Web Application Security — Canadian Baseline Control BC.11
What the Canadian Centre for Cyber Security Recommends
The Canadian Centre for Cyber Security (CCCS) addresses web application security in Baseline Control 11 (BC.11, Secure Websites) of its Baseline Cyber Security Controls for Small and Medium Organizations (ITSM.10.089). Organizations that operate websites, web portals, e-commerce platforms, or any web-based applications should implement protective measures to defend against common web-based attacks. This includes encrypting web traffic, validating user input, keeping web software up to date, and monitoring for known vulnerabilities.
Web applications are frequently targeted because they are publicly accessible and often process sensitive data such as customer information, payment details, and login credentials. The CCCS guidance recognizes that even small organizations with basic websites face these risks and should take steps to protect their web presence.
HTTPS Everywhere
All web traffic should be encrypted using HTTPS (Hypertext Transfer Protocol Secure). HTTPS protects data transmitted between a user's browser and your web server from interception and tampering.
Implementing HTTPS involves obtaining and installing a TLS (Transport Layer Security) certificate on your web server. Many hosting providers and services such as Let's Encrypt offer TLS certificates at no cost. Once HTTPS is enabled, organizations should:
- Redirect all HTTP traffic to HTTPS — ensure that users who visit the non-encrypted version of your site are automatically redirected to the encrypted version
- Use current TLS versions — disable outdated protocols such as SSL 3.0, TLS 1.0, and TLS 1.1, and use TLS 1.2 or TLS 1.3
- Enable HSTS (HTTP Strict Transport Security) — this response header tells browsers to connect to your site only over HTTPS for the period you specify, so a later plain-HTTP link or a stripped redirect cannot be used to downgrade the connection, and it stops users from clicking through certificate warnings on your domain. Start with a short max-age while testing, and include subdomains only once every subdomain serves HTTPS
- Renew certificates before expiry — expired certificates cause browser warnings that erode user trust and teach users to click through the very warnings that protect them. Automate renewal where you can: Let's Encrypt certificates are valid for 90 days and are designed to be renewed by an ACME client rather than by hand
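The four practices above expressed as code, as an added example that is not part of the page or of the CCCS guidance. It uses only the Python standard library: a server-side TLS context that refuses SSL 3.0, TLS 1.0 and TLS 1.1; a WSGI middleware that redirects plain HTTP to HTTPS and adds the HSTS header; and a helper that computes how many days remain on a certificate. The canonical hostname, the HSTS value and the sample requests are this example's own assumptions.

```python
# Added example (not from the page or the CCCS guidance): HTTPS everywhere in code.
# The canonical hostname, header values and sample requests below are assumptions.
import ssl
from urllib.parse import quote

# One year, covering subdomains. Use a short max-age (e.g. 300) while testing, and
# add "preload" only once every subdomain serves HTTPS permanently.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def make_server_tls_context(certfile=None, keyfile=None):
    """Server-side TLS context that refuses SSL 3.0, TLS 1.0 and TLS 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        # e.g. a Let's Encrypt fullchain.pem / privkey.pem pair
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def https_everywhere(app, canonical_host):
    """WSGI middleware: 301 plain HTTP to HTTPS, add HSTS on HTTPS responses."""
    def wrapped(environ, start_response):
        # Behind a reverse proxy, make the server set wsgi.url_scheme from a
        # trusted X-Forwarded-Proto header; never trust that header from clients.
        if environ.get("wsgi.url_scheme", "http").lower() != "https":
            # Redirect to the configured hostname, not the client-supplied Host
            # header, so the redirect cannot be steered to another site.
            path = quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{canonical_host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            # Browsers only honour HSTS received over HTTPS, so it is added here,
            # not on the redirect response above.
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_response_with_hsts)
    return wrapped


def days_until_expiry(not_after, now_epoch):
    """Days left on a certificate, given the notAfter string in the form OpenSSL
    prints it ("Mar 10 00:00:00 2031 GMT"). Alert well before this reaches zero."""
    return (ssl.cert_time_to_seconds(not_after) - now_epoch) / 86400


# --- a tiny application and an in-process harness (constructed, no network) ---
def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, environ):
    """Invoke a WSGI app and return (status, headers as a dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def demo():
    """One plain-HTTP request (with a hostile Host header) and one HTTPS request."""
    app = https_everywhere(hello_app, "www.example.ca")
    http_req = {"wsgi.url_scheme": "http", "HTTP_HOST": "evil.example",
                "PATH_INFO": "/login", "QUERY_STRING": "next=%2Faccount"}
    https_req = {"wsgi.url_scheme": "https", "HTTP_HOST": "www.example.ca",
                 "PATH_INFO": "/login"}
    return call(app, http_req), call(app, https_req)


if __name__ == "__main__":
    redirect, secure = demo()
    print(redirect[0], redirect[1]["Location"])
    print(secure[0], secure[1]["Strict-Transport-Security"])
```

The redirect deliberately ignores the Host header the client sent: redirecting to whatever host the client supplies turns the HTTP listener into an open redirect. In production the same three settings (TLS floor, redirect, HSTS) normally live in the web server or load balancer configuration rather than in application code, but the behaviour to verify is identical.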
Input Validation
Every piece of data that a user submits to your web application — form fields, URL parameters, file uploads, API requests — should be validated before the application processes it. Input validation is a primary defence against many of the most common web application attacks.
Without proper input validation, attackers can inject malicious code into your application. The two most prevalent injection attacks are:
- SQL injection — where an attacker inserts database commands into input fields, potentially gaining access to or modifying your entire database
- Cross-site scripting (XSS) — where an attacker injects malicious scripts that execute in other users' browsers, potentially stealing session tokens or credentials
Effective input validation practices include:
- Validate input on both the client side (browser) and server side — server-side validation is essential, as client-side validation can be bypassed
- Use allowlists (accept only known-good input) rather than denylists (block known-bad input) wherever possible
- Use parameterized queries or prepared statements for all database interactions to prevent SQL injection
- Encode output to prevent XSS — escape data at the point it is written into a page, using the encoding for that context (HTML body, attribute, JavaScript, or URL), rather than trying to strip dangerous characters on input
- Limit file upload types, sizes, and storage locations
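The two injection flaws named above, each beside its fix, as an added example that is not code from the page or from the CCCS guidance. It runs against an in-memory SQLite database with a few rows constructed here; the table, column and function names are this example's own. The vulnerable query returns every user when given a classic tautology, the parameterized query returns none, and the same input fails the allowlist check before it ever reaches the database.

```python
# Added example (not from the page or the CCCS guidance): SQL injection and XSS,
# vulnerable and fixed forms side by side. Data and names are constructed.
import html
import re
import sqlite3


def seed_db():
    """Tiny user table so the queries below have something to return."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.ca"), ("bob", "bob@example.ca")])
    return conn


def find_user_vulnerable(conn, username):
    # VULNERABLE: the user's text becomes part of the SQL statement itself
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # FIXED: a parameterized query. The value travels separately from the SQL
    # text and is compared as data whatever characters it contains.
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


# Allowlist validation: a username is 3 to 32 lowercase letters, digits or underscores.
# Anything else is rejected outright instead of being "cleaned".
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting_vulnerable(display_name):
    # VULNERABLE: user-controlled text written into HTML unescaped
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_safe(display_name):
    # FIXED: encode for the HTML body context at the point of output
    return f"<p>Welcome, {html.escape(display_name)}</p>"


# Constructed probes: a tautology for SQL, a script tag for HTML
SQLI_PROBE = "' OR '1'='1"
XSS_PROBE = "<script>alert(document.cookie)</script>"


if __name__ == "__main__":
    db = seed_db()
    print("vulnerable:", find_user_vulnerable(db, SQLI_PROBE))   # every row
    print("parameterized:", find_user_safe(db, SQLI_PROBE))      # nothing
    print("allowlist accepts probe:", is_valid_username(SQLI_PROBE))
    print(render_greeting_safe(XSS_PROBE))
```

Validation and encoding are separate controls: the allowlist rejects input that can never be a legitimate username, while the parameterized query and output encoding protect fields such as a display name that must legitimately contain apostrophes and angle brackets.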
Software Updates and Patch Management
Web applications depend on multiple software layers — the content management system (CMS), plugins, themes, frameworks, programming language runtimes, web server software, and the underlying operating system. Each of these components may contain vulnerabilities that attackers can exploit.
The CCCS emphasizes keeping all software components up to date as a critical web security practice. This aligns with Baseline Control BC.2 (Patch Management). Specific recommendations include:
- Apply security patches promptly — prioritize patches for internet-facing components, as these are most exposed to attack
- Update CMS platforms and plugins regularly — WordPress, Drupal, Joomla, Shopify apps, and similar platforms frequently release security updates
- Remove unused plugins and themes — each installed component increases your attack surface, even if it is deactivated
- Subscribe to security advisories — monitor announcements from your CMS vendor, hosting provider, and software framework developers
- Test updates before deploying to production — use a staging environment where possible to verify that updates do not break functionality
Web Application Firewalls
A web application firewall (WAF) inspects incoming web traffic and blocks requests that match known attack patterns. A WAF provides a layer of defence between the internet and your web application, filtering out malicious requests before they reach your application code.
WAFs can be deployed in several ways:
- Cloud-based WAF services — provided by vendors such as Cloudflare, AWS WAF, or Azure WAF; these require minimal configuration and are often the most practical option for small and medium organizations
- Host-based WAFs — installed directly on your web server, such as ModSecurity
- Managed WAF services — offered by hosting providers as an add-on feature
A WAF should be considered an additional layer of defence, not a replacement for secure coding practices. WAFs are effective at blocking known attack patterns but may not catch novel or application-specific vulnerabilities. A WAF also protects only the traffic that passes through it: if your origin server still accepts connections directly from the internet, an attacker who learns its address can bypass the WAF entirely, so restrict the origin to accept traffic only from the WAF.
Secure Development Practices
Organizations that develop their own web applications — or commission custom development — should incorporate security throughout the development lifecycle. The CCCS guidance recommends that security is considered from the design phase, not added as an afterthought.
Key secure development practices include:
- Security requirements — define security requirements at the beginning of each project, including authentication, authorization, data protection, and logging
- Code reviews — have a second developer review code for security issues before deployment
- Automated security testing — use static application security testing (SAST) and dynamic application security testing (DAST) tools to identify vulnerabilities
- Dependency management — track third-party libraries and components used in your application and monitor them for known vulnerabilities
- Secure defaults — configure applications with secure settings by default, aligned with Baseline Control BC.4 (Secure Configuration)
- Error handling — ensure that error messages do not expose sensitive information such as database structures, file paths, or stack traces
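The error-handling practice above as an added example, not code from the page or from the CCCS guidance. It shows a handler that returns the raw traceback beside one that logs the detail server-side under a reference id and gives the user only that id, with a check that the safe response contains none of the markers a leaky error page exposes. The logger name, message wording and simulated failure are this example's own.

```python
# Added example (not from the page or the CCCS guidance): error responses that do
# not leak internals. Logger name, wording and the simulated failure are assumptions.
import logging
import traceback
import uuid

log = logging.getLogger("webapp")


def error_response_vulnerable(exc):
    # VULNERABLE: sends file paths, line numbers, library names and the failing
    # query text to whoever triggered the error
    detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    return 500, "Internal error:\n" + detail


def error_response_safe(exc):
    # FIXED: the traceback goes to the server log keyed by a reference the user
    # can quote to support; the client sees only that reference
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s unhandled %s", ref, type(exc).__name__, exc_info=exc)
    return 500, f"Something went wrong. Please contact support and quote reference {ref}."


def leaks_internals(body):
    """True if a response body contains things an error page should never show."""
    markers = ("Traceback", 'File "', ".py", "line ", "sqlite3", "SELECT ")
    return any(marker in body for marker in markers)


def simulate_failure():
    """Raise a realistic exception (constructed) and return both response styles."""
    try:
        raise RuntimeError("SELECT * FROM users failed: no such table")
    except RuntimeError as exc:
        return error_response_vulnerable(exc), error_response_safe(exc)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    bad, good = simulate_failure()
    print("vulnerable leaks internals:", leaks_internals(bad[1]))
    print("safe leaks internals:", leaks_internals(good[1]))
    print(good[1])
```

The reference id is what makes the generic message usable: support staff search the server log for it and see the full traceback, while the user-facing page stays free of anything an attacker could use to map the application.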
OWASP Top 10 Awareness
The Open Worldwide Application Security Project (OWASP, known until 2023 as the Open Web Application Security Project) publishes the OWASP Top 10, a widely recognized list of the most critical web application security risks. The CCCS references OWASP as a resource for organizations seeking to understand and mitigate common web vulnerabilities.
The current (2021) OWASP Top 10 includes risk categories such as:
- Broken access control — users can act outside their intended permissions
- Cryptographic failures — sensitive data is not properly encrypted
- Injection — untrusted data is sent to an interpreter as part of a command or query
- Insecure design — security flaws in the application's architecture
- Security misconfiguration — default or incomplete security settings
- Vulnerable and outdated components — use of libraries or frameworks with known vulnerabilities
- Server-side request forgery (SSRF) — the application can be tricked into making requests to unintended destinations
Organizations do not need to become OWASP experts, but awareness of these common risk categories helps inform better decision-making about web application security. The OWASP Foundation provides free resources, checklists, and testing guides at owasp.org.
Getting Started
For Canadian small and medium organizations looking to improve web application security, the CCCS Baseline Controls suggest starting with the highest-impact measures:
- Enable HTTPS on all web properties and redirect all HTTP traffic
- Update all web software — CMS, plugins, themes, and server software — to current versions
- Remove unused plugins, themes, and accounts from your web applications
- Implement a web application firewall — a cloud-based WAF can often be deployed in under an hour
- Review input handling — ensure that forms and data inputs are validated server-side
- Take the free cybersecurity assessment to evaluate your organization's posture across all 13 Baseline Controls
Frequently Asked Questions
Do small businesses in Canada need to worry about web application security?
Yes. Any organization that operates a website, web portal, or web-based application is a potential target. The Canadian Centre for Cyber Security includes web application security as one of its 13 Baseline Controls (ITSM.10.089) specifically because web-facing systems are among the most commonly exploited attack surfaces.
What is the most important first step for web application security?
Enabling HTTPS across your entire website is the most impactful first step. HTTPS encrypts data in transit between your users and your server, preventing interception of sensitive information. The CCCS recommends HTTPS everywhere as a foundational web security measure.
Is a web application firewall required under Canadian cybersecurity guidelines?
The CCCS Baseline Controls recommend implementing a web application firewall (WAF) as a protective measure for web-facing applications. While not a legal requirement, a WAF provides an additional layer of defence against common web attacks and is considered a best practice for Canadian organizations of all sizes.
Disclaimer: The information provided on this website is for general educational and informational purposes only and does not constitute professional cybersecurity, legal, IT, compliance, or risk management advice. All content, including assessment results, scores, grades, and recommendations, is provided on a best-effort, "as is" basis without warranties of any kind. We expressly disclaim liability for any errors, omissions, or inaccuracies. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation. Use of this website or the assessment tool does not create a professional-client relationship. See our Terms of Use for full details.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
How does your organization score on Web Application Security?
Take our free cybersecurity assessment to evaluate your organization across all 13 Baseline Controls. 50 questions, under 30 minutes, 100% confidential — your answers never leave your browser.