Security and Attack Mitigation

Content Security Policy (CSP)

Colectica Repository uses CSP headers to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. CSP makes it possible for server administrators to reduce or eliminate the vectors by which XSS can occur by specifying the domains that the browser should consider to be valid sources of executable scripts. In addition to restricting the domains from which content can be loaded, the server can specify which protocols are allowed to be used.

Strict Transport Security

The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

Parameterized Command Strings

All Colectica products that pass user input to a database do so securely, using parameterized commands rather than string concatenation.

A SQL command string that is built by concatenating user input is vulnerable to SQL injection attacks. In a SQL injection attack, a malicious user supplies input that alters the structure of a query in an attempt to damage or gain unauthorized access to the underlying database. Typical techniques include injection of a single quotation mark or apostrophe, which is the SQL string literal delimiter; two dashes, which begin a SQL comment; and a semicolon, which indicates that a new command follows. Since user input must be part of many Colectica queries, all Colectica database access uses parameterized command strings, so that user input is always bound as a value and never interpreted as part of the query text.
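The following is an added example, not Colectica's own code, showing the difference described above: a lookup built by string concatenation beside the same lookup with a bound parameter. It uses Python's standard sqlite3 module and a constructed in-memory table as a stand-in for whatever database a Colectica product is configured to use.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "editor")],
    )
    return conn


def find_user_concat(conn, name):
    """VULNERABLE: the input is spliced into the SQL text, so quotes,
    comment markers and operators in the input become part of the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """SAFE: the input is bound as a parameter value; the query structure
    is fixed before the value is supplied, so the same input is just data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs illustrating the quote and comment techniques
    # named in the text: one rewrites the WHERE clause, one truncates it.
    for probe in ["alice", "x' OR '1'='1", "alice' --"]:
        print(repr(probe))
        print("  concatenated:", find_user_concat(db, probe))
        print("  parameterized:", find_user_param(db, probe))
```

Running it shows that the concatenated query returns every row for the OR-injection input and still matches alice for the comment-truncated input, while the parameterized query returns only an exact match on the literal name.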

Anti-Cross Site Scripting Library

Colectica Portal uses the Microsoft Anti-Cross Site Scripting Library to protect users from Cross-Site Scripting (XSS) attacks.

XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

  • Colectica uses the Microsoft Anti-Cross Site Scripting library to prevent XSS attacks.

  • Colectica limits the display of user-created content to information created by authenticated users and uses whitelists of allowable text elements.

  • Colectica supports a read-only view of Colectica Portal, which eliminates all user-generated web content.

Note

Thanks to Mozilla MDN for definitions of several web security features.