# 8- Web Security

## Core defence mechanisms

1. Handling user access
   * Prevent users from gaining unauthorized access to data or functionality.
2. Handling user input
   * Validate and sanitize user input so that malicious input cannot cause undesirable behaviour.
3. Handling attackers
   * Take defensive and offensive measures to frustrate the attacker.
4. Managing the application
   * Enable the administrator to monitor activity and manage the configuration and logs.

## HTTPS

{% hint style="info" %}
HTTPS uses an encryption protocol to encrypt communications:

Secure Sockets Layer (SSL) → Transport Layer Security (TLS), i.e. SSL was the original protocol and TLS is its successor.
{% endhint %}

#### **Secure Handshakes**

Steps:

* Establish the connection
* Check the server's public key and certificate (validated in the client's browser)
* Key exchange: agree on the key that will be used to encrypt/decrypt the traffic
* Connection established
* Request - Response over the encrypted channel

The figure below illustrates the idea further:

#### Certificate

An X.509 certificate contains:

* the algorithm used
* information about the public key
* the domain it was issued for

The figure below illustrates the idea further:

#### **Certificate Authority (CA)**

{% hint style="info" %}
A CA allows users to place their trust in the certificate, since a trusted, independent third party signs it.[^1]
{% endhint %}

The CA's primary role is to validate that the requester of the certificate is who they claim to be, by issuing and signing a certificate containing the requester's public key.

* A certificate signed by one of the trusted CAs prevents browser warnings and increases confidence that the server is who it claims to be.

#### **Data Storage (Passwords) - Security Best Practices**

* Storing passwords in plain text is completely insecure, because a compromise of the stored data breaks:

1. Confidentiality of the data
2. Integrity of the system

* Better solution → hash the password with MD5.
* Best solution → hash the password with MD5 + salting (a random value added to each password before hashing).
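The three options above, as an added example that is not part of the original notes: it uses Python's `hashlib` with MD5 as the page specifies, shows why a per-user random salt defeats a precomputed lookup table, and adds a `pbkdf2_salted` helper (not on the page) as the slow, salted key derivation a practitioner deploys instead of plain MD5. The lookup table contents and function names are constructed for this demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a precomputed MD5 lookup table (real ones hold
# millions of entries); a few common words are enough to show the effect.
PRECOMPUTED_MD5 = {hashlib.md5(w.encode()).hexdigest(): w
                   for w in ("password", "123456", "letmein")}


def md5_unsalted(password: str) -> str:
    """Page's 'better' option: plain MD5. Same password -> same digest, every time."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_in_precomputed(digest: str) -> Optional[str]:
    """Offline table lookup; only succeeds against unsalted digests of common passwords."""
    return PRECOMPUTED_MD5.get(digest)


def md5_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Page's 'best' option: MD5 over a random per-user salt + password.
    Returns (salt, digest); both are stored so the check can be repeated."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt for every stored password
    return salt, hashlib.md5(salt + password.encode()).hexdigest()


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, candidate = md5_salted(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def pbkdf2_salted(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Not on the page: a deliberately slow, salted KDF (PBKDF2-HMAC-SHA256).
    Salting stops table lookups, but MD5 is still fast enough for billions of
    guesses per second on a GPU; a slow KDF is what is deployed in practice."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


if __name__ == "__main__":
    print("unsalted, found in table:", lookup_in_precomputed(md5_unsalted("password")))
    salt, digest = md5_salted("password")
    print("salted, found in table:", lookup_in_precomputed(digest))  # None
    print("login check:", verify_salted("password", salt, digest))  # True
```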

[^1]:
