JavaScript, developed by Netscape in the late 90s, has evolved into one of the most well-known and widely adopted programming languages to date. It was originally developed with the intent of adding interactive and dynamic elements to websites, enabling more complex features and a better user experience. JavaScript conforms to the ECMAScript specification, ensuring interoperability and consistent coding standards for web pages across different web browsers.
JavaScript, now used in over 90% of all websites, is present on most pages you visit. If you are on a web page and your screen is displaying anything other than a still image (content updates, scrolling through videos, GIFs and animated images), then it’s a safe bet JavaScript is involved. JavaScript can also be used for your server-side technology, for example with Node.js, but this article will stick to client-side security practices.
While JavaScript is a well-established programming language present in the majority of websites, some are hesitant to adopt it because of how it is designed (loose typing, among other things).
Its evolution has adapted to overcome this, however: newer ECMAScript editions allow for more structure, and tools such as TypeScript let developers overcome their woes with loose typing. This article will look at a selection of threats to JS, and some of the best practices for JavaScript security in 2020.
Open Source !== Secure
It’s imperative to trust the vendors of your dependencies when using third-party packages in your development process. Developers tend to trust the idea of open-source software because ‘they can check the source’. However, there’s no guarantee that the source code visible online is actually the code downloaded into your system as a dependency.
With this in mind, it’s critical to ensure that you trust the vendors of your dependencies. Some companies prefer to only play with the huge players in the game, and will only work with full-fledged frameworks that can offer most of the functionality a website would ever require, such as jQuery, React, and Angular.
The downside to this approach, however, is that you often end up downloading more than you actually need, and a user may end up downloading 400kb of files they don’t need on every request (depending on caching). To help with this, packages are being split up; for example, jQuery has been shrunk massively in recent times, and jQuery core is now available on its own.
Cross-Site Scripting (XSS)
One of the most common JavaScript security issues is cross-site scripting. Cross-site scripting vulnerabilities enable attackers to manipulate your site by injecting content of their choosing, which then executes on the client side and delivers malicious scripts to your visitors.
If XSS issues are not resolved, they can result in malware spreading, account tampering, data theft, and even remote control over a user’s browser. There are many ways to remedy XSS, including escaping data, validating input, and sanitizing.
To ensure your site is protected from this, you should also stick to wider security practices. OWASP (the Open Web Application Security Project) is an online community that offers free tools, technology, and code relating to web application security.
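The escaping remedy mentioned above, as an added example that is not part of the original article: the same HTML template rendered once by concatenating untrusted text straight into markup and once after HTML-escaping it. The function names and the sample profile value are assumptions for illustration; the code runs in Node.js without a DOM.

```javascript
// Added example (not from the original article): rendering untrusted text
// into HTML with and without output escaping.

// Escape the five characters that let attacker-controlled text break out of
// an HTML text node or a quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the user-supplied name is concatenated straight into markup, so
// a value containing tags becomes live HTML as soon as the page assigns the
// string to element.innerHTML.
function renderGreetingUnsafe(userName) {
  return '<p class="greeting">Hello, ' + userName + '!</p>';
}

// Hardened: the same template, but every untrusted value passes through
// escapeHtml() first, so the browser shows it as literal text. (In browser
// code, assigning to element.textContent instead of innerHTML achieves the
// same for plain text without any string building.)
function renderGreetingSafe(userName) {
  return '<p class="greeting">Hello, ' + escapeHtml(userName) + '!</p>';
}

// Constructed sample input: a display name a visitor could type into a
// profile field.
const sampleName = '<script>alert(1)</script>';

console.log('unsafe:', renderGreetingUnsafe(sampleName));
console.log('safe:  ', renderGreetingSafe(sampleName));
```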
Always use TLS certificates for communication with servers
When communicating with a server, it’s crucial that you use “https” to secure your information. A TLS certificate is installed on the server itself and allows secure information transfer between your website (the client) and the functionality that processes your information (the server).
When using a TLS certificate, a handshake is done between the client and server, ensuring that the correct encryption keys are used to secure the data between them. The client uses the server’s public key to encrypt the information it sends, and the server uses the matching private key, which only the appropriate servers should hold, to turn the encrypted information back into a readable format.
Certificates are not a new thing, and many sites still have SSL certificates set up. Unfortunately, SSL is no longer considered secure, and even if a website is set up with certificates, you should ensure that it negotiates TLS version 1.2 at minimum.
Avoid URL Injection
URL injection occurs when an attacker creates or injects brand new pages or assets on an already existing website. These pages usually contain code that reroutes users to a different site, or can potentially involve the business in attacks against other sites. These injections can be made through malware and software vulnerabilities, unsecured directories, or plug-ins.
Google’s Search Console is one way of identifying these pages, but nothing beats checking manually. As soon as the affected pages have been identified, they should be changed to either fix the URL’s vulnerability or move the data source to something better suited for data transfer, such as cookies or sessions. To prevent URL injection, protect your site with an adequate firewall or route traffic through a gateway; this can act as a blanket to avoid potential mishaps.
Use CORS Headers
Headers are part of the data transmitted in web technologies and are attached to every request to and from a server. Headers describe requests and responses and often carry additional information related to the request, such as information about the current user or the menu items to display.
On a website, requests are made for many assets as each page loads, such as fonts, images and audio. CORS (Cross-Origin Resource Sharing) headers are ones you define yourself; they specify which origins may request information and let the browser check whether a requesting source is authorized to reference your website’s resources.
This means that servers must implement ways to manage requests from origins other than their own. In short, it will ensure that your Google fonts always come from Google, and not from any nasty third parties trying to redirect your requests!
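How a server can manage requests from outside origins, as an added example that is not from the original article: the CORS decision written as a pure function so it can be tested without a running HTTP server, alongside the weak reflect-any-origin variant it replaces. The allow-listed origins and function names are assumptions for illustration.

```javascript
// Added example (not from the original article): choosing CORS response
// headers from the request's Origin header.

// Assumed allow-list: the only browser origins permitted to call this API.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Return the CORS headers to send for a request carrying `originHeader`, or
// an empty object to send none (the browser then blocks cross-origin reads).
function corsHeadersFor(originHeader) {
  // Same-origin and non-browser requests carry no Origin header.
  if (!originHeader) return {};

  // Compare the full origin (scheme + host + port), never a substring or a
  // suffix: a check such as originHeader.endsWith('example.com') would also
  // accept "https://evil-example.com".
  if (!ALLOWED_ORIGINS.has(originHeader)) return {};

  return {
    // Echo the exact allow-listed origin rather than "*". A wildcard cannot
    // be combined with credentials and would let any site read the response.
    'Access-Control-Allow-Origin': originHeader,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    // Caches must key on Origin so one origin's allow header is never served
    // to a visitor coming from a different origin.
    'Vary': 'Origin',
  };
}

// Weak setting (shown for contrast): reflecting whatever Origin arrives while
// also allowing credentials lets any website make authenticated requests to
// the API from a victim's browser and read the responses.
function corsHeadersReflectAny(originHeader) {
  return {
    'Access-Control-Allow-Origin': originHeader || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

console.log(corsHeadersFor('https://app.example.com'));
console.log(corsHeadersFor('https://evil-example.com'));
```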
Touching on just a few precautions you can take to improve JavaScript security on your site, we’ve given you the information you need to start improving your own website security. While each of these is an adequate step towards protecting your site, the best way to ensure security is to follow all of these JavaScript practices together.