Usability is a whole article of its own; let's focus on where security fits into the user-interaction end of design.
What are we concerned about? User input, malicious or otherwise.
Starting with web input, there are three things we can do: reduce, restrict and sanitize.
Reduce: data from forms or URL parameters is not trusted; don't accept it unless you need it! Users are a trusting bunch, don't let them down: ENFORCE SSL. Don't even allow plain HTTP access.
Restrict: input can be restricted to a certain set by length, character format or value options. Value options are safest: instead of passing the input on directly, convert it to one or more values from a server-side list. Examples include address fields, product codes, etc.
Setting JavaScript or form validation, e.g. using maxlength or specifying select options, means nothing if we don't also enforce the validation on the server!
Compare expectations to the input instead of using it directly:
if ("expectedData".equals(request.getParameter("data"))) { /* use the known value, not the parameter */ }
Not:
String data = request.getParameter("data"); // raw, untrusted input carried forward
Sanitize: if you must pass user input on, then sanitize it. Here's a simple trick using the Commons Validator library: check every field for alphanumeric characters only.
There's a list of XSS protection tricks at OWASP.
Authentication
Do you use cookies for session authentication? If so, are you using them well?
Use every cookie protection available to protect your users:
- Restrict the cookie to your own domain
- Use the secure flag (of course you're using HTTPS)
- Restrict it to HttpOnly; this requires JDK 6 - see http://www.owasp.org/index.php/HTTPOnly
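As an added example (not code from the original post), here is a small Java servlet helper that puts the Restrict, Sanitize and cookie points together: a server-side list of allowed options replaces the raw parameter, free-text fields are accepted only when purely alphanumeric, and the session cookie carries the domain, secure and HttpOnly flags. The class name, parameter names, country codes and cookie name are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical helper, not part of the original post.
public final class InputGuard {
    // Server-side list of allowed options: the client sends a short code and
    // we substitute our own value, so the raw input is never passed on.
    private static final Map<String, String> COUNTRIES = new HashMap<String, String>();
    static {
        COUNTRIES.put("us", "United States");
        COUNTRIES.put("de", "Germany");
    }
    // Restrict by character format and length, enforced on the server no matter
    // what maxlength or pattern the form declared.
    private static final Pattern ALNUM = Pattern.compile("^[A-Za-z0-9]{1,32}$");

    /** Restrict: map the "country" parameter to a server-side value, or null if unknown. */
    public static String countryFor(HttpServletRequest request) {
        String raw = request.getParameter("country");
        if (raw == null) return null;
        return COUNTRIES.get(raw.toLowerCase(Locale.ROOT)); // unknown codes yield null
    }

    /** Sanitize: accept a free-text parameter only if it is purely alphanumeric. */
    public static String alnumParam(HttpServletRequest request, String name) {
        String raw = request.getParameter(name);
        if (raw == null || !ALNUM.matcher(raw).matches()) {
            return null; // reject outright rather than trying to clean it up
        }
        return raw;
    }

    /** Session cookie carrying the domain, secure and HttpOnly protections. */
    public static void addSessionCookie(HttpServletResponse response, String sessionId, String domain) {
        Cookie cookie = new Cookie("SESSIONID", sessionId); // cookie name is an assumption
        cookie.setDomain(domain);   // restrict the cookie to our own domain
        cookie.setPath("/");
        cookie.setSecure(true);     // browser sends it over HTTPS only
        cookie.setHttpOnly(true);   // not readable from script; Servlet 3.0 API (JDK 6+)
        response.addCookie(cookie);
    }
}
```

Callers use the returned server-side value (or treat null as a rejected request); the raw parameter never reaches the rest of the application.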
