How to launch secure web applications without being a security expert


Launching a web application is not just about completing the development of the web app and making it available for use. Aside from ensuring that your app works fluently and is free from bugs, it is also important to ensure that it is secure now and in the future. You certainly wouldn’t want any service outage at any unexpected point as this could mean loss of income and a damaged reputation. Likewise, you wouldn’t want these web apps to be exploited by online hackers.

The following are useful methods to ensure that you are able to launch web applications that remain secure. These are very basic but effective methods so you don’t really need to be a web security expert.


First, what is HTTPS? Isn’t this that five-letter prefix you find on a URL or web address? Yes, it certainly is and it is definitely something you need to know and learn to use if you are launching web applications. HTTPS is a protocol that ensures secure communication online. It is designed to protect sensitive, confidential, and personal information by encrypting traffic between a client and server.

Using HTTPS is advised as it provides protection against a variety of attacks including sniffing, eavesdropping, and man-in-the-middle attacks. It is considered as one of the best methods for securing web apps and websites in general. Even Amazon’s Developer page particularly recommends the use of HTTPS to protect web apps. Google is also now strongly recommending general use of HTTPS on all websites and will even be using it as a ranking signal.

Forcing SSL and supporting it with Perfect Forward Secrecy

SSL or Secure Sockets Layer is a cryptographic protocol designed to enable communication security over the web. It is typically considered as a performance bottleneck but it does not really cause that much of a performance issue for web apps. There is no reason not to force SSL for all connections.

To fortify the protection afforded by SSL, it helps using perfect forward secrecy, wherein a public-key system generates random public keys for every session without using any form of deterministic algorithm for the purpose of key agreement. With perfect forward secrecy, a compromise in one message cannot lead to compromises in others. It is even said to be capable of blocking NSA from secure web pages. Perfect forward secrecy is particularly recommended for web applications that involve large flows of information, delicate or sensitive information in particular.

Using HTTP Strict Transport Security

If you are already using SSL, it is recommended combining it with HTTP Strict Transport Security or HSTS, a web security policy mechanism that requires user agents such as web browsers to interact with the app only though HTTPPS connections. HSTS is an IETF standards track protocol that is mostly applicable in fixing SSL-stripping man-in-the-middle attacks. HSTS is the kind of protection employed when an HTTP prefixed URL is automatically converted into an HTTPS. It also makes a browser remember the conversion to HTTPS to make page loading faster the next time around.

Whitelists of allowed remote resources

Setting a whitelist of remote resources to be allowed is helpful in preventing remote codes to be injected and executed on a web application. For a new web application, this can be easily done since you just have to block everything and allow specific URLs as desired. Whitelisting resource IPs can be done at many levels including your hosting provider or even your website’s .htaccess file.

Proper password and login resets

While a password or login is the primary protection you may have for your web app, it can become compromised if you don’t ensure that resets are properly done. There’s a reason why there are many steps involved in resetting passwords for online accounts such as Gmail, PayPal, and even Facebook which also allow for two-factor authentication. They don’t just let users reset passwords in one simple step. There are expiring links or codes to be clicked or inputted before the password resetting process can be initiated.

Multi-factor authentication

For certain web apps that require more than just the usual protection, it is also possible to add other factors for authentication. This could be an authentication code required in addition to the username and password or transaction codes or passwords required by some banking apps. Multi-factor authentication is advisable to protect crucial processes or events like deletions and account modifications. It is effective against account hijacking.

Code analysis tools and security audits

You can never be too sure about the security of your web applications. Even if you exercise all the precautions deemed necessary or follow all rules defined for your programming languages, there’s nothing wrong with having your code evaluated by code analysis tools or by third party security audits. For more serious web apps, it helps seeking the help of external security consultants since in reality it’s almost impossible to cover all bases on your own and spot all existing vulnerabilities. These analyses and security audits enable the early detection of vulnerabilities and the reduction of the need for post-production security patches and fixes.

You don’t have to be a security expert to implement these web app protection solutions. If you are able to build and launch a web app, the solutions mentioned above shouldn’t be difficult to utilize. The use of code analysis tools and security audits, in particular, will prove to be very valuable in your security arsenal.

Photograph by Michael Himbeault

Leave a Reply