Recently an old friend, Philip Tellis, posted an article on web application security for developers. Even when you are security conscious and use tools to protect yourself, you can still become the victim of a security breach, as I have written about in this article. That got me thinking: what should you, as a user of web applications, be doing to secure yourself against the various online attacks?
Here are some tips and tools you should use to protect yourself while you are online.
Protection against Cross-site scripting (XSS), Cross-site request forgery (CSRF/XSRF) and Clickjacking:
I found Firefox with the NoScript extension very useful in protecting me against the above attacks. With this extension, only the sites/domains you explicitly allow may run JavaScript on the page you are visiting; scripts pulled in from third-party domains stay blocked until you allow those domains too. NoScript gives you complete control over which scripts load on a web page. Two caveats are worth knowing. Once you allow a site, its own scripts run, so an XSS payload that has been injected into that site is not stopped by the whitelist (NoScript's built-in anti-XSS filter catches some reflected cases, but the real fix is output encoding on the server). And a CSRF request does not need JavaScript at all: a hidden image request or a plain form submission on a page you visit is enough, so the defence has to come from the server in the form of anti-CSRF tokens or SameSite cookies. Against clickjacking, it is NoScript's ClearClick feature that does the protecting.
Choose a secure browser:
I strongly recommend that you use a browser with a good security record such as Firefox or Chrome. Firefox is open source and Chrome is built on the open-source Chromium project; both have a track record of finding and fixing security issues quickly. Also keep your browser updated, since most updates carry security fixes, and keep the extensions and plugins it loads updated for the same reason.
Choose a secure OS platform:
I use GNU/Linux as the OS on my desktop. This gives me an added level of security because the OS is designed as a multi-user system: a normal user account cannot modify system files, so malware that gets in through the browser cannot easily take over the whole machine or install itself system-wide. Note the limit of this protection: anything running as your user, a compromised browser included, can still read and modify your own files and your browser profile, which is where the data attackers want (cookies, saved passwords) lives. So run the browser as an unprivileged user, never as root, and keep the system patched.
Keep separate profiles:
I use Firefox as my primary browser for all my online needs. Firefox supports multiple profiles and private browsing, and I have created separate profiles for my different needs. One profile is reserved for my email, net banking and other financial transactions. This profile is set up with strict security in mind and starts in private browsing mode by default, so no passwords, cookies, sessions or cache are left on my system when I close the browser. I also do not click directly on links that I receive via email, IM or social networking feeds; I copy the link and open it in my general profile instead.
I have a separate profile for my general browsing needs. This profile is a little less restrictive but still loaded with NoScript. Because each profile keeps its own cookies and sessions, a rogue or compromised site opened in the general profile is never logged in to my bank or email, so it cannot ride on those sessions or reach my sensitive information.
Use secure pages for logins:
Wherever a site offers both a secure (HTTPS) and a non-secure (HTTP) version of its login page, use the secure one, and make sure the page you type the password into is itself loaded over HTTPS (look for the padlock in the address bar), not just the form's target: an HTTP page can be modified in transit to send your password elsewhere. One such notorious site is the IRCTC Rail Ticket booking site.
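Whether a login page is served over HTTPS is only the first thing to look at; the site also has to stop later downgrades, mark its session cookie so it is never sent in the clear, and refuse to be framed. The following is an added example (not from the original post) that audits a captured set of response headers for those protections. The two header blocks are constructed samples, the URL login.example is made up, and the function names are mine.

```javascript
// Added example (not from the original post): audit a login page's response
// headers for protections the user cannot supply from the browser side.
// The header blocks below are constructed samples, not captures of any site.

// Parse a raw HTTP response head into { statusLine, headers }, with header
// names lower-cased and repeated headers (Set-Cookie) kept as arrays.
function parseHeaders(raw) {
  const lines = raw.trim().split(/\r?\n/);
  const statusLine = lines.shift();
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    (headers[name] = headers[name] || []).push(value);
  }
  return { statusLine, headers };
}

// Return a list of findings; an empty list means every check passed.
function auditLoginResponse(url, raw) {
  const { headers } = parseHeaders(raw);
  const get = (n) => headers[n] || [];
  const findings = [];

  // The page itself must come over TLS, otherwise it can be rewritten in transit.
  if (!url.startsWith('https://')) {
    findings.push('login page served over plain HTTP: credentials readable and page modifiable in transit');
  }
  // HSTS makes the browser refuse HTTP for this host on later visits.
  if (get('strict-transport-security').length === 0) {
    findings.push('no Strict-Transport-Security: later visits can be downgraded to HTTP');
  }
  // Framing protection against clickjacking: either header is acceptable.
  const csp = get('content-security-policy').join('; ').toLowerCase();
  if (!/frame-ancestors/.test(csp) && get('x-frame-options').length === 0) {
    findings.push('no X-Frame-Options or CSP frame-ancestors: page can be framed (clickjacking)');
  }
  // Session cookies: Secure keeps them off HTTP, HttpOnly keeps them from
  // script (limits XSS damage), SameSite limits cross-site use (CSRF).
  for (const cookie of get('set-cookie')) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.toLowerCase();
    if (!/;\s*secure/.test(attrs)) findings.push(`cookie ${name} lacks Secure`);
    if (!/;\s*httponly/.test(attrs)) findings.push(`cookie ${name} lacks HttpOnly`);
    if (!/;\s*samesite=(lax|strict)/.test(attrs)) findings.push(`cookie ${name} lacks SameSite=Lax/Strict`);
  }
  return findings;
}

// Constructed sample: a login page with none of the protections.
const WEAK_RESPONSE = `HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123; Path=/
`;

// Constructed sample: the same page with the headers a careful site sends.
const HARDENED_RESPONSE = `HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
`;

function auditWeak() {
  return auditLoginResponse('http://login.example/', WEAK_RESPONSE);
}

function auditHardened() {
  return auditLoginResponse('https://login.example/', HARDENED_RESPONSE);
}
```

To run this against a real site, fetch the response head with a tool such as curl (`curl -sI` on the login URL), paste it into the raw string and pass the URL you fetched. Every finding it prints is something you, as a user, cannot fix yourself; all you can do is prefer the HTTPS page, keep the site in its own profile, and push the site to fix the rest.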
Use strong passwords:
Many sites today require you to log in to transact business. Use passwords that are long (twelve characters or more) and mix capital and small letters, numbers and punctuation; of the two, length adds more strength than the character mix does.
Keep different passwords for critical and non-critical sites, so that a password leaked from a forum or a shopping site cannot be reused to log in to your bank or email.
You
Cross-site scripting (XSS)