Web security


Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can leak private information, and attackers are actively looking for ways to steal data. These articles provide information that may help you secure your code.

CSP (Content Security Policy)
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.
HTTP Strict Transport Security
HTTP Strict Transport Security (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
Insecure passwords
The HTTPS protocol is designed to protect user data from eavesdropping (confidentiality) and from modification (integrity) on the network. Websites that handle user data should use HTTPS to protect their users from attackers. Without it, stealing user information (such as login credentials) is trivial for anyone on the same network, as was famously demonstrated by Firesheep.
Public Key Pinning
The Public Key Pinning Extension for HTTP (HPKP) is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server to prevent MITM attacks with forged certificates. Major browsers have since removed support for HPKP; it is listed here for reference.
Same-origin policy
The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.
Securing your site
There are a number of things you can do to help secure your site. This article offers an assortment of suggestions, as well as links to other articles providing more useful information.
Site Identity Button
The Site Identity Button is a feature in Firefox that gives users more information about the sites they visit.
Subresource Integrity
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
The Do Not Track Field Guide
The Do Not Track Field Guide provides information about the DNT (Do Not Track) feature. You can download the original version as a PDF file.
Transport Layer Security
Choosing the proper cipher suites and parameters in transport layer security is essential for maintaining the confidentiality and integrity of communications between client and server systems. The Mozilla Operations Security (OpSec) team maintains a wiki entry with reference transport layer security (TLS) configurations.
Weak Signature Algorithm
The strength of the hash algorithm used in signing a digital certificate is a critical element of the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can create or obtain fraudulent certificates. As new attacks are found and improvements in available technology make attacks more feasible, the use of older algorithms is discouraged and support for them is eventually removed.

Contributors to this page: marumari, ISOBEL, Sheppy
Last updated by: marumari