How to secure a web application

Security is a very broad topic that covers many aspects. Given the scope of this book, we will focus mainly on the security concerns a web application itself must handle: authentication, authorization, and preventing attacks such as Cross-Site Scripting (XSS) and SQL/NoSQL injection. Topics such as how to secure a server or how to mitigate a distributed denial-of-service (DDoS) attack will not be covered here.

So, how do we secure a web application? It really comes down to three aspects:

  • Authenticating users
  • Authorizing users
  • Preventing attacks

Let's take TaskAgile as an example. We want only users that we have authenticated to access the application, so people will need to log in before using it; the only exceptions are the registration and login pages, which are publicly accessible. We also want to limit the resources an authenticated user can access to those they have been authorized for. For example, a user should not be able to edit another user's personal information, or view the cards of boards they haven't joined. Finally, we want to prevent attacks from malicious users. Let's look at these three aspects in detail.
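To make the distinction between the first two aspects concrete, here is an added illustration (not TaskAgile's own code, and not from the book) of the rules just described as a small deny-by-default policy: a route-level check that only the registration and login pages are open to anonymous visitors, and object-level checks that a user may edit only their own profile and view only the cards of boards they are a member of. The `Board`, `Card` and `Request` types and the `PUBLIC_PATHS` list are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample model for this example, not TaskAgile's own code.
PUBLIC_PATHS = {"/register", "/login"}  # the only pages open to anonymous visitors

@dataclass
class Board:
    board_id: int
    member_ids: Set[int] = field(default_factory=set)  # users who joined the board

@dataclass
class Card:
    card_id: int
    board_id: int

@dataclass
class Request:
    path: str
    user_id: Optional[int] = None  # None means the visitor has not logged in

def is_authenticated(req: Request) -> bool:
    """Authentication: do we know who is making this request?"""
    return req.user_id is not None

def can_access_path(req: Request) -> bool:
    """Route-level rule: public pages are open; everything else needs a login."""
    return req.path in PUBLIC_PATHS or is_authenticated(req)

def can_edit_profile(req: Request, target_user_id: int) -> bool:
    """Object-level rule: a user may edit only their own personal information."""
    return is_authenticated(req) and req.user_id == target_user_id

def can_view_card(req: Request, card: Card, boards: Dict[int, Board]) -> bool:
    """Object-level rule: a card is visible only to members of its board.
    Deny by default: an anonymous user or an unknown board yields False."""
    if not is_authenticated(req):
        return False
    board = boards.get(card.board_id)
    return board is not None and req.user_id in board.member_ids
```

Note that passing the authentication check alone never grants access to an object; each resource access still goes through its own authorization rule.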
