Anti-spam team, Confirmed users
99
edits
User:Apking/Web Security Guidelines: Difference between revisions
Jump to navigation
Jump to search
User:Apking/Web Security Guidelines (view source)
Revision as of 23:57, 15 January 2016
, 15 January 2016grammar
(Added resource loading over HTTPS) |
(grammar) |
||
| Line 130: | Line 130: | ||
== Resource Loading == | == Resource Loading == | ||
All resources — whether on the same origin or not — should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and “mixed content” warnings. | All resources — whether on the same origin or not — should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and “mixed content” warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users. | ||
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment. | Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment. | ||
| Line 330: | Line 330: | ||
= CSRF Prevention = | = CSRF Prevention = | ||
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might | Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this: | ||
<pre><!-- Attempt to delete a user's account --> | <pre><!-- Attempt to delete a user's account --> | ||