How to Prevent Data Leakage on Your Website

If you are already familiar with the concept of data leakage, you are likely also familiar with its consequences. But what about the mechanics behind it? And even more importantly, how do you prevent it?

These are the two questions we will explore in this blog post so that you learn how to effectively prevent data leakage on your website.

To answer this question, we first need to understand how the average modern website works. If we take a look at the latest statistics, we see that around 70% of all the scripts running on the average website come from third parties. This means that only 30% of the website’s code is written and maintained internally by the company. And if we zoom into this first-party code, we’ll find that it’s often composed of JavaScript frameworks and libraries like React and Angular—which themselves are developed and maintained by third parties.

These hundreds of pieces of third-party code lead to a complex supply chain, creating a huge security blindspot for companies that could potentially be leveraged by attackers to leak data.

But how exactly can attackers achieve this?

One key thing about third-party scripts is that they have the same power as all your first-party code. They can access any type of data, tamper with your existing code, and even tamper with how your users interact with your website. Hence the problem of the web supply chain.

From code libraries to third-party services like chatbots and much more, when you add up all these pieces of external code, you quickly get to the point where you have little to no visibility over what code you’re actually running on your website.

The major issue comes because websites are constantly handling very sensitive information like credit card details, social security numbers, and private health information. So, when a user inputs and submits that data on any given website, it will invariably pass through the chaotic client-side. And if companies don’t have visibility over the code they are running, they can’t be sure if any of the third-party scripts ever try to intercept and leak that sensitive data.

Today, attackers are taking advantage of this security blindspot and launching web supply chain attacks. These attacks are increasingly popular because if an attacker manages to change a third-party script, they can basically inject arbitrary code into a website and do whatever they want. Plus, that code will affect all the users on that website and all the other websites that are using that script.

Web supply chain attacks are also popular because attackers don't have to directly target the main website. They can go after its weakest link—the third-party vendor that is being used in the page—and leverage the fact that they might have fewer resources dedicated to security.

The first step to preventing data leakage is gaining visibility over what’s actually happening on the client-side. So, this means you need to monitor each individual script in real-time and know its specific behaviors. An essential aspect here is being able to know if and when a certain script is sending data out, what specific types of data, and where the data is being sent out to. Without this information, you can’t know whether a certain network connection is legitimate or an attempt to leak your users’ data.

But visibility is only part of the solution. A preventive approach to data leakage requires having control of all the different behaviors of your website scripts and being able to restrict them by default.

While approaches like using a Content Security Policy might seem to solve this problem, they are in fact insufficient to effectively tackle data leakage. Other approaches, like Web Application Firewalls or even browser defenses, also fall short.

Finding the right solution for this problem requires an in-depth security approach that provides visibility and control.

To gain visibility, a good first step is doing an inventory of all the scripts that are running on your website as well as all the network connections that they are doing. This allows getting a clear picture of how your client-side is built, what's your exposure to web supply chain risk, and how your users' data is flowing through your client-side.

You can achieve all of this by doing a complete inventory of your website for free with Jscrambler.

To gain control, you need an approach that allows you to restrict every possible behavior of your third-party scripts. Jscrambler Webpage Integrity provides a powerful and granular rules engine that gives you this level of control, while not interfering with the experience of your end-users.

You can also protect your source code against data leakage attacks by using Jscrambler's Data Exfiltration Prevention countermeasure - so that, if someone tries to debug or tamper with your source code, all network connections are immediately blocked to protect your users' data.