Security for content-driven web app backends

Backend security, also known as server-side security, refers to the practices used to protect the backend components of a web application, including servers, server-side code, databases, and API endpoints, from threats and vulnerabilities. Security is an essential aspect of web application development since it ensures the confidentiality, integrity, and availability of private customer data.

One of the advantages of using Backend as a Service products is that a lot of the threat management work is done for you. But even the most secure backend can be made insecure by, for example, setting incorrect user permissions.

When developing a content-driven web application, it is essential to utilize programming techniques, configuration and setup best practices, tooling, infrastructure, and services to mitigate potential threats or risks. The OWASP Top Ten provides an overview of current and emerging web application security risks and how they can be mitigated on Google Cloud.

Web Application Firewalls

A Web Application Firewall (WAF), such as Google Cloud Armor, is a security solution designed to protect web applications from a variety of online threats, including common web vulnerabilities and attacks. WAFs act as a layer between external requests and your internal systems, and are often integrated directly at the load balancer or endpoint where external traffic is received. They monitor and analyze incoming requests against security policies that permit or deny traffic, blocking malicious requests and potential threats. WAFs are often used with other security measures, including regular security testing, secure coding practices, and network security controls, to create a comprehensive security strategy for web applications. Many cloud providers offer WAF services that can be integrated into web application hosting environments.
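The following is an added example, not code from the original page or from Cloud Armor: a simplified Python model of a policy that permits or denies traffic, showing how rule order alone can leave an admin path open. The `Rule` fields, the first-match-by-priority evaluation, the default action, and the sample policies are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: int                       # lower number is evaluated first
    action: str                         # "allow" or "deny"
    src_ranges: tuple = ("0.0.0.0/0",)  # source CIDRs the rule applies to
    path_prefix: str = "/"              # request path prefix the rule applies to

    def nets(self):
        return [ipaddress.ip_network(c) for c in self.src_ranges]

    def matches(self, src_ip, path):
        ip = ipaddress.ip_address(src_ip)
        return path.startswith(self.path_prefix) and any(ip in n for n in self.nets())

def evaluate(rules, src_ip, path, default="deny"):
    """First matching rule in priority order wins; unmatched traffic gets the default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, path):
            return rule.action, rule.priority
    return default, None

def covers(a, b):
    """Conservative check: each of b's ranges lies inside one of a's, and b's prefix extends a's."""
    return b.path_prefix.startswith(a.path_prefix) and all(
        any(nb.version == na.version and nb.subnet_of(na) for na in a.nets())
        for nb in b.nets())

def shadowed(rules):
    """Priorities of rules that can never fire because an earlier rule covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    return [b.priority for i, b in enumerate(ordered)
            if any(covers(a, b) for a in ordered[:i])]

# Constructed policies; the addresses are documentation ranges (RFC 5737).
OFFICE = ("198.51.100.0/24",)
MISORDERED = [  # the broad allow is evaluated first, so the /admin/ rules never fire
    Rule(1000, "allow"),
    Rule(2000, "allow", OFFICE, "/admin/"),
    Rule(3000, "deny", path_prefix="/admin/"),
]
CORRECTED = [   # most specific rules first, broad allow last
    Rule(1000, "allow", OFFICE, "/admin/"),
    Rule(2000, "deny", path_prefix="/admin/"),
    Rule(3000, "allow"),
]

if __name__ == "__main__":
    for name, policy in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        print(name, evaluate(policy, "203.0.113.7", "/admin/users"), shadowed(policy))
```

Running a check like `shadowed` over a policy before it is deployed catches deny rules that exist on paper but are never reached.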

Learn more about setting up Google Cloud Armor to secure your backend.

Proxy layer for incoming traffic

An incoming proxy layer, often referred to as a reverse proxy, is a network security component that sits between client requests and web servers, applications, or services. It handles incoming requests on behalf of the servers behind it, acting as an intermediary. It provides several benefits, including security, load balancing, caching, and routing.

Managed proxy (or facade) layers are network infrastructure components outsourced to a third-party provider or a managed service that oversees the deployment, maintenance, and operation of proxy servers for an organization. Managed proxy layers enhance network security, optimize performance, and provide additional networking functions. By utilizing managed proxy layers, you can offload the operational and administrative responsibilities associated with networking components, reducing the burden on in-house IT teams. These services are often scalable and can be customized to meet specific security or compliance requirements.

For example, for an externally accessible API, Apigee is a cloud-native API management platform that provides features to manage traffic, isolate requests, and enforce security policies before traffic reaches the backend.

Service best practices

Consider the security best practices for the services your application is using and follow their advice. For example, for Cloud Run, make sure to authenticate your requests and secure your cloud resources. For Cloud SQL, follow the best practices for configuring, architecting, and managing your data.

A secret management system like Secret Manager handles the secure storage and management of your application's secrets, such as API keys, certificates, and cryptographic keys, and controls access to them. These services can be connected to your other backend services through connectors, allowing your backend systems to access your secrets securely.

If you use any other APIs, SDKs or services in your backend, also research and follow their best practices. For example, if you use a Google Maps Platform service, follow the recommended best practices for handling API keys and protecting your application.

Monitoring and alerting, including logging and auditing access, are also important aspects to consider.

The Google Cloud security best practices provide general blueprints and overviews of secure architecture and app designs. The Security Command Center includes a suite of tools for security and risk management on Google Cloud, including automated tooling to identify misconfigurations, vulnerabilities, and other risks.

Development best practices

Follow the best practices for the framework and language you use to implement the backend. Most popular web frameworks have published guides and best practices to follow.

Consider automated analysis tooling as part of your development or build pipeline to help identify potential issues.

The OWASP Web Security Testing Guide provides a testing framework that is specifically targeted at web applications.