With Google officially dropping Flash ad support in favor of HTML5, the security of this relatively young programming and scripting language has become crucial. Web-based applications are a standing target for cybercrime, which makes code integrity very important. The following article lays down the most important Application Programming Interface (API) coding practices that developers must adopt to boost HTML5 security.
Because the language is so broad, the best practices below address only the Communication and Storage APIs, which many consider the most crucial to HTML5 security. Developers must not overlook the Geolocation API, Forms API and Offline Apps API either. Knitted together, these APIs provide an extensive web experience unique to HTML5.
The Communication APIs allow HTML5 pages to communicate with each other, even when they were not loaded from the same domain. If implemented insecurely, they undermine HTML5 security.
1 – Web Messaging
Also known as Cross Domain Messaging, this API provides a means of messaging between documents from different origins in a way that is generally safer than the “hacks” used in the past to accomplish this.
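The safety of Web Messaging rests entirely on the receiving page checking `event.origin` and on the sender naming a target origin rather than `*`. The following is an added example, not code from the original post: an origin-checked `postMessage` receiver beside the unchecked pattern it replaces. The origin allowlist, the `greeting` message shape and the tiny DOM stand-ins (so the file also runs under Node) are assumptions for illustration.

```javascript
// Added example: origin-checked window.postMessage handling.
// TRUSTED_ORIGINS and the message schema are assumptions for illustration.
const TRUSTED_ORIGINS = new Set(['https://app.example.com', 'https://widget.example.com']);

// Unchecked pattern, shown only for contrast: any page that can obtain a
// reference to this window may deliver data, and it lands in the DOM as HTML.
function insecureHandler(event, sink) {
  sink.innerHTML = event.data; // no origin check, no type check
}

// Hardened receiver: verify the origin against an exact-match allowlist,
// require a structured message, and treat the payload as text, never as markup.
function secureHandler(event, sink) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  let msg = event.data;
  if (typeof msg === 'string') {
    try { msg = JSON.parse(msg); } catch (e) { return { accepted: false, reason: 'malformed JSON' }; }
  }
  if (!msg || typeof msg !== 'object' || msg.type !== 'greeting' || typeof msg.name !== 'string') {
    return { accepted: false, reason: 'unexpected message shape' };
  }
  const name = msg.name.slice(0, 64);      // bound the length of what reaches the page
  sink.textContent = 'Hello, ' + name;     // textContent: the browser never parses it as HTML
  return { accepted: true, name };
}

// Sender side: always name the target origin. With '*' the message would be
// delivered even if the frame has since navigated to an unrelated site.
function sendGreeting(targetWindow, name) {
  const targetOrigin = 'https://app.example.com';
  targetWindow.postMessage(JSON.stringify({ type: 'greeting', name }), targetOrigin);
  return targetOrigin;
}

// Minimal stand-ins for DOM objects so the example runs in Node as well as a browser.
function fakeSink() { return { innerHTML: '', textContent: '' }; }
function fakeWindow() {
  const sent = [];
  return { sent, postMessage(data, origin) { sent.push({ data, origin }); } };
}

if (typeof module !== 'undefined' && require.main === module) {
  const sink = fakeSink();
  console.log(secureHandler({ origin: 'https://evil.example', data: { type: 'greeting', name: 'x' } }, sink));
  console.log(secureHandler({ origin: 'https://app.example.com', data: '{"type":"greeting","name":"Ada"}' }, sink), sink.textContent);
}
```

In a browser the receiver is wired up with `window.addEventListener('message', e => secureHandler(e, document.getElementById('out')))`; the exact-match `Set` matters, because prefix or regex checks on `event.origin` are a common way to let an unintended origin through.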
2 – Cross Origin Resource Sharing
Known in inner circles as CORS, this functionality allows cross-domain communication from the browser. For optimal HTML5 security, developers should make sure to:
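The central CORS decision is which `Origin` values the server echoes back in `Access-Control-Allow-Origin`. The following is an added example, not code from the original post: the CORS policy of a Node HTTP handler written as a pure function so it can be tested, with the reflecting configuration beside the allowlisted one. The hostnames, allowed methods and headers, and the preflight cache time are assumptions for illustration.

```javascript
// Added example: CORS response policy as a testable pure function.
// ALLOWED_ORIGINS, ALLOWED_METHODS and ALLOWED_HEADERS are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// Weak configuration, kept only for contrast: reflecting whatever Origin arrived,
// combined with credentials, lets any site read authenticated responses.
function corsHeadersReflecting(req) {
  return {
    'Access-Control-Allow-Origin': req.headers.origin || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened configuration: exact-match allowlist, Vary: Origin so shared caches do
// not serve one origin's response to another, and a preflight that only admits
// the methods and headers the API actually uses. Node lowercases request header names.
function corsHeadersFor(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return null; // no CORS headers at all: the browser blocks the cross-origin read
  }
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true', // only because these origins need cookies
    'Vary': 'Origin',
  };
  if (req.method === 'OPTIONS') {
    const wanted = (req.headers['access-control-request-method'] || '').toUpperCase();
    if (!ALLOWED_METHODS.includes(wanted)) return null;
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}

// Apply the policy to a Node http.ServerResponse. Returns true when the request
// was a preflight and has been fully answered.
function applyCors(req, res) {
  const headers = corsHeadersFor(req);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  }
  if (req.method === 'OPTIONS') {
    res.statusCode = headers ? 204 : 403;
    res.end();
    return true;
  }
  return false;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(corsHeadersFor({ method: 'GET', headers: { origin: 'https://evil.example' } }));          // null
  console.log(corsHeadersFor({ method: 'GET', headers: { origin: 'https://app.example.com' } }));
  console.log(corsHeadersFor({ method: 'OPTIONS', headers: { origin: 'https://app.example.com', 'access-control-request-method': 'POST' } }));
}
```

In a server this sits at the top of the request handler: `if (applyCors(req, res)) return;` before any business logic. Note that an absent `Origin` header yields no CORS headers at all, which is the correct answer for same-origin and non-browser requests.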
3 – WebSockets
The WebSocket API establishes a persistent connection between the browser and the server. Mistakes in implementing it can have serious security consequences. Developers must:
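Two checks do most of the work on the server side of a WebSocket: validating the upgrade request (origin, transport, authentication) before accepting the connection, and treating every frame that arrives afterwards as untrusted input. The following is an added example, not code from the original post, showing both as plain functions that a WebSocket library's `verifyClient`/upgrade hook and `message` handler would call. The allowed origin, the session-check stub, the `X-Forwarded-Proto` convention and the `subscribe`/`ping` message schema are assumptions for illustration.

```javascript
// Added example: WebSocket upgrade validation and frame validation.
// WS_ALLOWED_ORIGINS, the session check and the message schema are assumptions.
const WS_ALLOWED_ORIGINS = new Set(['https://app.example.com']);
const MAX_MESSAGE_BYTES = 4096;

// Handshake policy. The same-origin policy does not apply to WebSocket connections,
// so the server itself must check the Origin header the browser sends on the upgrade.
function checkUpgrade(req, isValidSession) {
  const h = req.headers; // Node lowercases header names
  if ((h.upgrade || '').toLowerCase() !== 'websocket') {
    return { ok: false, status: 400, reason: 'not a websocket upgrade' };
  }
  if (!h.origin || !WS_ALLOWED_ORIGINS.has(h.origin)) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  // Require TLS (wss://): either the socket is encrypted or a trusted reverse
  // proxy says it terminated TLS. Only honour X-Forwarded-Proto behind such a proxy.
  const encrypted = req.socket && req.socket.encrypted;
  const proto = h['x-forwarded-proto'] || (encrypted ? 'https' : 'http');
  if (proto !== 'https') {
    return { ok: false, status: 403, reason: 'wss required' };
  }
  // Authenticate the upgrade with the same session check the rest of the app uses.
  if (!isValidSession(h.cookie || '')) {
    return { ok: false, status: 401, reason: 'unauthenticated' };
  }
  return { ok: true, status: 101 };
}

// Message policy: size limit first, then JSON, then an explicit schema per action.
// Anything that does not match is dropped rather than interpreted.
function parseClientMessage(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'binary frames not accepted' };
  if (Buffer.byteLength(raw, 'utf8') > MAX_MESSAGE_BYTES) return { ok: false, reason: 'message too large' };
  let msg;
  try { msg = JSON.parse(raw); } catch (e) { return { ok: false, reason: 'invalid JSON' }; }
  if (!msg || typeof msg !== 'object') return { ok: false, reason: 'not an object' };
  switch (msg.action) {
    case 'subscribe':
      if (typeof msg.channel !== 'string' || !/^[a-z0-9-]{1,32}$/.test(msg.channel)) {
        return { ok: false, reason: 'bad channel' };
      }
      return { ok: true, action: 'subscribe', channel: msg.channel };
    case 'ping':
      return { ok: true, action: 'ping' };
    default:
      return { ok: false, reason: 'unknown action' };
  }
}

if (typeof module !== 'undefined' && require.main === module) {
  const sessionOk = (cookie) => cookie.includes('session=valid'); // stub
  const req = { headers: { upgrade: 'websocket', origin: 'https://app.example.com', 'x-forwarded-proto': 'https', cookie: 'session=valid' }, socket: {} };
  console.log(checkUpgrade(req, sessionOk));                                   // { ok: true, status: 101 }
  console.log(parseClientMessage('{"action":"subscribe","channel":"news-1"}')); // accepted
  console.log(parseClientMessage('{"action":"drop"}'));                         // rejected
}
```

The client side is simpler but matters too: connect with `wss://`, never `ws://`, and apply the same "parse, then validate the shape" discipline to frames received from the server before they touch the DOM.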
4 – Server-Sent Events
This API is used for opening an HTTP connection to receive push notifications from a server.
Similar in many ways to cookies, HTML5 lets the browser save values that outlast the web session. Events can also be transferred between browser windows. Developers must code with care.
1 – Local Storage/Offline Storage/Web Storage
With this kind of storage, HTML5 web applications can store data within the user’s web browser.
2 – Client-side Databases
Several APIs fall under this category: Web Storage, Web SQL Database, Indexed Database, and File Access. They let the app work offline while improving performance.
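Web Storage, named under both headings above, is the most widely used of these, and its two recurring problems are the same in each: secrets placed in it are readable by any script running on the origin, and values read back from it have no integrity guarantee, so a page that renders them as HTML is a self-inflicted XSS. The following is an added example, not code from the original post, that serves both sections: a credential-aware write wrapper, a schema-validating read of a preferences blob, and HTML escaping for any stored string that reaches the DOM. The storage keys, the preferences schema and the in-memory `Storage` stand-in (so the file runs under Node) are assumptions for illustration.

```javascript
// Added example: treating Web Storage as untrusted, low-security storage.
// PREFS_KEY, the preferences schema and memoryStorage() are assumptions for illustration.
const PREFS_KEY = 'ui-prefs';
const DEFAULT_PREFS = { theme: 'light', pageSize: 20 };

// localStorage never expires, has no HttpOnly equivalent, and is readable by every
// script on the origin, so credential-like keys are refused at the write boundary.
const SECRET_KEYS = /token|secret|password|session/i;
function setItemChecked(storage, key, value) {
  if (SECRET_KEYS.test(key)) throw new Error('refusing to persist credential-like key: ' + key);
  storage.setItem(key, String(value));
}

// The stored blob may have been edited by the user or by another script on the
// origin. Parse it, then accept each field only if it matches the schema;
// anything else falls back to the defaults.
function loadPrefs(storage) {
  const raw = storage.getItem(PREFS_KEY);
  const prefs = { ...DEFAULT_PREFS };
  if (raw === null) return prefs;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return prefs; }
  if (parsed && typeof parsed === 'object') {
    if (parsed.theme === 'light' || parsed.theme === 'dark') prefs.theme = parsed.theme;
    if (Number.isInteger(parsed.pageSize) && parsed.pageSize >= 5 && parsed.pageSize <= 100) {
      prefs.pageSize = parsed.pageSize;
    }
  }
  return prefs;
}

// Any stored string that becomes markup is escaped (or, in a browser, assigned
// through textContent instead of innerHTML).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderUserName(storage) {
  const name = storage.getItem('displayName') || 'anonymous';
  return '<span class="user">' + escapeHtml(name) + '</span>';
}

// Minimal Storage stand-in so the example runs under Node; in a browser pass
// window.localStorage, which exposes the same three methods.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  const st = memoryStorage();
  st.setItem(PREFS_KEY, '{"theme":"<b>","pageSize":99999}'); // tampered blob (constructed)
  console.log(loadPrefs(st));                                 // { theme: 'light', pageSize: 20 }
  setItemChecked(st, 'displayName', '<b>Ada</b>');
  console.log(renderUserName(st));                            // escaped span
}
```

The same "validate on read, escape on render" rule applies to rows pulled back from IndexedDB or Web SQL, and for Web SQL the query itself must use the `?` placeholders of `executeSql` rather than string concatenation.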
All the secure coding practices in the world are no substitute for proper application security testing. HTML5 security hinges on proper testing, preferably during the development process. Unfortunately, this can't be achieved with traditional security solutions such as Penetration (Pen) Testing and Manual Code Review. That's where Static Application Security Testing (SAST) enters the picture.
Static Code Analysis (SCA), a leading SAST approach, can be integrated directly into the development process. This helps detect and mitigate application-layer vulnerabilities early, which saves organizations considerable time and money. The solution typically sits directly in the developers' IDE, involving them directly in the security process.
Other benefits of automating HTML5 security include:
Regardless of the aforementioned advantages of SCA/SAST, HTML5 security requires a multi-layered approach. Scanning during development can and should be complemented with Pen Testing prior to release. There is also the option of post-release solutions such as the ever-popular Web Application Firewall (WAF), which can detect and block malicious input.
Simply put, no single security solution is perfect. Hence, implementing two or more during the various stages can help optimize the HTML5 security process. Stay safe!