling back to URL rewriting, which would leak the session id into logs and Referer headers):
<session-config>
  <session-timeout>30</session-timeout>
  <cookie-config>
    <name>JSESSIONID</name>
    <http-only>true</http-only>
    <secure>true</secure>
  </cookie-config>
  <tracking-mode>COOKIE</tracking-mode>
</session-config>
- Cookies created at login
Add the following right after
Cookie cookie = new Cookie(...)
cookie.setSecure(true);
cookie.setHttpOnly(true);
Some servers, such as Tomcat 7.0 and above, set HttpOnly on the session cookie by default, but that default does not cover cookies your own code creates with new Cookie(...), so set both flags explicitly rather than relying on container defaults.
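The web.xml settings and the per-cookie flags above, as a Java example written for this page (not code from the original wiki). It assumes the Servlet 3.0 API (javax.servlet), a hypothetical authenticate() credential check, and a constructed APP_PREFS cookie standing in for whatever cookie the application creates at login. The listener is the programmatic equivalent of the session-config block; the servlet also adds the session-fixation step the page does not mention, invalidating the pre-login session before creating the authenticated one.

```java
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Programmatic equivalent of the web.xml session-config block, applied once at startup. */
@WebListener
public class SessionHardeningListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        SessionCookieConfig scc = ctx.getSessionCookieConfig();
        scc.setName("JSESSIONID");
        scc.setHttpOnly(true);   // not readable from document.cookie
        scc.setSecure(true);     // only sent over TLS
        // Cookie only: never fall back to ;jsessionid=... URL rewriting.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}

/** Login endpoint: rotates the session id and issues a hardened application cookie. */
@WebServlet("/login")
class LoginServlet extends HttpServlet {
    private static final int ONE_DAY_SECONDS = 24 * 60 * 60;

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");
        String pass = req.getParameter("password");
        if (!authenticate(user, pass)) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Session fixation defence: drop any pre-login session before creating the
        // authenticated one, so an attacker-supplied JSESSIONID is never promoted.
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        HttpSession session = req.getSession(true);
        session.setAttribute("user", user);   // sensitive data stays server side

        // Any extra cookie created at login gets the same two flags as JSESSIONID.
        Cookie prefs = new Cookie("APP_PREFS", "theme=dark");   // constructed example value
        prefs.setSecure(true);
        prefs.setHttpOnly(true);
        prefs.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        prefs.setMaxAge(ONE_DAY_SECONDS);
        resp.addCookie(prefs);

        resp.sendRedirect(req.getContextPath() + "/home");
    }

    /** Hypothetical placeholder: replace with a real check against hashed credentials. */
    private boolean authenticate(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

Deploy both classes in the same web application; the listener runs before any session cookie is issued, so the flags apply to the very first JSESSIONID the container sends.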
An HTTP session stores user information across multiple HTTP requests, since each request on its own is stateless. Because cookies live on the client's computer, keeping sensitive user data in server-side session attributes is preferred: the client only ever holds the opaque session identifier, never the data itself.
Add the following to your application's web.xml so that every uncaught exception is routed to a single controlled page:
<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/path/error.jsp</location>
</error-page>
Do not expose stack traces, exception class names or messages in the error page shown to the user; log them server side and show the user only a generic message.
We can define a servlet in web.xml and use servlet-mapping with a url-pattern to control which URLs reach it. Note that the mapping only routes requests; to restrict who may call those URLs, add a security-constraint with the same url-pattern and an auth-constraint naming the required role.
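The programmatic form of servlet, servlet-mapping and security-constraint, as an added Java example for this page (not code from the original wiki). It assumes the Servlet 3.0 API, a hypothetical com.example.AdminServlet class, and a container login-config and realm that defines the "admin" role; without those the constraint still blocks access but nobody can satisfy it.

```java
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.HttpConstraintElement;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.ServletRegistration;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity.TransportGuarantee;
import javax.servlet.annotation.WebListener;

/** Registers an admin servlet and locks its URL pattern down at startup. */
@WebListener
public class AdminRoutingListener implements ServletContextListener {
    private static final Logger LOG = Logger.getLogger(AdminRoutingListener.class.getName());

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // servlet + servlet-mapping: only /admin/* is routed to AdminServlet (hypothetical class).
        ServletRegistration.Dynamic admin = ctx.addServlet("admin", "com.example.AdminServlet");
        admin.addMapping("/admin/*");

        // security-constraint: the mapping alone restricts nothing, so require the
        // "admin" role over TLS (CONFIDENTIAL) for every HTTP method on those URLs.
        HttpConstraintElement adminOnly =
                new HttpConstraintElement(TransportGuarantee.CONFIDENTIAL, "admin");
        Set<String> uncovered = admin.setServletSecurity(new ServletSecurityElement(adminOnly));

        // Patterns already declared in web.xml cannot be secured here; treat that as a
        // deployment error rather than silently leaving them open.
        if (!uncovered.isEmpty()) {
            throw new IllegalStateException("unsecured admin URL patterns: " + uncovered);
        }
        LOG.info("admin servlet mapped to /admin/* with role=admin over TLS");
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
    }
}
```

setServletSecurity returns the URL patterns that were already mapped in web.xml and therefore did not receive the constraint; failing startup on a non-empty set makes a half-secured deployment impossible to miss.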
- NMap
- BurpSuite
- Metasploit
Reference