Filed in Development

How to secure Dapps running in the browser

The combination of Cloudflare + Content Security Policy + DNSSEC gives an unprecedented level of protection
Aleksandr Noxon



1) Many people think that applications running in the browser are not secure.
2) However, if a user's browser is hacked, only that user suffers; if the server is hacked, everyone suffers.
3) No one is protected from "man-in-the-middle" attacks,
4) but if all your critical logic lives in the browser, you only have to protect the static content.
5) Cloudflare, which has invested millions of dollars in its security infrastructure, is best suited for this purpose.
6) First of all, activate DNSSEC, which minimizes the threat of a server-substitution attack; it's free.
7) Then add the "integrity" attribute to every JS script on the page (this attribute contains a hash of the JS code; it will be needed later to tell apart scripts modified by an attacker).
8) In Cloudflare, configure a Worker ($5/month) that can modify the headers sent to users' browsers.
9) Learn how the Content-Security-Policy: script-src 'sha256-<base64 hash>' header works.
10) In the Worker, configure the whitelist of hashes from step 7.
11) After that, whatever happens, for example the server is hacked or DNS is substituted, even if an attacker manages to change the page, it will simply stop loading in users' browsers and no one will suffer.
