Migration of Our Homepage

At Aviary, we strive to not only provide our users with a seamless, fast, and fun photo editing experience, but also to safeguard our users and the personal data that is entrusted to us. Recently, the engineering team has undertaken the task of migrating the existing Aviary website to an entirely new backend with revamped databases and code base. This was done primarily to upgrade the existing site to support new features and functionality which we will be rolling out over the coming weeks. However, a parallel goal of this conversion process was to improve the security of our online Aviary accounts and better protect the users who visit our site. Since we were basically starting from scratch, it was a perfect opportunity to review our code from a security perspective. In this post, I would like to provide an introduction to a number of the security measures we take, as well as a brief background of the threats we are protecting against.


Full HTTPS Support

With the latest release of our website, we now use site-wide HTTPS by default for every page, even pages unrelated to a user's account. This feature greatly improves security by preventing other users on the network from eavesdropping on the traffic between Aviary’s servers and its visitors. We now also redirect all non-HTTPS pages to their respective HTTPS versions, essentially forcing the use of this security feature. Besides the enhanced protections this provides, it may also help us improve our search ranking on Google, as the search engine recently announced that they will begin favoring sites that utilize this protocol.


Cookies

Like almost every website on the modern web, Aviary makes use of cookies, small pieces of data stored by the browser on the user's computer to save information about the visit and maintain the state of the user's workflow. Of most importance, from a security standpoint, is the session cookie, which contains the long, random string of characters the web server uses to identify a user who has logged into the site. Without a session, a user would have to log in on every page he or she visits in order to re-authenticate with the server, quite the hassle. To coincide with the rollout of full HTTPS support, we are also now using the "Secure" and "HttpOnly" flags on the session cookies of our site. The Secure flag tells the browser to send the cookie only over HTTPS connections (preventing attackers from fully utilizing SSL-stripping attacks), and the HttpOnly flag tells the browser not to expose the cookie to scripts running in the page (useful in cases where an attack attempts to steal the user's cookie).
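How a session cookie with both flags is issued, and how to audit a captured Set-Cookie header for them, as an added example in Python's standard library (not Aviary's code; the cookie name `sessionid` and the lifetime are assumptions):

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sessionid"  # assumed name; the post does not give Aviary's


def new_session_id(nbytes=32):
    """Session ids are bearer credentials: draw them from the OS CSPRNG, never
    from a timestamp, counter or user id that an attacker could predict."""
    return secrets.token_urlsafe(nbytes)


def session_set_cookie(session_id, max_age=86400):
    """Build the Set-Cookie value for the session cookie with both flags set."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    morsel = jar[SESSION_COOKIE]
    morsel["secure"] = True      # browser sends it only over HTTPS
    morsel["httponly"] = True    # page scripts cannot read it via document.cookie
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["samesite"] = "Lax"   # also limits cross-site sends; Python 3.8+
    return morsel.OutputString()


def missing_cookie_flags(set_cookie_value):
    """Audit helper: given a Set-Cookie header value (for example one captured
    from a staging server), return the required flags that are absent."""
    attributes = set_cookie_value.split(";")[1:]
    present = {attr.strip().split("=", 1)[0].lower() for attr in attributes}
    return [flag for flag in ("secure", "httponly") if flag not in present]
```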


X-Frame-Options

There is an old HTML element on the web called an IFRAME. Essentially, an IFRAME allows one site to embed another site within its pages, while still controlling the outer frame. In the realm of security, IFRAMEs present a threat because they allow attackers to easily trick visitors to a malicious site into thinking they are actually visiting the real site. At the same time, an attacker can overlay hidden elements over the real site to capture any input the user enters, such as usernames and passwords; this class of attack is known as clickjacking. To prevent a site from being "IFRAMEd," our website now sends the header "X-Frame-Options: DENY". This header tells the browser that the site cannot be loaded from within any other page.


More Enhanced Password Hashing

When you enter your password to log into the Aviary Developer account page, it is hashed with bcrypt, a current best-practice password hashing algorithm. This produces a one-way hash of your password that is extremely time consuming to crack on current hardware, because bcrypt is deliberately slow and its cost factor can be raised as hardware improves. If an attacker were to steal your account's password hash, it would take over thirty years to crack a relatively uncommon password.
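The slow, salted, one-way pattern described above, as an added example that is not Aviary's code. bcrypt itself is not in the Python standard library, so this uses `hashlib.pbkdf2_hmac`, a different algorithm with the same shape: a random per-password salt, a tunable work factor stored alongside the hash, and a constant-time verify; the iteration count is an assumption.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor (assumed policy); raise it as hardware gets faster


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing string: algorithm$iterations$salt$digest.
    Storing the parameters with the hash lets old hashes be verified and upgraded."""
    salt = secrets.token_bytes(16)   # unique per password, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != ALGORITHM:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:        # malformed record: wrong field count or bad hex/int
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)   # no early exit on first mismatch


def needs_rehash(stored, iterations=ITERATIONS):
    """True when the stored hash uses a weaker work factor than current policy;
    call this after a successful login and re-hash the plaintext you just verified."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
```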


Strict Transport Security

Another server header that was enabled along with HTTPS support is the "Strict Transport Security," or "STS" (more commonly HSTS), header. This header tells the browser that, for a set period, the site must only be contacted over HTTPS, so the browser upgrades plain http:// links itself rather than sending an insecure request; this helps to prevent attackers from intercepting your connection and removing the encryption that HTTPS provides. This header is now used across our website.
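The three transport-level measures from the HTTPS, X-Frame-Options and Strict Transport Security sections combined in one small WSGI middleware, as an added example that is not Aviary's code: it redirects plain-HTTP requests to HTTPS and adds HSTS and `X-Frame-Options: DENY` to every HTTPS response. The one-year HSTS lifetime and the `X-Forwarded-Proto` proxy convention are assumptions.

```python
from urllib.parse import quote


class SecurityHeadersMiddleware:
    """Wrap a WSGI app: redirect plain HTTP to HTTPS, then add HSTS and
    X-Frame-Options: DENY to every response served over HTTPS."""

    def __init__(self, app, hsts_max_age=31536000):
        self.app = app
        # One year is a common HSTS lifetime (assumption; the post gives no value).
        self.hsts = f"max-age={hsts_max_age}; includeSubDomains"

    def __call__(self, environ, start_response):
        # Behind a TLS-terminating proxy the original scheme arrives in
        # X-Forwarded-Proto; trust that header only when set by your own proxy.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
        if scheme != "https":
            host = environ.get("HTTP_HOST", "localhost")
            target = f"https://{host}{quote(environ.get('PATH_INFO', '/'))}"
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            # No HSTS on this response: browsers ignore the header over plain HTTP.
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            managed = {"strict-transport-security", "x-frame-options"}
            # Drop any copies the app set so the hardened values always win.
            headers = [(k, v) for k, v in headers if k.lower() not in managed]
            headers.append(("Strict-Transport-Security", self.hsts))
            headers.append(("X-Frame-Options", "DENY"))
            return start_response(status, headers, exc_info)

        return self.app(environ, secured_start_response)


def run_request(app, environ):
    """Call a WSGI app directly and return (status, headers dict, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def hello_app(environ, start_response):
    """Trivial upstream app standing in for the real site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]
```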


CSRF Tokens

Whenever a user submits a form on the web, the web server should ensure that the data being submitted is actually coming from a legitimate request made by that user. Cross-site request forgery, or "CSRF," is a security threat where an attacker is able to submit a form as if he or she were the user. Without getting into too many technical details, this is often done by preparing the form's data ahead of time on a malicious site and using the user's existing session with the legitimate site (the browser attaches the session cookie automatically) to submit that data, usually in the background. CSRF tokens prevent these kinds of attacks by rendering a unique, one-time token with the form on the legitimate site, which must be included in the user's subsequent submission; a malicious site cannot read that token, so it cannot produce a valid submission. This process aids in verifying that the request is actually a direct result of the user's actions. These tokens are now included in forms across Aviary's website, helping to ensure that every request is a legitimate one.
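One-time, session-bound CSRF tokens as described above, as an added example that is not Aviary's code: a token is minted when the form is rendered and consumed exactly once on submission, and a token issued to one session is rejected from another. The in-memory store and one-hour lifetime are assumptions.

```python
import hmac
import secrets
import time
from html import escape


class CsrfTokens:
    """Server-side store of outstanding form tokens, keyed by session.
    A real deployment keeps this in the session backend; a dict suffices here."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._outstanding = {}   # session_id -> {token: expiry}

    def issue(self, session_id):
        """Mint a fresh token when the form is rendered."""
        token = secrets.token_urlsafe(32)
        self._outstanding.setdefault(session_id, {})[token] = time.monotonic() + self.ttl
        return token

    def hidden_field(self, session_id):
        """Markup for the form; a page on another origin cannot read this value."""
        return f'<input type="hidden" name="csrf_token" value="{escape(self.issue(session_id))}">'

    def consume(self, session_id, submitted):
        """Accept a token once, only for the session that rendered the form."""
        if not isinstance(submitted, str) or not submitted.isascii():
            return False
        tokens = self._outstanding.get(session_id, {})
        for token in list(tokens):
            if hmac.compare_digest(token, submitted):
                expiry = tokens.pop(token)      # one-time: a replay fails below
                return time.monotonic() <= expiry
        return False   # unknown token, or a token issued to a different session


def handle_post(store, session_id, form):
    """Check the token before doing anything with the submitted data."""
    if not store.consume(session_id, form.get("csrf_token")):
        return 403, "request rejected: missing, reused or foreign CSRF token"
    return 200, f"saved {form.get('name', '')}"
```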


Continued Security

We are committed to continually improving the user experience for all users of Aviary. Of course, you should continue to practice a proactive approach to your own account security; never reuse passwords from other websites or use easy-to-guess passwords. And, as always, feel free to contact us if you suspect your account has been used without your knowledge.