Gdestuynder (talk | contribs) (Add standard doc status) |
(more tweaks) |
||
(10 intermediate revisions by the same user not shown) | |||
Line 26: | Line 26: | ||
<li>[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]</li> | <li>[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]</li> | ||
<li>[[#CSRF Prevention|7 CSRF Prevention]]</li> | <li>[[#CSRF Prevention|7 CSRF Prevention]]</li> | ||
<li>[[#robots.txt| | <li>[[#Referrer Policy|8 Referrer Policy]]</li> | ||
<li>[[#Subresource Integrity| | <li>[[#robots.txt|9 robots.txt]]</li> | ||
<li>[[#X-Content-Type-Options| | <li>[[#Subresource Integrity|10 Subresource Integrity]]</li> | ||
<li>[[#X-Frame-Options| | <li>[[#X-Content-Type-Options|11 X-Content-Type-Options]]</li> | ||
<li>[[#X-XSS-Protection| | <li>[[#X-Frame-Options|12 X-Frame-Options]]</li> | ||
<li>[[#Version History| | <li>[[#X-XSS-Protection|13 X-XSS-Protection]]</li> | ||
<li>[[#Version History|14 Version History]]</li> | |||
</ul> | </ul> | ||
</div> | </div> | ||
</td> | </td> | ||
<td style="vertical-align: top; padding: 1em 0 0 1.5em;"> | <td style="vertical-align: top; padding: 1em 0 0 1.5em;"> | ||
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged. | The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged. | ||
Line 43: | Line 42: | ||
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github]. | Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github]. | ||
<div style="text-align: center;">'''STATUS: <span style="background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">READY</span>'''</div> | |||
</td> | </td> | ||
</tr> | </tr> | ||
Line 54: | Line 57: | ||
|- style="background-color: #aaaaaa;" | |- style="background-color: #aaaaaa;" | ||
! data-sort-type="number" | Guideline | ! data-sort-type="number" | Guideline | ||
! data-sort-type="number" | Security Benefit | ! data-sort-type="number" | Security<br>Benefit | ||
! data-sort-type="number" | Implementation Difficulty | ! data-sort-type="number" | Implementation<br>Difficulty | ||
! data-sort-type="number" | Order<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">†</sup> | ! data-sort-type="number" | Order<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">†</sup> | ||
! Requirements | ! Requirements | ||
Line 61: | Line 64: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="1" | [[#HTTPS|<span style="color: black;">HTTPS</span>]] | | data-sort-value="1" | [[#HTTPS|<span style="color: black;">HTTPS</span>]] | ||
| data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Maximum</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span> | ||
| style="text-align: center;" data-sort-value="0" | | | style="text-align: center;" data-sort-value="0" | | ||
| Mandatory | | Mandatory | ||
Line 68: | Line 71: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="2" style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]] | | data-sort-value="2" style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Maximum</span> | ||
| style="text-align: center;" data-sort-value="99" | -- | | style="text-align: center;" data-sort-value="99" | -- | ||
| Mandatory for maximum risk sites only | | Mandatory for maximum risk sites only | ||
Line 75: | Line 78: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="3" style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]] | | data-sort-value="3" style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]] | ||
| data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Maximum</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| style="text-align: center;" | 3 | | style="text-align: center;" | 3 | ||
| Mandatory | | Mandatory | ||
Line 82: | Line 85: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="4" style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]] | | data-sort-value="4" style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]] | ||
| data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Maximum</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| style="text-align: center;" | 2 | | style="text-align: center;" | 2 | ||
| Mandatory for all websites | | Mandatory for all websites | ||
Line 89: | Line 92: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="5" style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]] | | data-sort-value="5" style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">High</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| style="text-align: center;" | 4 | | style="text-align: center;" | 4 | ||
| Mandatory for all websites | | Mandatory for all websites | ||
Line 96: | Line 99: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="6" style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]] | | data-sort-value="6" style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]] | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span> | ||
| style="text-align: center;" | 1 | | style="text-align: center;" | 1 | ||
| Mandatory | | Mandatory | ||
Line 103: | Line 106: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="7" | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]] | | data-sort-value="7" | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]] | ||
| data-sort-value="3" style="text-align: center;" |<span style="background-color: #ffd351; border-radius: .25em; color: # | | data-sort-value="3" style="text-align: center;" |<span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">High</span> | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">High</span> | ||
| style="text-align: center;" | 10 | | style="text-align: center;" | 10 | ||
| Mandatory for new websites<br>Recommended for existing websites | | Mandatory for new websites<br>Recommended for existing websites | ||
Line 110: | Line 113: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="8" | [[#Cookies|<span style="color: black;">Cookies</span>]] | | data-sort-value="8" | [[#Cookies|<span style="color: black;">Cookies</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">High</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span> | ||
| style="text-align: center;" | 7 | | style="text-align: center;" | 7 | ||
| Mandatory for all new websites<br>Recommended for existing websites | | Mandatory for all new websites<br>Recommended for existing websites | ||
Line 117: | Line 120: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="9" | [[#contribute.json|<span style="color: black;">contribute.json</span>]] | | data-sort-value="9" | [[#contribute.json|<span style="color: black;">contribute.json</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| style="text-align: center;" | 9 | | style="text-align: center;" | 9 | ||
| Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites | | Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites | ||
Line 124: | Line 127: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="10" | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]] | | data-sort-value="10" | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">High</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| style="text-align: center;" | 11 | | style="text-align: center;" | 11 | ||
| Mandatory | | Mandatory | ||
Line 131: | Line 134: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="11" | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]] | | data-sort-value="11" | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">High</span> | ||
| data-sort-value="99" style="text-align: center;" | <span style="background-color: #ffffff; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="99" style="text-align: center;" | <span style="background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Unknown</span> | ||
| style="text-align: center;" | 6 | | style="text-align: center;" | 6 | ||
| Varies | | Varies | ||
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation | | Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation | ||
|- style="background-color: #ffffff;" | |||
| data-sort-value="11" | [[#Referrer Policy|<span style="color: black;">Referrer Policy</span>]] | |||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | |||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | |||
| style="text-align: center;" | 12 | |||
| Recommended for all websites | |||
| Improves privacy for users, prevents the leaking of internal URLs via <tt>Referer</tt> header | |||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]] | | data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| style="text-align: center;" | | | style="text-align: center;" | 14 | ||
| Optional | | Optional | ||
| Websites that implement robots.txt must use it only for noted purposes | | Websites that implement robots.txt must use it only for noted purposes | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="13" | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]] | | data-sort-value="13" | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]] | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span> | ||
| style="text-align: center;" | | | style="text-align: center;" | 15 | ||
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> | | Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> | ||
| <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> Only for websites that load JavaScript or stylesheets from foreign origins | | <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> Only for websites that load JavaScript or stylesheets from foreign origins | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="14" | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]] | | data-sort-value="14" | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| style="text-align: center;" | 8 | | style="text-align: center;" | 8 | ||
| Recommended for all websites | | Recommended for all websites | ||
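Review bot: the new Referrer Policy row reuses `data-sort-value="11"` on its Guideline cell, the same value the preceding CSRF row already carries, while the rows that follow keep their old values of 12 (robots.txt), 13 (Subresource Integrity) and 14 (X-Content-Type-Options), so sorting the Guideline column will place CSRF and Referrer Policy in an arbitrary order. Give the Referrer Policy row `data-sort-value="12"` and shift every later row up by one (the X-Frame-Options and X-XSS-Protection rows in the following hunk included, to 16 and 17). The Order column itself is consistent after this revision: the cells that were previously blank now read 12, 14 and 15, and 13 goes to X-XSS-Protection further down, so each of 1 through 15 appears exactly once.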
Line 159: | Line 169: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="15" | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]] | | data-sort-value="15" | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">High</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| style="text-align: center;" | 5 | | style="text-align: center;" | 5 | ||
| Mandatory for all websites | | Mandatory for all websites | ||
Line 166: | Line 176: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="16" | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]] | | data-sort-value="16" | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span> | ||
| style="text-align: center;" | | | style="text-align: center;" | 13 | ||
| Mandatory for all new websites<br>Recommended for existing websites | | Mandatory for all new websites<br>Recommended for existing websites | ||
| Manual testing should be done for existing websites, prior to implementation | | Manual testing should be done for existing websites, prior to implementation | ||
Line 292: | Line 302: | ||
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning] | * [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning] | ||
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins | * [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins | ||
== Resource Loading == | == Resource Loading == | ||
Line 328: | Line 337: | ||
* Aiming for <tt>default-src: https:</tt> is a great first goal, as it disables inline code and requires https. | * Aiming for <tt>default-src: https:</tt> is a great first goal, as it disables inline code and requires https. | ||
* For existing websites with large codebases that would require too much work to disable inline scripts, <tt>default-src: https: 'unsafe-inline'</tt> is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection. | * For existing websites with large codebases that would require too much work to disable inline scripts, <tt>default-src: https: 'unsafe-inline'</tt> is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection. | ||
* | * It is recommended to start with a reasonably locked down policy such as <tt>default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'</tt> and then add in sources as revealed during testing. | ||
* In lieu of the preferred HTTP header, pages can instead include a <tt><meta http-equiv="Content-Security-Policy" content="…"></tt> tag. If they do, it should be the first <tt><meta></tt> tag that appears inside <tt><head></tt>. | * In lieu of the preferred HTTP header, pages can instead include a <tt><meta http-equiv="Content-Security-Policy" content="…"></tt> tag. If they do, it should be the first <tt><meta></tt> tag that appears inside <tt><head></tt>. | ||
* Care needs to be taken with <tt> | * Care needs to be taken with <tt>data:</tt> URIs, as these are unsafe inside <tt>script-src</tt> and <tt>object-src</tt> (or inherited from <tt>default-src</tt>). | ||
* Similarly, the use of <tt>script-src 'self'</tt> can be unsafe for sites with JSONP endpoints. These sites should use a <tt>script-src</tt> that includes the path to their JavaScript source folder(s). | |||
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with <tt>object-src 'none'</tt>. | |||
* Sites should ideally use the <tt>report-uri</tt> directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly. | * Sites should ideally use the <tt>report-uri</tt> directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly. | ||
* Prior to implementation, it is recommended to use the <tt>Content-Security-Policy-Report-Only</tt> HTTP header, to see if any violations would have occured with that policy. | * Prior to implementation, it is recommended to use the <tt>Content-Security-Policy-Report-Only</tt> HTTP header, to see if any violations would have occured with that policy. | ||
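Review bot: the first two bullets write the directive as <tt>default-src: https:</tt>, with a colon after the directive name; CSP separates a directive name from its source list with whitespace only, so a header written that way is parsed as an unknown directive and enforces nothing. Suggest <tt>default-src https:</tt> and <tt>default-src https: 'unsafe-inline'</tt>, matching the Examples section. The last bullet also has "occured" for "occurred".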
Line 336: | Line 347: | ||
== Examples == | == Examples == | ||
<pre># Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https | <pre># Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https | ||
# Note that this does not provide any XSS protection | |||
Content-Security-Policy: default-src https:</pre> | Content-Security-Policy: default-src https:</pre> | ||
Line 342: | Line 354: | ||
<meta http-equiv="Content-Security-Policy" content="default-src https:"></pre> | <meta http-equiv="Content-Security-Policy" content="default-src https:"></pre> | ||
<pre># Disable the use of unsafe inline/eval, allow everything else | <pre># Disable the use of unsafe inline/eval, allow everything else except plugin execution | ||
Content-Security-Policy: *</pre> | Content-Security-Policy: default-src *; object-src 'none'</pre> | ||
<pre># Disable unsafe inline/eval, only load resources from same origin | <pre># Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur | ||
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com</pre> | # Also disables the execution of plugins | ||
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'</pre> | |||
<pre># Disable unsafe inline/eval, only load | <pre># Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google, | ||
Content-Security-Policy: default-src ' | # and images from same origin and imgur. Sites should aim for policies like this. | ||
Content-Security-Policy: default-src 'none'; font-src 'https://fonts.googleapis.com'; | |||
img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'</pre> | |||
<pre># Pre-existing site uses too much inline code to fix | <pre># Pre-existing site that uses too much inline code to fix | ||
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'</pre> | # but wants to ensure resources are loaded only over https and disable plugins | ||
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'</pre> | |||
<pre># Don't implement the above policy yet; instead just report violations that would have occured | <pre># Don't implement the above policy yet; instead just report violations that would have occured | ||
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/</pre> | Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/</pre> | ||
<pre># Disable the loading of any resources and disable framing, recommended for APIs to use | |||
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'</pre> | |||
== See Also == | == See Also == | ||
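Review bot: in the "Sites should aim for policies like this" example, <tt>font-src 'https://fonts.googleapis.com'</tt> wraps a host in single quotes; in CSP only keywords such as <tt>'self'</tt> and <tt>'none'</tt> are quoted, a quoted host is not a recognised source expression and is dropped, and the fonts would then be blocked. Suggest the unquoted <tt>font-src https://fonts.googleapis.com</tt>, consistent with <tt>img-src 'self' https://i.imgur.com</tt> on the next line. The report-only example's comment also has "occured" for "occurred".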
Line 361: | Line 380: | ||
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy] | * [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy] | ||
* [http://www.cspplayground.com/ Content Security Policy Playground] | * [http://www.cspplayground.com/ Content Security Policy Playground] | ||
* [ | * [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard] | ||
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]] | |||
= contribute.json = | = contribute.json = | ||
Line 370: | Line 389: | ||
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, <tt>contribute.json</tt> is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects. | Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, <tt>contribute.json</tt> is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects. | ||
Require subkeys include <tt>name</tt>, <tt>description</tt>, <tt>bugs</tt>, <tt>participate</tt> (particularly <tt>irc</tt> and <tt>irc- | Require subkeys include <tt>name</tt>, <tt>description</tt>, <tt>bugs</tt>, <tt>participate</tt> (particularly <tt>irc</tt> and <tt>irc-contacts</tt>), and <tt>urls</tt>. | ||
== Examples == | == Examples == | ||
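Review bot: "Require subkeys include" on the changed line should read "Required subkeys include". The preceding paragraph also has "find testable of websites" (stray "of") and "where where in Bugzilla".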
Line 418: | Line 437: | ||
* [https://www.contributejson.org/ The contribute.json Standard] | * [https://www.contributejson.org/ The contribute.json Standard] | ||
= Cookies = | = Cookies = | ||
Line 525: | Line 543: | ||
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention] | * [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention] | ||
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet] | * [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet] | ||
= Referrer Policy = | |||
When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP <tt>Referer</tt> (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk. HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP <tt>Referer</tt> header. | |||
In normal operation, if a page at https://example.com/page.html contains <tt><nowiki><img src="https://not.example.com/image.jpg"></nowiki></tt>, then the browser will send a request like this: | |||
<pre>GET /image.jpg HTTP/1.1 | |||
Host: not.example.com | |||
Referer: https://example.com/page.html</pre> | |||
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the <tt>Referer</tt> header or reduce the amount of information that it contains. | |||
== Directives == | |||
* <tt>no-referrer</tt>: never send the <tt>Referer</tt> header | |||
* <tt>same-origin</tt>: send referrer, but only on requests to the same origin | |||
* <tt>strict-origin</tt>: send referrer to all origins, but only the URL sans path (e.g. https://example.com/) | |||
* <tt>strict-origin-when-cross-origin</tt>: send full referrer on same origin, URL sans path on foreign origin | |||
== Notes == | |||
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above. | |||
<tt>no-referrer-when-downgrade</tt> is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation. | |||
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports <tt>no-referrer</tt> from the directives above, and Firefox awaits full support with Firefox 52. | |||
== Examples == | |||
<pre># On example.com, only send the Referer header when loading or linking to other example.com resources | |||
Referrer-Policy: same-origin | |||
# Only send the shortened referrer to a foreign origin, full referrer to a local host | |||
Referrer-Policy: strict-origin-when-cross-origin | |||
# Disable referrers for browsers that don't support strict-origin-when-cross-origin | |||
# Uses strict-origin-when-cross-origin for browsers that do | |||
Referrer-Policy: no-referrer, strict-origin-when-cross-origin | |||
# Do the same, but with a meta tag | |||
<meta http-equiv="Referrer-Policy" content="no-referrer, strict-origin-when-cross-origin"> | |||
# Do the same, but only for a single link | |||
<a href="https://mozilla.org/" referrerpolicy="no-referrer, strict-origin-when-cross-origin"></pre> | |||
== See Also == | |||
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard] | |||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy] | |||
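Review bot: the last two examples are not valid deliveries of the fallback list. The <tt>referrerpolicy</tt> content attribute takes a single policy keyword, not the comma-separated list that the <tt>Referrer-Policy</tt> header accepts, and an unrecognised value falls back to the default policy, so <tt>referrerpolicy="no-referrer, strict-origin-when-cross-origin"</tt> yields no protection at all; suggest showing a single value such as <tt>referrerpolicy="no-referrer"</tt> for the per-link form. Likewise the meta form defined by the standard linked below is <tt><meta name="referrer" content="…"></tt>, not an <tt>http-equiv="Referrer-Policy"</tt> pragma, and it too carries one policy value. Separately, the <tt>strict-origin</tt> and <tt>strict-origin-when-cross-origin</tt> bullets omit what "strict" adds over the non-strict variants: no <tt>Referer</tt> is sent at all when navigating from HTTPS to HTTP.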
Line 590: | Line 658: | ||
= X-Content-Type-Options = | = X-Content-Type-Options = | ||
<tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer and | <tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the <tt>X-Content-Type-Options</tt> header and the appropriate MIME types for files that they serve. | ||
== Examples == | == Examples == | ||
<pre># Prevent | <pre># Prevent browsers from incorrectly detecting non-scripts as scripts | ||
X-Content-Type-Options: nosniff</pre> | X-Content-Type-Options: nosniff</pre> | ||
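Review bot: on the changed line, "a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load" now refers back to three browsers, so "tells them"; the following sentence already uses "these browsers".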
Line 601: | Line 669: | ||
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks] | * [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks] | ||
= X-Frame-Options = | |||
<tt>X-Frame-Options</tt> is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the <tt>X-Frame-Options</tt> header is mandatory for all new websites, and all existing websites are expected to add support for <tt>X-Frame-Options</tt> as soon as possible. | |||
<tt>X-Frame-Options</tt> | Note that <tt>X-Frame-Options</tt> has been superceded by the Content Security Policy's <tt>frame-ancestors</tt> directive, which allows considerably more granular control over the origins allowed to frame a site. As <tt>frame-ancestors</tt> is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ <tt>X-Frame-Options</tt> in addition to using CSP. | ||
Sites that require the ability to be iframed must either | Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins. | ||
== Directives == | == Directives == | ||
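Review bot: "superceded" in the new paragraph should be "superseded", and "must use either Content Security Policy and/or employ JavaScript defenses" mixes "either" with "and/or"; suggest "must use Content Security Policy and/or JavaScript defenses to prevent clickjacking". The opening sentence also switches from "sites" to "your site" mid-sentence ("allows sites control over how your site may be framed").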
Line 612: | Line 681: | ||
* <tt>DENY</tt>: disallow allow attempts to iframe site (recommended) | * <tt>DENY</tt>: disallow allow attempts to iframe site (recommended) | ||
* <tt>SAMEORIGIN</tt>: allow the site to iframe itself | * <tt>SAMEORIGIN</tt>: allow the site to iframe itself | ||
* <tt>ALLOW-FROM <em>uri</em></tt>: | * <tt>ALLOW-FROM <em>uri</em></tt>: deprecated; instead use CSP's <tt>frame-ancestors</tt> directive | ||
== Examples == | == Examples == | ||
<pre># Block site from being | <pre># Block site from being framed with X-Frame-Options and CSP | ||
Content-Security-Policy: frame-ancestors 'none' | |||
X-Frame-Options: DENY</pre> | X-Frame-Options: DENY</pre> | ||
<pre># Only allow my site to frame itself | <pre># Only allow my site to frame itself | ||
Content-Security-Policy: frame-ancestors 'self' | |||
X-Frame-Options: SAMEORIGIN</pre> | X-Frame-Options: SAMEORIGIN</pre> | ||
<pre># Allow only framer.mozilla.org to frame site | |||
# Note that this blocks framing from browsers that don't support CSP2+ | |||
Content-Security-Policy: frame-ancestors https://framer.mozilla.org | |||
X-Frame-Options: DENY</pre> | |||
== See Also == | == See Also == | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options] | ||
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on 'frame-ancestors'] | |||
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet] | * [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet] | ||
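Review bot: the DENY bullet reads "disallow allow attempts to iframe site"; drop the stray "allow". In the framer.mozilla.org example, pairing <tt>frame-ancestors https://framer.mozilla.org</tt> with <tt>X-Frame-Options: DENY</tt> only works because browsers that understand <tt>frame-ancestors</tt> ignore <tt>X-Frame-Options</tt> when both are present (the CSP2 text linked below); the comment should say so, otherwise readers may expect the two headers to be combined and DENY to win everywhere.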
Line 630: | Line 707: | ||
= X-XSS-Protection = | = X-XSS-Protection = | ||
<tt>X-XSS-Protection</tt> is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New | <tt>X-XSS-Protection</tt> is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (<tt>'unsafe-inline'</tt>), they can still provide protections for users of older web browsers that don't yet support CSP. | ||
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header. | |||
== Examples == | == Examples == | ||
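Review bot: the changed sentence "New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites" reads as self-contradictory, since "should" and "recommended" express the same strength. Suggest making the distinction explicit, e.g. "New websites should use this header; for existing sites it is recommended rather than required, given the small risk of false positives."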
Line 643: | Line 722: | ||
{| class="wikitable" style="width: 100%;" | {| class="wikitable" style="width: 100%;" | ||
|- | |- | ||
! scope="col" style="width: | ! scope="col" style="width: 8em;" | Date | ||
! scope="col" style="width: 6em;" | Editor | ! scope="col" style="width: 6em;" | Editor | ||
! Changes | ! Changes | ||
|- | |- | ||
| align="center" | | | style="padding-left: .5em; text-align: left;" | November, 2016 | ||
| align="center" | April | |||
| style="padding-left: .5em;" | Added Referrer Policy, tidied up XFO examples | |||
|- | |||
| style="padding-left: .5em; text-align: left;" | October, 2016 | |||
| align="center" | April | |||
| style="padding-left: .5em;" | Updates to CSP recommendations | |||
|- | |||
| style="padding-left: .5em; text-align: left;" | July, 2016 | |||
| align="center" | April | |||
| style="padding-left: .5em;" | Updates to CSP for APIs, and CSP's deprecation of XFO, and XXSSP | |||
|- | |||
| style="padding-left: .5em; text-align: left;" | February, 2016 | |||
| align="center" | April | | align="center" | April | ||
| Initial document creation | | style="padding-left: .5em;" | Initial document creation | ||
|} | |} |