A detailed article on Web SQL Database security is here
Quick Checklist:
- Use Prepared Statements to prevent SQL Injection
- Encode data fetched from database before displaying to prevent Cross-site Scripting
- Do not store sensitive information in the client-side database
- Ensure explicit per system user permission before storing data
- Use unique database names to minimize data loss in client-side attacks
- Create the database over SSL to prevent DNS spoofing/browser phishing attacks
- Do not trust client-side data
Demos:
- SQL Injection in Web SQL Database - Secure + Insecure Demo
- Cross-site Scripting in Web SQL Database - Insecure Demo 1
- Cross-site Scripting in Web SQL Database - Insecure Demo 2
- Cross-site Scripting in Web SQL Database - Secure Demo
- Using a unique database name to store information - Secure Demo
A detailed article on Cross Origin Request security is here
Quick Checklist:
- Do not have a universal allow setting
- Do not have too many pages/features exposed to COR
- Do not use Origin header in Access Control decisions
- Return user-specific information only to COR with valid credentials
- Do not cache preflight responses for too long
- Validate COR request and response even from trusted sites
- Do not process rogue COR
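As an added example that is not part of the original page, the following Node-style server logic applies several items of the checklist above: no universal allow setting (the Origin is matched against an explicit allow-list and echoed back, never `*`), a bounded preflight cache lifetime, and the Origin header used only to select CORS headers while the access-control decision itself rests on the session credential. The allow-list, session store and handler names are constructed for this example.

```javascript
// Added example (not from the original page): CORS handling that follows the
// checklist. Origin is matched against an explicit allow-list (no "*"),
// preflight caching is bounded, and the Origin header is never the basis of
// the authorisation decision; that comes from the session credential alone.

// Assumed allow-list of trusted origins (constructed for this example).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

const MAX_PREFLIGHT_AGE_SECONDS = 600; // 10 minutes, not days

// Returns the CORS headers to attach, or null to reject the cross-origin request.
function corsHeadersFor(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return null; // unknown origin: no Access-Control-Allow-Origin at all
  }
  return {
    'Access-Control-Allow-Origin': origin, // echo the matched origin, never '*'
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Max-Age': String(MAX_PREFLIGHT_AGE_SECONDS),
    'Vary': 'Origin', // keep shared caches from serving one origin's headers to another
  };
}

// Assumed session store (constructed): maps session cookie value -> user id.
const SESSIONS = new Map([['s3cr3t-session', 'alice']]);

// Decides what a user-data endpoint returns. Authorisation depends only on the
// session credential; the Origin header merely selects the CORS headers.
function handleUserDataRequest({ origin, sessionCookie }) {
  const cors = corsHeadersFor(origin);
  if (!cors) return { status: 403, headers: {}, body: null }; // rogue COR: not processed
  const user = SESSIONS.get(sessionCookie);
  if (!user) return { status: 401, headers: cors, body: null }; // trusted origin, no credentials
  return { status: 200, headers: cors, body: { user } };
}
```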
Demos:
- Universal Allow setting - Insecure Demo
- Access Control based on Origin Header - Insecure Demo
- Processing rogue COR - Insecure Demo
- Rejecting rogue COR - Secure Demo