Web-based Wallet security practices

• Background:
  • Based on Web-Based Self-Custody Wallets Have More Security Risks Than You Might Think (Some Are Unsolvable in the Short Term, I think we need to try to document known security risks and hopefully find ways to mitigate them.
  • ⚠️ Note: This document focuses on security practices specific to the Web-based Self-Custody Wallet and will not cover regular web attacks (but this section is so important that you should not overlook it if you want to learn more).

List

When I was gathering information on security, I found that owasp.org has a lot of relevant research. I recommend checking it out.

• ‼️ browser extension risk

  • As of now, apart from advising users to disable browser extensions, there is no effective way to prevent the use of browser extensions!

• prototype pollution

  • Creating object with Object.create(null)

    • var _obj = Object.create(null);

  • Freezes an object with Object.freeze()

    • Object.freeze(obj);

  • Never use eval()

• software supply chain attacks

  • ‼️ Building Web with LavaMoat

• DNS over TLS (DoT) or DNS over HTTPS (DoH)

• Content Security Policy [Level 2] [Level 3]

  • default-src

    • Associated risk:

      • Cross Site Scripting (XSS)

    • The default-src directive serves as a fallback for the other fetch directives

    • suggest:

      • default-src 'self';

  • connect-src

    • Associated risk:

      • Cross Site Scripting (XSS)

    • suggest:

      • connect-src 'self' https://*.someAPI.com;

  • frame-src

    • Associated risk:

      • Cross Site Scripting (XSS)
      • UI redress attack

    • suggest:

      • frame-src 'none';

  • frame-ancestors

    • Associated risk:

      • UI redress attack

    • Refer: X-Frame-Options

    • suggest:

      • frame-ancestors 'none';
        X-Frame-Options: DENY

  • img-src

    • Associated risk:

      • Cross Site Scripting (XSS)
      • UI redress attack

    • suggest:

      • img-src 'https://*';

  • media-src

    • Associated risk:

      • Cross Site Scripting (XSS)

    • suggest:

      • media-src 'https://*';

  • object-src

    • Associated risk:

      • Cross Site Scripting (XSS)

    • suggest:

      • object-src 'self';

  • script-src

    • Associated risk:

      • Cross Site Scripting (XSS)
      • DOM Clobbering

    • suggest:

      • script-src 'self';

  • worker-src

    • Associated risk:

      • Cross Site Scripting (XSS)

    • suggest:

      • worker-src 'self';

• Cookie - SameSite

  • Associated risk:

    • Cross-Site Request Forgery (CSRF)
    • UI redress attack

  • suggest:

    • SameSite=Strict

• Subresource Integrity (SRI)

  • Associated risk:

    • Subresource Integrity attack

  • suggest:

    • <script integrity="sha384-xxx"...
      <link integrity="sha384-xxx"...

• postMessage origin

  • Associated risk:

    • Cross Site Scripting (XSS)

  • suggest:

    • window.addEventListener('message', function(event) {
        if (event.origin !== 'https://yourWeb.com') {
          return;
        }
      });
      
      otherWindow.postMessage(message, 'https://yourWeb.com');

• X-Content-Type-Options

  • Associated risk:

    • MIME Confusion Attacks

  • suggest:

    • X-Content-Type-Options: nosniff

• HTTP Strict Transport Security (HSTS)

  • Associated risk:

    • manipulator-in-the-middle attack (MitM)

  • suggest:

    • Strict-Transport-Security: max-age=86400; includeSubDomains

Refer

1. web security
2. developer.mozilla.org - Web Security
3. cheatsheetseries.owasp.org - AJAX Security Cheat Sheet
4. portswigger.net - Prototype Pollution
5. medium.com - Creating object with Object.create(null)
6. developer.mozilla.org - Object.freeze()
7. crowdstrike.com - Software Supply Chain Attacks
8. github.com - LavaMoat
9. cloudflare.com - DNS over TLS (DoT) or DNS over HTTPS (DoH)
10. w3.org - Content Security Policy [Level 2]
11. w3.org - Content Security Policy [Level 3]