I participated in a webinar about the security of web apps. Here is a short summary of some of the things they covered:
- If there is a multi-stage (upload) process for user data (e.g. images), bind the staged data to the user's session and delete unfinished or canceled uploads when that session expires, so that abandoned uploads cannot pile up or be completed by someone else.
- Use the HttpOnly and Secure attributes on cookies. HttpOnly prevents the cookie from being read by JavaScript, so set it on every cookie that is only needed on the server side, e.g. the session cookie; Secure makes the browser send the cookie over HTTPS only.
- Regenerate the session ID when a user logs in. Otherwise an attacker who managed to plant a known session ID in the victim's browser beforehand (session fixation) inherits the authenticated session, i.e. can hijack it.
- To prevent clickjacking (embedding your website in a foreign iframe and tricking your users into clicking on it), send the X-Frame-Options header (or its successor, the Content-Security-Policy frame-ancestors directive) and treat frame-busting JavaScript only as a fallback: the JS alone can be defeated, e.g. by loading the page in a sandboxed iframe.
- Never store PHP- or Java-serialized objects on the client (e.g. in a cookie) and unserialize them again on the server: the client can tamper with the data, and unserializing it instantiates arbitrary classes, which is the entry point for object injection attacks. Use JSON instead, and verify a signature (e.g. an HMAC) before trusting anything that comes back.
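The first three points fit together in one small example, added here and not taken from the webinar: a session store that issues an HttpOnly/Secure session cookie, binds staged uploads to the session, rotates the session ID at login so that a pre-planted ID stops working, and deletes unfinished uploads when the session expires. Class and method names, the 30-minute idle timeout and the in-memory dictionaries (standing in for a database and temporary files) are all assumptions of this example.

```python
"""Session store illustrating three of the webinar's points: HttpOnly/Secure session
cookie, session ID regeneration at login (defeats session fixation), and deletion of
unfinished uploads when the owning session expires. Added example, not webinar code."""
import secrets

SESSION_TTL = 30 * 60  # idle seconds before a session expires (assumed value)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # sid -> {"user", "uploads", "last_seen"}
        self._uploads = {}   # upload id -> staged bytes (stand-in for a temp file)

    @staticmethod
    def _new_sid():
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def _session(self, sid, now):
        """Return the live session for sid, or None if unknown or idle for too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > SESSION_TTL:
            self._sessions.pop(sid)
            return None
        s["last_seen"] = now
        return s

    def create(self, now):
        """Anonymous session, e.g. for a visitor who starts an upload before logging in."""
        sid = self._new_sid()
        self._sessions[sid] = {"user": None, "uploads": set(), "last_seen": now}
        return sid

    @staticmethod
    def cookie_header(sid):
        """HttpOnly: not readable from JavaScript. Secure: only sent over HTTPS."""
        return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure"

    def current_user(self, sid, now):
        s = self._session(sid, now)
        return s["user"] if s else None

    def begin_upload(self, sid, now, data):
        """First stage of a multi-stage upload: the staged data is bound to the session."""
        s = self._session(sid, now)
        if s is None:
            raise PermissionError("no valid session")
        uid = secrets.token_hex(16)
        self._uploads[uid] = data
        s["uploads"].add(uid)
        return uid

    def finish_upload(self, sid, now, uid):
        """Final stage: only the session that staged the upload may complete it."""
        s = self._session(sid, now)
        if s is None or uid not in s["uploads"]:
            raise PermissionError("upload does not belong to this session")
        s["uploads"].discard(uid)
        return self._uploads.pop(uid)  # caller moves it to permanent storage

    def login(self, sid, now, user):
        """Authenticate and rotate the ID. A pre-authentication ID that an attacker
        may have planted in the victim's browser (session fixation) stops working;
        the session's state, including staged uploads, carries over to the new ID."""
        s = self._session(sid, now)
        if s is None:
            raise PermissionError("no valid session")
        del self._sessions[sid]
        s["user"] = user
        new_sid = self._new_sid()
        self._sessions[new_sid] = s
        return new_sid

    def expire(self, now):
        """Housekeeping: drop idle sessions and the unfinished uploads bound to them.
        Returns the number of staged uploads deleted."""
        deleted = 0
        idle = [k for k, s in self._sessions.items() if now - s["last_seen"] > SESSION_TTL]
        for sid in idle:
            for uid in self._sessions.pop(sid)["uploads"]:
                if self._uploads.pop(uid, None) is not None:
                    deleted += 1
        return deleted

    def staged_upload_count(self):
        return len(self._uploads)
```

In a real application `expire()` would run from a scheduled job and `finish_upload()` would move the file into permanent storage; the point of the example is that the old session ID is unusable after `login()` while the upload started before login still belongs to the same user.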
In the end all those things are quite obvious, but I think it is good to repeat even obvious things from time to time. 😉