At which tiers of a web application should developers enforce security?

Question

BlackTom AI · Accepted Answer

Defense-in-depth requires enforcing security at every tier: client/server communications, the application layer, and the database layer.

1) Relevant knowledge points and concepts
- Transport security (encrypted client/server communications): use TLS/HTTPS with proper certificate validation to protect data in transit from eavesdropping and tampering.
- Application-level password/security controls: enforce strong authentication, password hashing (bcrypt/argon2 + salt), input validation, session management, and authorization checks to prevent logic and credential attacks.
- Database-level protections: encrypt sensitive data at rest, use least-privilege access controls, and audit/log database access to limit damage if the application is breached.

2) Step-by-step reasoning
- Step 1: If communications are not encrypted, attackers can capture credentials in transit even if they are hashed at rest. Therefore transport encryption is necessary.
- Step 2: If the application stores or verifies passwords insecurely (e.g., plaintext or weak hashes), database encryption alone won’t prevent credential theft or replay attacks. So application-level password handling (hashing, salting, rate-limiting) is necessary.
- Step 3: If the database is unprotected, attackers who gain access to backups or the DB server can recover stored secrets. Database-level encryption and access controls mitigate this risk.
- Step 4: Each layer guards against different threat vectors; combining them covers more attack scenarios.

3) Intermediate steps / examples
- Example: User sends password over HTTPS (protects in transit) → server verifies with argon2-hashed value (protects during processing) → database stores only salted hashes and is encrypted at rest (protects backups/DB compromise).

4) Why the correct answer is correct
Because securing only one tier leaves exploitable gaps. The most resilient posture is layered controls across transport, application, and data stores—hence "All options listed here."

5) Why other options are incomplete
- Encrypted client/server communications: protects transit but not breaches at app or DB.
- Application-level password security: crucial but cannot stop network eavesdropping or DB compromise alone.
- Database-level password security: protects data at rest but not captured credentials in transit or mishandled by the app.

6) Conclusion
All three tiers must enforce security; therefore the correct choice is "All options listed here," matching the provided answer.

At which tiers of a web application should developers enforce security?单项选择题

类似问题

Which of the following should not be done using client-side scripting?

Question at position 24 Before entering credit card or other sensitive data on a web page, you should make sure it is using the ________ protocol.httphttpssftpftp

Question at position 8 ________ is a social network attack where clicking on a link allows malware to post unwanted links on your page.LinkjackingClickbaitingSharebaitingClickjacking

What types of attacks does Microsoft IIS help protect against?

An online purchase web application which lets javascript in the browser filter out invalid negative payment amounts is vulnerable to __________.

Attackers may perform reconnaissance on your website by changing parameters using a man-in-the-middle proxy.

Content Security Policy (CSP) is enforced by

SQL injection vulnerability could be used to launch reflective cross site scripting attack.

更多留学生实用工具

智能学习助手

风格化写作助手

论文查重助手

文献引用助手

课堂转译助手

课堂笔记助手

Quiz搜索助手

学校历年真题

智能刷题助手

智能匹配练习

希望你的学习变得更简单