Practical security implementation guides

Users frequently input sensitive data on websites, such as names, addresses, passwords, and banking details. As a web developer, it's crucial to protect this information from bad actors who use a wide range of exploits to steal such information and use it for personal gain. The focus of web security is to help you protect your website against these exploits and secure your users' sensitive data.

This page lists guides that summarize some best practices for implementing security features on websites. While these guides do not cover all possible security scenarios and cannot guarantee complete security of your website, following the information and best practices in these guides will make your sites significantly more secure.

HTTP security fundamentals

The guides in this section summarize best practices for implementing HTTP headers correctly to mitigate security issues, and are directly related to the HTTP Observatory tool.

Observatory performs security audits on a website and provides a grade and score along with recommendations for fixing the security issues it finds. These guides explain how to resolve issues surfaced by the HTTP Observatory tests: the tool links to the relevant guide for each issue, helping guide you towards an effective resolution. Interestingly, Mozilla's internal developer teams use this guidance when implementing websites to ensure that security best practices are applied.

The guides in the table below are listed in the order that we recommend implementing the security features they describe. This order is based on a combination of each feature's security impact and the ease of its implementation from both operational and developmental perspectives. The table provides information about each feature's impact, difficulty of implementation, whether or not it is required, and a brief description.

Guide Impact Difficulty Required Description
TLS configuration Medium Medium Yes Use the most secure Transport Layer Security (TLS) configuration available for your user base.
TLS: Resource loading Maximum Low Yes Load both passive and active resources via HTTPS.
TLS: HTTP redirection Maximum Low Yes Websites must redirect to HTTPS; API endpoints should disable HTTP entirely.
TLS: HSTS implementation High Low Yes Notify user agents to connect to sites only over HTTPS, even if the original scheme chosen was HTTP, by using HTTP Strict transport security (HSTS).
Clickjacking prevention High Low Yes Control how your site may be framed within an <iframe> to prevent clickjacking.
CSRF prevention High Unknown Varies Protect against Cross-site request forgery (CSRF) using SameSite cookies and anti-CSRF tokens.
Secure cookie configuration High Medium Yes Set all cookies as restrictively as possible.
CORP implementation High Medium Yes Protect against speculative side-channel attacks by using Cross-Origin Resource Policy (CORP).
MIME type verification Low Low No Verify that all your websites are setting the proper MIME types for all resources.
CSP implementation High High Yes Provide fine-grained control over the code that can be loaded on a site and what it is allowed to do with a Content Security Policy (CSP), thereby mitigating Cross-site scripting (XSS) vulnerabilities.
CORS configuration High Low Yes Define the non-same origins that are allowed to access the content of pages and have resources loaded from them by using Cross-Origin Resource Sharing (CORS).
Referrer policy configuration Low Low Yes Improve privacy for users and prevent leaking of internal URLs via the Referer header.
robots.txt configuration Low Low No Tell robots (such as search engine indexers) how to behave by instructing them not to crawl certain paths on the website.
SRI implementation Low Low No Verify that fetched resources (for example, from a CDN) are delivered without unexpected manipulation by using Subresource Integrity (SRI).

User information security

How to turn off form autocompletion

Form fields support autocompletion; that is, their values can be remembered and automatically filled out next time a user visits your site. For certain types of data, you may wish to disable this feature; this article explains how.

See also