Note: This article is a work in progress, and is neither complete nor does following its suggestions guarantee your site will be fully secure.


Form fields support autocompletion in Gecko; that is, their values can be remembered and automatically filled in the next time the user visits your site. For certain types of data (credentials, payment details and similar), you may wish to disable this feature.
This article discusses changes made to the getComputedStyle() method that eliminate the ability of malicious sites to infer the user's browsing history from the styling of visited links.


Properly configuring server MIME types
There are several ways incorrect MIME types can cause potential security problems with your site. This article explains some of those, and shows how to configure your server to serve files with the correct MIME types.
HTTP Strict Transport Security
The Strict-Transport-Security HTTP header lets a web site specify that it may only be accessed using HTTPS.
HTTP access control
The Cross-Origin Resource Sharing standard provides a way to specify what content may be loaded from other domains. You can use this to prevent your site from being used improperly; in addition, you can use it to establish resources that other sites are expressly permitted to use.
Content Security Policy
An added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware.
The X-Frame-Options response header
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.



Contributors to this page: keep2zero, xgqfrms-GitHub, hashedhyphen
Last edited by: keep2zero