How to Secure Web Applications in a Static and Dynamic World

Okta sponsored this podcast.
Netlify is a popular static “Jamstack” website-hosting platform used by over a million web developers. But while Netlify is popular thanks to its simplicity, the security it offers for static environments is of interest as well.
Web security is the theme of the latest episode in our new series “Security @ Scale” on The New Stack Makers with Okta. The series explores security in modern environments with stories from the trenches, including security horror stories and fantastic failures.
In this episode, co-hosts Alex Williams, founder and publisher of The New Stack, and Randall Degges, head of developer advocacy at security services provider Okta, speak with guest Dustin Rogers, staff application security engineer, Netlify, about all things related to static web security management.
Degges noted that static websites help organizations avoid many security-related and other operational problems, and thus require less maintenance. Rogers agreed, noting that while many security best practices apply to both static and dynamic website management, Netlify can do much of the heavy lifting for DevOps teams, such as header management.
Okta Series – How to Secure Web Applications in a Static and Dynamic World w/ Dustin Rogers
The developer is ultimately responsible for security. Static websites, for example, while requiring less security maintenance and posing fewer potential vulnerabilities than dynamic websites do, still must be maintained. “I just want to make sure it’s said that security can still fall to the developer, even in the Jamstack world,” said Rogers. “But we like to think that these are made easier.”
At the same time, static sites are typically not completely static, either. Typical “dynamic things that people want to do” include adding form data and form-information storage and “pulling in information from external APIs, such as databases wrapped with APIs or pseudo database interaction,” said Rogers.
“These are some of the ways people are pulling in dynamic data into their Jamstack sites,” said Rogers.
Dynamic JavaScript (JS) frameworks, including React, can offer a number of advantages in this context. “I think the big advantage of dynamic JS frameworks, such as React, is the ability to reuse the JS code,” said Rogers. “So, it’s bundled, and we see a decrease in size, making it easier to render. This is especially true for mobile apps, because mobile environments are lighter-weight generally, and need the speed to process.”
One of the security mistakes developers can make on a static website, such as one hosted on Netlify’s platform, is passing sensitive values unencrypted as query parameters.
“For years, I was starting to see less of this, but now I feel like I’m seeing it more — at a minimum, placing these inside a post form makes more sense, I think. But the reason I think people are using query parameters often has to do with portability — clickable URLs, such as those sent in marketing emails,” said Rogers. “We guarantee cache-control… but if a value is sensitive, you want, as the developer, to protect it as much as possible. That’s one thing that I see quite often that I cringe at.”
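The risk Rogers describes is that a query string travels through places the developer does not control (browser history, server and CDN access logs, Referer headers, shared links), while a value sent in a POST body does not appear in those logs. As an added example, not code from the podcast or from Netlify, the script below audits constructed access-log lines for sensitive-looking parameter names; the list of names is an assumption.

```python
"""Flag sensitive values carried in URL query strings of access-log lines."""
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names that commonly carry credentials or personal data (assumed list).
SENSITIVE_PARAMS = {"token", "password", "passwd", "api_key", "apikey",
                    "session", "sessionid", "email", "ssn", "reset_token"}

# Request portion of a common-log-format line: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def sensitive_params(target):
    """Return the sorted names of query parameters in `target` that look sensitive."""
    query = urlsplit(target).query
    names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_PARAMS)


def audit_log(lines):
    """Return (method, path, [sensitive params]) for each request exposing them."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a recognizable request line
        hits = sensitive_params(m["target"])
        if hits:
            findings.append((m["method"], urlsplit(m["target"]).path, hits))
    return findings


# Constructed sample access-log lines. The POST carries its values in the body,
# which the log never records; the GET puts them in the query string, which it does.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /reset?reset_token=abc123&email=a%40example.com HTTP/1.1" 200 512',
    '203.0.113.6 - - [01/Jan/2024:10:00:01 +0000] "POST /reset HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html?utm_source=newsletter HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for method, path, hits in audit_log(SAMPLE_LOG):
        print(f"{method} {path} exposes {', '.join(hits)} in the query string")
```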