# 8- Web Security

## Core defence mechanisms

1. Handling user access
   * Prevent users from gaining unauthorized access.
2. Handling user input
   * Sanitize malicious user input so that it cannot cause undesirable behaviour.
3. Handling attackers
   * Take defensive and offensive measures to frustrate the hacker.
4. Managing the application
   * Enable the administrator to monitor activity and manage configuration and logs.

## HTTPS

{% hint style="info" %}
HTTPS uses an encryption protocol to encrypt communications:

Secure Sockets Layer (SSL) → Transport Layer Security (TLS), which has superseded SSL.
{% endhint %}

#### **Secure Handshakes**

Steps:

* Establish the connection
* Check the server's public key and certificate (in the client's browser)
* Key exchange: agree on the key used to encrypt/decrypt the session
* Connection established
* Request / response

The figure illustrates the idea further:

#### Certificate

An X.509 certificate contains:

* the algorithm used
* information about the public key
* the domain it was issued for

The figure illustrates the idea further:

#### **Certificate Authority (CA)**

{% hint style="info" %}
A CA allows users to place their trust in the certificate, since a trusted, independent third party signs it.
{% endhint %}

A CA's primary role is to validate that the requester of a certificate is who they claim to be, by issuing and signing certificates containing the public keys.

* A certificate signed by any of the trusted CAs will prevent browser warnings and increase the confidence that the server is who it claims to be.

#### **Data Storage (Passwords) - Security Best Practices**

* Storing passwords in plain text is completely insecure; it compromises:

1. the confidentiality of the data
2. the integrity of the system

* better solution → hash the password with MD5.
* best solution → hash the password with MD5 + salting.
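Added example (not from the original page) contrasting the two storage options listed above: an unsalted hash lets two users with the same password produce the same stored value, while a per-user random salt does not. PBKDF2-HMAC-SHA256 from the Python standard library stands in for the page's "MD5 + salting", since MD5 is too fast and too weak for password storage today; the user records are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users happen to share the same password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}


def md5_unsalted(password: str) -> str:
    """The page's 'better solution': a bare MD5 of the password.
    Identical passwords give identical digests, so one precomputed
    (rainbow) table cracks every account sharing that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, standard library), used here
    in place of the page's 'MD5 + salting'. A fresh 16-byte random salt is
    drawn per user unless one is supplied; salt and iteration count are
    stored next to the digest so verification can recompute it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant
    time, so response timing does not reveal how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_passwords_visible(users: dict, hasher) -> bool:
    """True when two users with the same password end up with the same
    stored value, i.e. the scheme leaks password reuse to whoever reads the table."""
    stored = [hasher(pw) for pw in users.values()]
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    print("MD5 leaks reuse:   ", shared_passwords_visible(USERS, md5_unsalted))
    print("Salted leaks reuse:", shared_passwords_visible(USERS, hash_password))
    record = hash_password(USERS["alice"])
    print("verify correct:", verify_password("hunter2", record))
    print("verify wrong:  ", verify_password("hunter3", record))
```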
