Web application security - the fast guide 1.1 | Page 31

Chapter 2 - Web Application technologies

HttpOnly is another attribute; it prevents client-side JavaScript from accessing cookie information directly and restricts access to HTTP only.

2.2.5 Securing HTTP:

One problem of the HTTP protocol is that it sends its contents in plain text, so anyone eavesdropping on the line can easily disclose or alter the messages sent; it is therefore important to find a way to secure HTTP messages. The most common approach is to use the HTTPS protocol, which depends mainly on tunneling HTTP messages through the Secure Sockets Layer (SSL) protocol in order to apply encryption and hashing functionality that assures message confidentiality and integrity.

HTTP authentication:

The HTTP protocol itself has three main methods to provide authentication services to different users:

- Basic: the original and most compatible authentication scheme. User credentials are sent with each request in an HTTP header as a Base64-encoded string; it is the least secure scheme.
- NTLM: designed by Microsoft, a challenge-response mechanism that uses a version of the Windows NTLM protocol. It originally had problems, but these were recently resolved, and it is considered more secure than the Digest scheme.
- Digest: added in HTTP version 1.1. Digest authentication is more secure than Basic authentication as it never transfers the actual password across the network, but instead uses it to encrypt a "nonce" field value sent from the server.

2.3 Client side functionalities - HTML

HTML stands for Hyper Text Markup Language. It is a tag-based language whose main function is to set the presentation structure of the document, specifying how the document is going to be rendered by the browser. HTML has been amended frequently and new versions have been developed; the current one is HTML5, which has special capabilities for dealing with multimedia content and enhances searching ability by adding semantic tags. Other standards were also developed, like XHTML, which allows strict control over HTML syntax as an XML-based document.
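The Basic and Digest schemes described under HTTP authentication, as an added example that is not from the book: it builds and decodes a Basic header (showing that the Base64 credentials are readable to anyone on the wire) and computes and verifies an RFC 2617 Digest response, where only a hash bound to the server's nonce is sent. The user name, password, realm, URI and nonce values are constructed for the example.

```python
import base64
import hashlib
import secrets

# Constructed sample values (not from the book); in practice the realm and
# nonce arrive in the server's WWW-Authenticate challenge.
USER, PASSWORD, REALM = "alice", "s3cret", "example-realm"


def basic_header(user: str, password: str) -> str:
    """Basic scheme: the Authorization header carries Base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_decode(header: str) -> tuple:
    """Base64 is an encoding, not encryption: whoever reads the header over
    plain HTTP recovers the credentials with a single decode."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password); a server may store this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 Digest response with qop=auth: the password enters only via HA1,
    so the value on the wire is a hash tied to the server's nonce and this request."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1: str, issued_nonce: str, method: str, uri: str,
                  nc: str, cnonce: str, nonce: str, response: str) -> bool:
    """Server side: reject a nonce it did not issue (replayed exchange), then
    recompute the expected response from stored HA1 and compare in constant time."""
    if not secrets.compare_digest(issued_nonce, nonce):
        return False
    expected = digest_response(stored_ha1, nonce, method, uri, nc, cnonce)
    return secrets.compare_digest(expected, response)
```

A captured Digest response for one nonce is useless against a later challenge, which is what the replay check in server_verify enforces.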