Much Time On A Secure Web Gateway

Secure web gateways (SWGs) are typically hosted behind a firewall or proxy server. They provide access to sensitive data such as credit card information or customer records. SWG providers also offer additional security features such as encryption, authentication, and strong password requirements.
While building a secure web gateway is a complex task, there are several common mistakes that can easily be avoided.
This article highlights the top five ways to build a secure web gateway.
1. Avoiding Spoofing Attacks
Most web applications are subject to spoofing attacks. The web application may display a user’s session ID in the URL, which makes it vulnerable to hijacking. In this attack, the attacker intercepts the login request and directs the user to a malicious page instead of the legitimate page.
This can be prevented with a simple check for the X-Forwarded-For header. When this header is present, the IP address should be compared to the value in that header. If there is no match, then the request should be rejected.
2. Making Sure Credentials Are Stored Securely
Passwords that are stored in a database are vulnerable to brute force attacks. In this type of attack, an automated program tries every possible combination of characters until it finds the correct one. To protect against brute force attacks, make sure you have an account lockout policy in place.
Password hashes should not be stored in any kind of readable format such as plain text or cleartext. However, this doesn’t mean they need to be encrypted either. MD5 hashes are a great option here because they’re fast and extremely difficult to reverse engineer.
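An added example, not code from the article, of the account-lockout policy described above combined with password storage. It uses a salted, iterated PBKDF2 hash from the Python standard library rather than a bare MD5 digest, because an unsalted fast hash lets anyone who obtains the database test password guesses offline at very high speed; the iteration count, lockout threshold and in-memory store are assumptions for illustration.

```python
import os
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

# Assumptions for this example: tune the work factor to your hardware budget
# and take the lockout threshold from your own account policy.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5


@dataclass
class StoredCredential:
    salt: bytes             # per-user random salt, stored next to the digest
    digest: bytes           # PBKDF2-HMAC-SHA256 output, never the password itself
    failed_attempts: int = 0
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredCredential:
    """Create the record to store: a fresh salt defeats precomputed tables and
    the iteration count makes every brute-force guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    return StoredCredential(salt=salt, digest=_derive(password, salt))


def verify_login(store: Dict[str, StoredCredential], username: str, password: str) -> bool:
    """Check a login and enforce the lockout policy: after MAX_FAILED_ATTEMPTS
    consecutive failures the account refuses all further attempts."""
    cred = store.get(username)
    if cred is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        _derive(password, b"\x00" * 16)
        return False
    if cred.locked:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    if hmac.compare_digest(_derive(password, cred.salt), cred.digest):
        cred.failed_attempts = 0
        return True
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        cred.locked = True
    return False
```

In a real deployment the store would be a database table, and the lockout counter should also be reset or expired by an administrator or a timer rather than staying locked forever.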
3. Protecting Sensitive Information In The URL
Many web applications include user credentials in query strings or URLs. This is a vulnerability because HTTP is unencrypted and anyone who can intercept traffic between client and server can view these credentials.
To prevent this vulnerability, always use HTTPS with your web application. If your application cannot use HTTPS, then consider using query string parameters instead of URL parameters if at all possible (and still maintain compatibility).
4. Sending Sensitive Data Over Unencrypted Connections
If your application sends sensitive data over an unencrypted connection, it can be intercepted and potentially decrypted by anyone who has access to it. This means data transmitted over HTTP is vulnerable by default.
However, even HTTPS connections can be at risk if not configured correctly. Typically, this happens when developers don’t use SSL termination before sending data to another server (unless there’s a good reason why they shouldn’t).
5. Using Custom HTTP Headers Instead Of URI Rewriting
URLs containing custom HTTP headers are vulnerable to some types of attacks that can cause redirect loops and other issues with non-standard browsers, browsers on mobile devices, or older operating systems such as IE 6 and 7 on Windows XP.
In order to protect against these issues, it’s always better to rewrite the URI using a server-side language such as PHP or ASP.NET rather than relying on custom HTTP headers.
Conclusion
If you take these five steps into account when designing your web application, then you’ll have a much better chance of building a secure web gateway.