(Formatting) | (Linkify cheat sheet)
Line 367: | Line 367: | ||
= X-XSS-Protection = | = X-XSS-Protection = | ||
X-XSS-Protection is an feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives. | <tt>X-XSS-Protection</tt> is an feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives. | ||
== Examples == | == Examples == | ||
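Review bot: the typo "an feature of Internet Explorer and Chrome" in the X-XSS-Protection paragraph is carried unchanged into the new revision; since this edit already touches that line to wrap the header name in <tt>, it should also correct it to "a feature". The rest of the sentence ("New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives") matches the cheat-sheet row below, so only the article needs fixing.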
Line 388: | Line 388: | ||
| Initial document creation | | Initial document creation | ||
|} | |} | ||
Line 398: | Line 399: | ||
! Notes | ! Notes | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| HTTPS | | [[#HTTPS|<span style="color: black;">HTTPS</span>]] | ||
| Mandatory | | Mandatory | ||
| Use the most secure TLS configuration for your userbase | | Use the most secure TLS configuration for your userbase | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| HTTP Strict Transport Security | | style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]] | ||
| Mandatory for all websites | | Mandatory for all websites | ||
| Minimum allowed time period of six months | | Minimum allowed time period of six months | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| HTTP Redirections | | style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]] | ||
| Mandatory | | Mandatory | ||
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely | | Websites must redirect to HTTPS, API endpoints should disable HTTP entirely | ||
|- style="background-color: #E99696;" | |- style="background-color: #E99696;" | ||
| HTTP Public Key Pinning | | style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]] | ||
| Mandatory for critical risk sites only | | Mandatory for critical risk sites only | ||
| Not recommended for most sites | | Not recommended for most sites | ||
|- style="background-color: #E8E27A;" | |- style="background-color: #E8E27A;" | ||
| Content Security Policy | | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]] | ||
| Mandatory for new websites<br>Recommended for existing websites | | Mandatory for new websites<br>Recommended for existing websites | ||
| Disabling inline script is the highest priority for CSP | | Disabling inline script is the highest priority for CSP | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| Cookies | | [[#Cookies|<span style="color: black;">Cookies</span>]] | ||
| Mandatory | | Mandatory | ||
| All cookies must be set with Secure, and set as restrictively as possible | | All cookies must be set with Secure, and set as restrictively as possible | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| Cross-origin Resource Sharing | | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]] | ||
| Mandatory | | Mandatory | ||
| Origin sharing headers and files should not be present, except for specific use cases | | Origin sharing headers and files should not be present, except for specific use cases | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| Cross-site Request Forgery<br>Tokenization | | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery<br>Tokenization</span>]] | ||
| Mandatory for certain websites | | Mandatory for certain websites | ||
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites | | Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites | ||
|- style="background-color: #CCCCCC;" | |- style="background-color: #CCCCCC;" | ||
| robots.txt | | [[#robots.txt|<span style="color: black;">robots.txt</span>]] | ||
| Optional | | Optional | ||
| Websites that implement robots.txt must use it only for noted purposes | | Websites that implement robots.txt must use it only for noted purposes | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| Subresource Integrity | | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]] | ||
| Mandatory | | Mandatory | ||
| Mandatory for all websites that load JavaScript or stylesheets from non-Mozilla sources | | Mandatory for all websites that load JavaScript or stylesheets from non-Mozilla sources | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| X-Content-Type-Options | | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]] | ||
| Mandatory for all websites | | Mandatory for all websites | ||
| Websites should verify that they are setting the proper MIME types for all resources | | Websites should verify that they are setting the proper MIME types for all resources | ||
|- style="background-color: #9EDB58;" | |- style="background-color: #9EDB58;" | ||
| X-Frame-Options | | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]] | ||
| Mandatory for all websites | | Mandatory for all websites | ||
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses | | Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses | ||
|- style="background-color: #E8E27A;" | |- style="background-color: #E8E27A;" | ||
| X-XSS-Protection | | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]] | ||
| Mandatory for all new websites<br>Recommended for existing websites | | Mandatory for all new websites<br>Recommended for existing websites | ||
| Manual testing should be done for existing websites, prior to implementation | | Manual testing should be done for existing websites, prior to implementation | ||
|} | |} |
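Review bot: the Cross-site Request Forgery row is the only one whose link target does not match its visible label: it links to [[#CSRF Prevention|...]] while the cell reads "Cross-site Request Forgery Tokenization", whereas every other row (HTTPS, HTTP Strict Transport Security, HTTP Redirections, Content Security Policy, and so on) links to an anchor spelled exactly like its label. Confirm that the body section heading is literally "CSRF Prevention"; MediaWiki derives section anchors from the heading text and browsers match fragments case-sensitively, so a mismatch silently yields a link that scrolls nowhere. Two smaller points: the <br> placed inside that link label ([[#CSRF Prevention|<span ...>Cross-site Request Forgery<br>Tokenization</span>]]) should be checked in preview, and the <span style="color: black;"> repeated on all twelve linked cells would be easier to maintain as a single class on the table.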