Security in Web applications

Web application security remains one of the primary objectives in web application development. In this project I have implemented several security measures to demonstrate how web application security can be achieved.

  • Account Lockouts – This mechanism protects the application from brute-force attacks. After four failed login attempts, the application locks the user's account and blocks the corresponding IP address for a cool-down period of six hours, rejecting further login attempts until that period expires.
  • Role-based Access – This is a common feature in most enterprise systems, where different users hold different system privileges. In this application I have implemented only two user types, “admin” and “local user”. Only the admin can view the dashboard; however, since this is not an enterprise system, local users can change their user type to admin in the settings page.
  • Data Masking – Implemented on the dashboard, this feature ensures that only the user's first name and part of their email address are displayed. This measure helps protect sensitive user information from exposure even to administrators.
  • Error Masking – The application communicates with its users through generic but helpful error messages that reveal no internal details, protecting the application against fuzzing attempts by malicious users and enhancing data security in the long run.
  • Form Validation – Both server-side and client-side form validation are employed to ensure that data received from users is consistent. This has also aided in preventing SQL injection attacks from malicious users.
  • Session Encryption – Session cookies are encrypted using the JWT strategy to prevent tampering by users and to persist user login state.
  • Bot Detection and Prevention – The application is integrated with the Google reCAPTCHA API to aid in bot detection and thereby prevent bot requests and interactions.
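The account lockout rule above (four failures, six-hour cool-down on both the account and the source IP), written out as an added Python example. This is not the project's code: it keeps its counters in memory and uses a constructed single-user credential store; a deployment with more than one application instance would keep the same counters in a shared store so every instance sees them, and the injectable clock exists only so the rule can be exercised without waiting six hours.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

MAX_FAILURES = 4               # failed attempts allowed before the lockout (from the page)
LOCKOUT_SECONDS = 6 * 60 * 60  # six-hour cool-down (from the page)

# Constructed credential store for the example.  Plaintext only to keep the
# block short; a real application compares against salted password hashes.
USERS = {"alice": "correct-horse"}

Key = Tuple[str, str]  # ("user", username) or ("ip", address)


@dataclass
class LoginGuard:
    now: Callable[[], float] = time.time  # injectable clock, so the logic is testable
    failures: Dict[Key, int] = field(default_factory=dict)
    locked_until: Dict[Key, float] = field(default_factory=dict)

    def _is_locked(self, key: Key) -> bool:
        until = self.locked_until.get(key)
        if until is None:
            return False
        if until > self.now():
            return True
        # The cool-down has expired: clear the stale lock and its counter.
        del self.locked_until[key]
        self.failures.pop(key, None)
        return False

    def attempt(self, username: str, password: str, ip: str) -> str:
        """Returns 'ok', 'bad_credentials' or 'locked'."""
        user_key, ip_key = ("user", username), ("ip", ip)
        # Both the account and the source address are checked, as the page describes.
        if self._is_locked(user_key) or self._is_locked(ip_key):
            return "locked"
        stored = USERS.get(username, "")
        if stored and secrets.compare_digest(stored, password):
            # A successful login resets the counters for this account and address.
            self.failures.pop(user_key, None)
            self.failures.pop(ip_key, None)
            return "ok"
        for key in (user_key, ip_key):
            count = self.failures.get(key, 0) + 1
            self.failures[key] = count
            if count >= MAX_FAILURES:
                self.locked_until[key] = self.now() + LOCKOUT_SECONDS
        return "bad_credentials"
```

Two properties worth checking in any implementation of this rule: a locked account stays locked from every address, and a locked address is blocked for every account. The flip side is that anyone who knows a username can lock it out with four bad passwords, and an address-level block also hits everyone behind the same NAT, so log lockout events and monitor them rather than treating the lock as silent.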
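The role check, the dashboard masking and the generic error messages from the three items above, combined into one added Python example (not the project's code). The view is a plain function standing in for whatever web framework the project uses, the user records are constructed, and the masking rule assumed here keeps the first character of the email's local part plus the domain. The role used for the check is the one stored in the server-side user record, never a field supplied by the request.

```python
import functools
import logging

log = logging.getLogger("app")


class Forbidden(Exception):
    """Raised when the caller's role does not permit the view."""


# Constructed user records for the example (hypothetical data).
USERS = [
    {"first_name": "Alice", "last_name": "Smith", "email": "alice.smith@example.com", "role": "admin"},
    {"first_name": "Bob", "last_name": "Jones", "email": "bj@example.org", "role": "user"},
]


def require_role(*roles):
    """Decorator: the current user's server-side role must be one of `roles`."""
    def decorator(view):
        @functools.wraps(view)
        def wrapper(current_user, *args, **kwargs):
            if current_user.get("role") not in roles:
                raise Forbidden()
            return view(current_user, *args, **kwargs)
        return wrapper
    return decorator


def mask_email(email: str) -> str:
    """alice.smith@example.com -> a**********@example.com (assumed masking rule)."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "***"
    return local[0] + "*" * max(1, len(local) - 1) + "@" + domain


def masked_view(record: dict) -> dict:
    """Only the first name and the masked email leave the server."""
    return {"first_name": record["first_name"], "email": mask_email(record["email"])}


@require_role("admin")
def dashboard(current_user):
    return [masked_view(u) for u in USERS]


def handle(view, current_user):
    """Request boundary: detail goes to the server log, the client sees a generic message."""
    try:
        return 200, view(current_user)
    except Forbidden:
        return 403, {"error": "You are not allowed to access this resource."}
    except Exception:
        log.exception("unhandled error in %s", view.__name__)  # stack trace stays server-side
        return 500, {"error": "Something went wrong. Please try again later."}
```

The `handle` boundary is what makes error masking hold across every view: the logged message carries the exception and stack trace for the operator, while the response body is the same fixed string whatever went wrong, so probing the endpoint with odd input yields nothing about table names, file paths or library versions.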
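Server-side validation of a sign-up form, backed by a parameterised query, as an added Python example (not the project's code; `sqlite3` from the standard library stands in for the project's database, and the field rules are assumed). Client-side validation improves the user experience but can be bypassed by anyone who sends the request directly, so the server-side check is the control. The example also shows why validation alone is not the whole SQL injection story: the lookup uses placeholders, so input that skipped validation still reaches the database as data rather than as SQL.

```python
import re
import sqlite3

# Assumed field rules for the example form.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_signup(form: dict) -> dict:
    """Return field -> error message; an empty dict means the form is valid."""
    errors = {}
    username = form.get("username", "")
    email = form.get("email", "")
    first_name = form.get("first_name", "").strip()
    if not USERNAME_RE.match(username):
        errors["username"] = "Use 3 to 32 letters, digits or underscores."
    if len(email) > 254 or not EMAIL_RE.match(email):
        errors["email"] = "Enter a valid email address."
    if not 1 <= len(first_name) <= 50:
        errors["first_name"] = "Enter your first name."
    return errors


def open_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT UNIQUE, email TEXT, first_name TEXT)")
    return db


def create_user(db: sqlite3.Connection, form: dict) -> dict:
    """Validate, then insert with placeholders; returns the validation errors (empty on success)."""
    errors = validate_signup(form)
    if errors:
        return errors
    # The driver sends the values separately; they are never spliced into the SQL text.
    db.execute(
        "INSERT INTO users (username, email, first_name) VALUES (?, ?, ?)",
        (form["username"], form["email"], form["first_name"].strip()),
    )
    db.commit()
    return {}


def find_user(db: sqlite3.Connection, username: str):
    """Lookup that stays safe even for input that never passed validation."""
    return db.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchone()
```

Return the error dict to the client as-is: each message says what the field should contain, which is helpful to a user and uninteresting to an attacker, and matches the error-masking item above.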
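The server side of the reCAPTCHA integration above, as an added Python example (not the project's code). Google's siteverify endpoint, its `secret`, `response` and `remoteip` fields and the `success`, `hostname`, `score`, `action` and `error-codes` response fields are the documented ones; the threshold, the expected hostname and the fake responses used to exercise it offline are assumptions. The HTTP transport is a parameter so the decision logic can be tested without network access, and every branch fails closed.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def _post(url: str, fields: dict) -> dict:
    """Real transport: form-encoded POST, JSON response."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.loads(resp.read().decode())


def verify_recaptcha(token, secret, expected_hostname, remote_ip=None,
                     min_score=0.5, expected_action=None, post=_post):
    """Return (ok, reason).  The token comes from the form; the secret stays on the server."""
    if not token:
        return False, "missing-token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        result = post(VERIFY_URL, fields)
    except Exception:
        # If Google is unreachable, refuse rather than waving requests through.
        return False, "verification-unavailable"
    if not result.get("success"):
        return False, ",".join(result.get("error-codes", [])) or "not-verified"
    # The token is bound to the site key's domain; a token minted elsewhere is rejected.
    if result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    if "score" in result:  # reCAPTCHA v3 responses carry a score and the action name
        if expected_action and result.get("action") != expected_action:
            return False, "action-mismatch"
        if result["score"] < min_score:
            return False, "low-score"
    return True, "ok"
```

Check the result before doing any work for the request (creating the account, sending the email), and treat `timeout-or-duplicate` in `error-codes` as a normal outcome: tokens are single-use and short-lived, so a replayed form submission produces exactly that code.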