Web security

Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can result in private information being leaked, and bad people are out there trying to find ways to steal data. These articles provide information that may help you secure your code.

CSP (Content Security Policy)
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.
HTTP Strict Transport Security
HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
Information Security Basics
Understanding security basics helps you understand the role and importance of security throughout the web development lifecycle. This will help you avoid shipping unnecessarily insecure software that lets attackers exploit weaknesses for financial gain or other malicious purposes. The following articles provide some basic web security theory and definitions.
Insecure passwords
The HTTPS protocol is designed to protect user data from eavesdropping (confidentiality) and from modification (integrity) on the network. Websites that handle user data should use HTTPS to protect their users from attackers. If a website uses HTTP instead of HTTPS, it is trivial to steal user information (such as their login credentials). This was famously demonstrated by Firesheep.
Mixed content
When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from sniffers and man-in-the-middle attacks. If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted; the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, so the connection is not safeguarded. When a web page exhibits this behavior, it is called a mixed content page.
Public Key Pinning
The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates.
Same-origin policy
The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.
Secure Contexts
A browser enters a secure context when the page meets its minimum requirements for being secure. Secure contexts let the browser expose APIs that should only be available when content is delivered to the user securely.
Securing your site
There are a number of things you can do to help secure your site. This article offers an assortment of suggestions, as well as links to other articles providing more useful information.
Site Identity Button
Subresource Integrity
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
The Do Not Track Field Guide
The Do Not Track Field Guide provides information about the DNT functionality. You can download the original version as a PDF file.
Transport Layer Security
Choosing the proper cipher suites and parameters for transport layer security (TLS) is critical. It helps maintain the confidentiality and integrity of communications between client and server systems. The Mozilla Operations Security (OpSec) team maintains a wiki entry with reference transport layer security configurations.
Weak Signature Algorithm
