(add colors to chart) |
Gdestuynder (talk | contribs) (Color test following https://wiki.mozilla.org/Security/Standard_Levels) |
Line 52: | Line 52: | ||
|- style="background-color: #aaaaaa;" | |- style="background-color: #aaaaaa;" | ||
! data-sort-type="number" | Guideline | ! data-sort-type="number" | Guideline | ||
! data-sort-type="number" | Benefit | ! data-sort-type="number" | Security Benefit | ||
! data-sort-type="number" | Difficulty | ! data-sort-type="number" | Implementation Difficulty | ||
! data-sort-type="number" | Order<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">†</sup> | ! data-sort-type="number" | Order<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">†</sup> | ||
! Requirements | ! Requirements | ||
Line 59: | Line 59: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="1" | [[#HTTPS|<span style="color: black;">HTTPS</span>]] | | data-sort-value="1" | [[#HTTPS|<span style="color: black;">HTTPS</span>]] | ||
| data-sort-value="4" style="text-align: center;" | <span style="background-color: # | | data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MAXIMUM</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MEDIUM</span> | ||
| style="text-align: center;" data-sort-value="0" | | | style="text-align: center;" data-sort-value="0" | | ||
| Mandatory | | Mandatory | ||
Line 66: | Line 66: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="2" style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]] | | data-sort-value="2" style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;"> | | data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MAXIMUM</span> | ||
| style="text-align: center;" data-sort-value="99" | -- | | style="text-align: center;" data-sort-value="99" | -- | ||
| Mandatory for maximum risk sites only | | Mandatory for maximum risk sites only | ||
Line 73: | Line 73: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="3" style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]] | | data-sort-value="3" style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]] | ||
| data-sort-value="4" style="text-align: center;" | <span style="background-color: # | | data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MAXIMUM</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| style="text-align: center;" | 3 | | style="text-align: center;" | 3 | ||
| Mandatory | | Mandatory | ||
Line 80: | Line 80: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="4" style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]] | | data-sort-value="4" style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]] | ||
| data-sort-value="4" style="text-align: center;" | <span style="background-color: # | | data-sort-value="4" style="text-align: center;" | <span style="background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MAXIMUM</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| style="text-align: center;" | 2 | | style="text-align: center;" | 2 | ||
| Mandatory for all websites | | Mandatory for all websites | ||
Line 87: | Line 87: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="5" style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]] | | data-sort-value="5" style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| style="text-align: center;" | 4 | | style="text-align: center;" | 4 | ||
| Mandatory for all websites | | Mandatory for all websites | ||
Line 94: | Line 94: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="6" style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]] | | data-sort-value="6" style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]] | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: # | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MEDIUM</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MEDIUM</span> | ||
| style="text-align: center;" | 1 | | style="text-align: center;" | 1 | ||
| Mandatory | | Mandatory | ||
Line 101: | Line 101: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="7" | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]] | | data-sort-value="7" | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: # | | data-sort-value="3" style="text-align: center;" |<span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | ||
| style="text-align: center;" | 10 | | style="text-align: center;" | 10 | ||
| Mandatory for new websites<br>Recommended for existing websites | | Mandatory for new websites<br>Recommended for existing websites | ||
Line 108: | Line 108: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="8" | [[#Cookies|<span style="color: black;">Cookies</span>]] | | data-sort-value="8" | [[#Cookies|<span style="color: black;">Cookies</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MEDIUM</span> | ||
| style="text-align: center;" | 7 | | style="text-align: center;" | 7 | ||
| Mandatory for all new websites<br>Recommended for existing websites | | Mandatory for all new websites<br>Recommended for existing websites | ||
Line 115: | Line 115: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="9" | [[#contribute.json|<span style="color: black;">contribute.json</span>]] | | data-sort-value="9" | [[#contribute.json|<span style="color: black;">contribute.json</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| style="text-align: center;" | 9 | | style="text-align: center;" | 9 | ||
| Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites | | Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites | ||
Line 122: | Line 122: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="10" | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]] | | data-sort-value="10" | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| style="text-align: center;" | 11 | | style="text-align: center;" | 11 | ||
| Mandatory | | Mandatory | ||
Line 129: | Line 129: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="11" | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]] | | data-sort-value="11" | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | ||
| data-sort-value="99" style="text-align: center;" | <span style="background-color: # | | data-sort-value="99" style="text-align: center;" | <span style="background-color: #ffffff; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">UNKNOWN</span> | ||
| style="text-align: center;" | 6 | | style="text-align: center;" | 6 | ||
| Varies | | Varies | ||
Line 136: | Line 136: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]] | | data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| style="text-align: center;" | 13 | | style="text-align: center;" | 13 | ||
| Optional | | Optional | ||
Line 143: | Line 143: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="13" | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]] | | data-sort-value="13" | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]] | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: # | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MEDIUM</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MEDIUM</span> | ||
| style="text-align: center;" | 14 | | style="text-align: center;" | 14 | ||
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> | | Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">‡</sup> | ||
Line 150: | Line 150: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="14" | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]] | | data-sort-value="14" | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| style="text-align: center;" | 8 | | style="text-align: center;" | 8 | ||
| Recommended for all websites | | Recommended for all websites | ||
Line 157: | Line 157: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="15" | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]] | | data-sort-value="15" | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]] | ||
| data-sort-value="3" style="text-align: center;" | <span style="background-color: # | | data-sort-value="3" style="text-align: center;" | <span style="background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">HIGH</span> | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| style="text-align: center;" | 5 | | style="text-align: center;" | 5 | ||
| Mandatory for all websites | | Mandatory for all websites | ||
Line 164: | Line 164: | ||
|- style="background-color: #ffffff;" | |- style="background-color: #ffffff;" | ||
| data-sort-value="16" | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]] | | data-sort-value="16" | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]] | ||
| data-sort-value="1" style="text-align: center;" | <span style="background-color: # | | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">LOW</span> | ||
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;"> | | data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">MEDIUM</span> | ||
| style="text-align: center;" | 12 | | style="text-align: center;" | 12 | ||
| Mandatory for all new websites<br>Recommended for existing websites | | Mandatory for all new websites<br>Recommended for existing websites |