Web security

Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can result in private information being leaked, and malicious actors are actively looking for ways to steal data. These articles provide information that may help you secure your code.

Information Security Basics
Understanding security basics helps you understand the role and importance of security throughout the web development lifecycle. This will help you avoid shipping unnecessarily insecure software that allows attackers to exploit weaknesses for financial gain or other malicious purposes. The following articles provide some basic web security theory and definitions.
Insecure passwords
The HTTPS protocol is designed to protect user data from eavesdropping (confidentiality) and from modification (integrity) on the network. Websites that handle user data should use HTTPS to protect their users from attackers. If a website uses HTTP instead of HTTPS, it is trivial to steal user information (such as their login credentials). This was famously demonstrated by Firesheep.
Mixed content
When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from sniffers and man-in-the-middle attacks. If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted; the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, so the connection is not safeguarded. When a web page exhibits this behavior, it is called a mixed content page.
Same-origin policy
The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.
Secure Contexts
A browser enters a secure context when the page has met the minimum requirements for being considered secure. Secure contexts allow the browser to expose APIs that should only be permitted when content is delivered securely to the user.
Securing your site
There are a number of things you can do to help secure your site. This article offers an assortment of suggestions, as well as links to other articles providing more useful information.
Site Identity Button
The Site Identity Button is a feature in Firefox that gives users more information about the sites they visit.
Subresource Integrity
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
Transport Layer Security
Choosing the proper cipher suites and parameters in Transport Layer Security (TLS) is essential. It helps maintain the confidentiality and integrity of communications between client and server systems. The Mozilla Operations Security (OpSec) team maintains a wiki entry with reference TLS configurations.
Weak Signature Algorithm
The strength of the hash algorithm used in signing a digital certificate is a critical element of the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can create or obtain fraudulent certificates. As new attacks are found and improvements in available technology make attacks more feasible, the use of older algorithms is discouraged and support for them is eventually removed.

Document Tags and Contributors

Contributors to this page: fscholz, jswisher, PPElite, marumari, ISOBEL, Sheppy
Last updated by: fscholz