
Important points to consider for Performance Optimization and Security Enhancement of Web Application

Table of Contents
Introduction
1 Application security
1.1 Use HTTPS
1.2 Strict Transport Security Header
1.3 Encryption of Data
1.4 Disable data caching
1.5 Limit the use and storage of sensitive data
1.6 Automate Application Deployment
1.7 Don't Hard code credentials
1.8 Don't disclose too much Information in Error Messages
1.9 Design Review
1.10 Code Review
1.11 Security Testing
1.12 Don't use unvalidated Forwards and Redirects
1.13 Session management
2 Performance
2.1 Practice Coding Standards
2.2 Database Optimization
2.3 Implement secure cache of data
2.4 Data Validation
2.5 Reduce number of plugins and dependency jars
2.6 Code reuse
2.7 Exception Handling
2.8 Code Review
2.9 Host application in a dedicated Environment
Introduction:
As everyone knows, security and performance play a vital role when developing any
application. This document explains some of the basic key points to note when developing
web applications.

1 Application security:
1.1 Use HTTPS:
Ideally HTTPS should be used across the entire application, and the same URLs must not be
accessible via the insecure HTTP channel. The HTTPS certificate should be signed by a reputable
certificate authority, and it should be valid and not expired.

1.2 Strict Transport Security Header:
The Strict-Transport-Security header ensures that the browser does not talk to the server over HTTP.

1.3 Encryption of Data
User passwords must be stored using secure hashing techniques. Encryption keys should be saved
and exchanged over a secure channel. Implement a virtual keyboard whenever the user needs to enter
sensitive information; it helps protect against Trojan programs and also reduces the risk of
password theft.

1.4 Disable data caching
Browser data caching should be disabled using the Cache-Control HTTP headers. Additionally,
sensitive input fields, i.e. username and password
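The two header rules above (1.2 and 1.4) are easy to get subtly wrong, for example an HSTS header with a tiny `max-age`, or a no-cache directive left off a page that carries credentials. The following added example (not code from the original document; framework-agnostic Python using only the standard library) builds the response headers and includes a small checker that parses a `Strict-Transport-Security` value and reports why it is too weak. The one-year minimum `HSTS_MIN_AGE` is an assumption chosen here, not a value from the document.

```python
"""Response headers for HSTS and for not caching sensitive pages, plus an HSTS checker.

Added example, not part of the original document. `security_headers()` returns the
headers to attach to every HTTPS response; `check_hsts()` flags weak HSTS values.
"""
from typing import Dict, Tuple

# Assumed policy: one year in seconds, the usual minimum before browsers accept preload.
HSTS_MIN_AGE = 31536000


def security_headers(sensitive: bool = False) -> Dict[str, str]:
    """Headers to add to a response served over HTTPS.

    `sensitive=True` is for pages carrying credentials or personal data: it forbids
    the browser and any intermediary from storing the response.
    """
    headers = {
        # Only ever talk to this host (and its subdomains) over HTTPS.
        "Strict-Transport-Security": f"max-age={HSTS_MIN_AGE}; includeSubDomains",
    }
    if sensitive:
        headers["Cache-Control"] = "no-store"
        headers["Pragma"] = "no-cache"  # for legacy HTTP/1.0 caches
    return headers


def check_hsts(value: str) -> Tuple[bool, str]:
    """Parse an HSTS header value and report whether it is strong enough.

    Returns (ok, reason). Directives are case-insensitive and separated by ';'.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if "max-age" not in directives:
        return False, "missing max-age"
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return False, "max-age is not an integer"
    if max_age == 0:
        return False, "max-age=0 disables HSTS"
    if max_age < HSTS_MIN_AGE:
        return False, f"max-age {max_age} is shorter than one year"
    if "includesubdomains" not in directives:
        return False, "includeSubDomains missing; subdomains are still reachable over HTTP"
    return True, "ok"


if __name__ == "__main__":
    print(security_headers(sensitive=True))
    print(check_hsts("max-age=300"))
```

A practical use of `check_hsts` is in a deployment smoke test: fetch the login page and assert that the header value passes, so a misconfigured reverse proxy is caught before release.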

1.5 Limit the use and storage of sensitive data
Conduct an evaluation to ensure that sensitive data is not being unnecessarily transported or
stored. Where possible, use tokenization to reduce data exposure risks.

1.6 Automate Application Deployment
Automating the deployment of your application, using continuous integration and continuous
deployment, helps ensure that changes are made in a consistent, repeatable manner in all environments.

1.7 Don't Hard code credentials
Never allow credentials to be stored directly within application code. Hard-coding credentials
significantly increases risk and should be avoided.
1.8 Don't disclose too much Information in Error Messages
Authentication error messages must be clear while, at the same time, not disclosing sensitive
information about the system. For example, if the username is valid and the password is incorrect,
saying so confirms to the attacker that the account exists; instead, report "invalid credentials".
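Sections 1.3 and 1.8 go together: a password must be stored as a salted, slow hash, and the login path must fail the same way whether the username or the password was wrong. The following added example (not from the original document; standard-library Python, with an in-memory dictionary standing in for the user table and a constructed user "alice") uses `hashlib.scrypt` for hashing, `hmac.compare_digest` for constant-time comparison, and a dummy hash computation for unknown usernames so that an unknown account costs the same time as a known one.

```python
"""Password storage with a salted slow hash, and a login that returns one uniform error.

Added example, not the document's own code. The user store is a constructed
in-memory dict; scrypt cost parameters are an assumption to tune per deployment.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# scrypt cost parameters (N must be a power of two); raise N as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

GENERIC_ERROR = "Invalid credentials"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is generated if none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison, so timing does not reveal how many bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Constructed user store: username -> (salt, digest). Plaintext is never kept.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
}

# Dummy credential used when the username is unknown, so an unknown account costs
# the same hash computation as a known one (no timing oracle for user enumeration).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))


def login(username: str, password: str) -> Tuple[bool, str]:
    """Authenticate; on failure the message never says which part was wrong."""
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    ok = verify_password(password, salt, digest)
    if ok and username in USERS:
        return True, "ok"
    return False, GENERIC_ERROR


if __name__ == "__main__":
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong"))
    print(login("nobody", "wrong"))
```

The last two calls in the usage block print the identical error tuple, which is the property 1.8 asks for; the log line written on the server side can still record the precise reason for operators.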

1.9 Design Review
Conduct a risk review with security professionals and threat model the application to identify the
key risks.

1.10 Code Review
Security-focused code review can be one of the most effective ways to find security bugs.

1.11 Security Testing
Conduct security testing both during and after development to ensure the application meets
security standards.

1.12 Don't use unvalidated Forwards and Redirects
An unvalidated forward can allow an attacker to access private content without
authentication. Prevent this by conducting appropriate access control checks before sending the user to
the given location.
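For redirects specifically, the check that matters is on the target URL the user supplied (for example a `next` parameter after login). The following added example (not from the original document; standard-library Python) applies one policy: accept only site-relative paths or absolute URLs whose host is on an explicit allowlist, and fall back to a safe default otherwise. The allowlisted host `app.example.test` is a constructed value.

```python
"""Validate a user-supplied redirect target before sending the browser there.

Added example, not the document's code. Policy: site-relative paths or absolute
URLs on an allowlisted host; everything else falls back to a safe default.
"""
from typing import Iterable
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.test"}  # constructed allowlist for this example
DEFAULT_TARGET = "/"


def safe_redirect_target(target: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                         default: str = DEFAULT_TARGET) -> str:
    """Return `target` if it is safe to redirect to, else `default`."""
    if not target:
        return default
    # Some browsers treat "/\evil" like "//evil"; normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # Site-relative path: must start with exactly one "/" ("//host" is protocol-relative).
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme not in ("http", "https"):
        return default  # rejects javascript:, data:, and protocol-relative "//host"
    host = parts.hostname  # hostname is parsed after any "user@" prefix
    if host is None or host.lower() not in {h.lower() for h in allowed_hosts}:
        return default
    return target


if __name__ == "__main__":
    for candidate in ["/account", "//evil.test/phish", "https://app.example.test/orders",
                      "https://app.example.test@evil.test/", "javascript:alert(1)"]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

The same function serves a server-side forward: resolve the destination first, then run the access-control check 1.12 describes on the resolved resource, not on the raw parameter.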

1.13 Session management
Session tokens must be generated by secure random functions. Session tokens should be
regenerated when the user authenticates to the application. If the user is not active, the application
should automatically log the user out. Implementing an absolute session timeout helps mitigate the
risk of an attacker using a hijacked session. When the user logs out of the application, the session and
corresponding data on the server must be destroyed.
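The five rules in 1.13 map onto a small server-side session store. The following added example (not the document's code; standard-library Python) implements all of them: tokens from the OS CSPRNG, a new token issued at login so a pre-authentication token cannot be fixated, an idle timeout, an absolute timeout, and destruction on logout. The clock is injected so the timeouts can be exercised without waiting; the timeout values are assumptions.

```python
"""Server-side session store covering the rules in section 1.13.

Added example, not from the original document. Timeout values are assumptions;
the clock is injectable so expiry can be tested deterministically.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before automatic logout (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # maximum session lifetime regardless of activity (assumed)


@dataclass
class Session:
    user: Optional[str]          # None until the user authenticates
    created: float
    last_seen: float
    data: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_token() -> str:
        # 32 bytes from the OS CSPRNG; never a counter, timestamp or user id.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Anonymous session, e.g. for a shopping cart before login."""
        now = self._clock()
        token = self._new_token()
        self._sessions[token] = Session(None, now, now)
        return token

    def get(self, token: str) -> Optional[Session]:
        """Return the live session for `token`, destroying it if it has timed out."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.destroy(token)
            return None
        s.last_seen = now
        return s

    def login(self, token: Optional[str], user: str) -> str:
        """Authenticate: issue a fresh token and retire the old one (anti-fixation)."""
        old = self.get(token) if token else None
        data = dict(old.data) if old else {}
        if token:
            self.destroy(token)
        now = self._clock()
        new_token = self._new_token()
        self._sessions[new_token] = Session(user, now, now, data)
        return new_token

    def destroy(self, token: str) -> None:
        """Logout: remove the session and its server-side data."""
        self._sessions.pop(token, None)

    def live_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()
    authed = store.login(anon, "alice")
    print(anon != authed, store.get(anon) is None, store.get(authed).user)
```

The session cookie carrying the token should additionally be set with `Secure`, `HttpOnly` and a `SameSite` attribute; that is a transport concern outside this store, which only governs what the token is worth on the server.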

2 Performance
Just as security is important, performance also has a big value in every application
development. Even site ranking is influenced by the speed of the website. At the end of the day, as a
developer you need to focus on customer satisfaction and user experience. The better your application
performs, the more satisfied a user will be. Loading time defines the performance of your application.
2.1 Practice Coding Standards:
Coding standards make the code consistent and reduce the number of errors. The advantages of
following coding standards are given below:
i. Enhance efficiency
ii. Risk of project failure is reduced
iii. Less complexity
iv. Easy to maintain
v. Bug rectification
vi. Cost efficient

Ref link: https://medium.com/@rhamedy/a-short-summary-of-java-coding-best-practices-31283d0167d3

2.2 Database Optimization
Database optimization is an effective way to increase performance. Optimizing the SQL queries and
the load time of each query invocation is important. Below are a few tips for tuning
database performance.
i. Create optimized indexes
ii. Select limited data instead of fetching complete table data
iii. Provide a proper `where` clause
iv. Avoid foreign key constraints

Ref link: https://www.toptal.com/sql-server/sql-database-tuning-for-developers
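Tips i to iii above can be verified rather than assumed by asking the database for its query plan. The following added example (not from the original document; standard-library Python with the `sqlite3` module on an in-memory database of constructed rows) runs the same lookup before and after creating an index and shows the planner switching from a full table scan to an index search. The `WHERE` clause is parameterised, which both lets the planner use the index and keeps user input out of the SQL text.

```python
"""Show an index turning a table scan into an index search, using SQLite's query planner.

Added example, not the document's code. Uses an in-memory SQLite database filled
with constructed rows; the table and column names are invented for the example.
"""
import sqlite3
from typing import Optional, Tuple

LOOKUP_SQL = "SELECT id, name FROM users WHERE email = ?"  # narrow select, parameterised


def build_db(rows: int = 5000) -> sqlite3.Connection:
    """Create a users table with `rows` constructed rows and no secondary index."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT, bio TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, name, bio) VALUES (?, ?, ?)",
        ((f"user{i}@example.test", f"User {i}", "x" * 200) for i in range(rows)),
    )
    conn.commit()
    return conn


def query_plan(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> str:
    """Return SQLite's EXPLAIN QUERY PLAN output as one string."""
    rows = conn.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return " | ".join(str(r[-1]) for r in rows)  # last column is the human-readable detail


def uses_index(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> bool:
    """True when the plan searches via an index instead of scanning the table."""
    return "INDEX" in query_plan(conn, sql, params).upper()


def add_email_index(conn: sqlite3.Connection) -> None:
    conn.execute("CREATE UNIQUE INDEX IF NOT EXISTS idx_users_email ON users(email)")
    conn.commit()


def find_by_email(conn: sqlite3.Connection, email: str) -> Optional[Tuple[int, str]]:
    """Fetch only the columns needed, never `SELECT *` with its 200-byte bio per row."""
    return conn.execute(LOOKUP_SQL, (email,)).fetchone()


if __name__ == "__main__":
    db = build_db()
    print("before:", query_plan(db, LOOKUP_SQL, ("user1@example.test",)))
    add_email_index(db)
    print("after: ", query_plan(db, LOOKUP_SQL, ("user1@example.test",)))
    print(find_by_email(db, "user42@example.test"))
```

The same check works on production databases (`EXPLAIN` in MySQL/PostgreSQL, `SET SHOWPLAN` in SQL Server); making it part of a test suite catches a dropped or unusable index before it shows up as latency.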

2.3 Implement secure cache of data
Caching is about storing data for future reference. Frequent hits to the database are time
consuming and costly. Analyse in the requirements where you need to implement a cache system and what
kind of data can be stored in the cache. Please refer to the link below to understand the Spring cache system.
https://howtodoinjava.com/spring-boot2/spring-boot-cache-example/
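The "what kind of data" question in 2.3 is the security half of caching: a shared cache must hold only data that is safe to serve to any caller, and entries must expire. The following added example (not from the original document and not Spring's cache; plain Python) is a small TTL cache placed in front of a stand-in database call that counts its invocations, with an explicit allowlist of cacheable key prefixes so per-user or secret data bypasses the cache. The key prefixes and TTL are constructed for the example.

```python
"""A TTL cache in front of an expensive lookup, with an explicit policy of what may be cached.

Added example, not the document's code. `expensive_lookup` stands in for a database
call and counts invocations so the saving is measurable; key prefixes are constructed.
"""
import time
from typing import Any, Callable, Dict, Hashable, Tuple

# Constructed policy: only public catalogue data goes into the shared cache.
CACHEABLE_PREFIXES = ("product:", "category:")


class TTLCache:
    """Bounded cache whose entries expire `ttl` seconds after insertion."""

    def __init__(self, ttl: float, max_entries: int = 1000,
                 clock: Callable[[], float] = time.time):
        self._ttl = ttl
        self._max = max_entries
        self._clock = clock
        self._store: Dict[Hashable, Tuple[float, Any]] = {}  # key -> (expires_at, value)

    def get(self, key: Hashable) -> Any:
        item = self._store.get(key)
        if item is None:
            return None
        expires_at, value = item
        if self._clock() >= expires_at:
            del self._store[key]  # stale data is never served
            return None
        return value

    def put(self, key: Hashable, value: Any) -> None:
        if key not in self._store and len(self._store) >= self._max:
            # Evict the entry closest to expiry to stay within the bound.
            soonest = min(self._store, key=lambda k: self._store[k][0])
            del self._store[soonest]
        self._store[key] = (self._clock() + self._ttl, value)

    def __len__(self) -> int:
        return len(self._store)


DB_CALLS = {"count": 0}  # invocation counter for the stand-in database call


def expensive_lookup(key: str) -> str:
    """Stand-in for a database query."""
    DB_CALLS["count"] += 1
    return f"value-for-{key}"


def cached_lookup(cache: TTLCache, key: str) -> str:
    """Serve from cache only for keys the policy allows; everything else hits the DB."""
    if not key.startswith(CACHEABLE_PREFIXES):
        return expensive_lookup(key)  # e.g. "session:..." or "account:..." is never cached
    value = cache.get(key)
    if value is None:
        value = expensive_lookup(key)
        cache.put(key, value)
    return value


if __name__ == "__main__":
    cache = TTLCache(ttl=60)
    for k in ["product:1", "product:1", "session:abc", "session:abc"]:
        cached_lookup(cache, k)
    print("db calls:", DB_CALLS["count"])  # 3: one product miss, two uncached session reads
```

The bound and the TTL also limit how long a stale or poisoned entry can live; a cache with neither grows without limit and keeps serving whatever was last written.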
2.4 Data Validation
Validate the request data before starting to process it, which saves the time of
unnecessary code execution.

2.5 Reduce number of plugins and dependency jars:
Plugins and dependency jars are common components when implementing an application.
Unfortunately, the more plugins are installed, the more resources are needed to run them. As a result the
website works slower and security issues also appear.

2.6 Code reuse
The main advantage of code reusability is reducing the amount of source code, potentially
decreasing both development and maintenance cost.
Some advantages of code reuse:
i. Avoid code duplication
ii. Easy to maintain the code
iii. Reduce source code
iv. Cost effective
v. Shorter development time

2.7 Exception Handling
Ensure proper exception handling is implemented in each service, which will help your
application run smoothly. If you don't handle errors, your program may crash and it will be difficult for
other developers to analyse it.

2.8 Code Review
Code review is a phase in the development process. Finding and correcting errors at this stage is
relatively inexpensive. It can be especially productive for identifying security vulnerabilities.
SonarQube is an open source platform used to manage source code quality. It makes
management of code quality possible for any developer in the team. You can install and configure
SonarQube in Eclipse as a plugin.

2.9 Host application in a dedicated Environment
Choosing a dedicated environment for the application can improve performance and
scalability.
A few advantages of choosing a dedicated environment to host the application are given below:
i. Server resources are not shared
ii. Enhanced performance and security
iii. Flexibility
iv. Unique IP address
