From 218934fa2ed1c702a6d3923d2aa2cc6b43c48684 Mon Sep 17 00:00:00 2001 From: Peter Bengtsson Date: Tue, 8 Dec 2020 14:43:23 -0500 Subject: initial commit --- files/th/web/security/index.html | 238 +++++++++++++++++++++++++ files/th/web/security/mixed_content/index.html | 85 +++++++++ 2 files changed, 323 insertions(+) create mode 100644 files/th/web/security/index.html create mode 100644 files/th/web/security/mixed_content/index.html (limited to 'files/th/web/security') diff --git a/files/th/web/security/index.html b/files/th/web/security/index.html new file mode 100644 index 0000000000..c00772364d --- /dev/null +++ b/files/th/web/security/index.html @@ -0,0 +1,238 @@ +--- +title: Web security +slug: Web/Security +tags: + - Landing + - NeedsTranslation + - Security + - TopicStub + - Web +translation_of: Web/Security +--- +
+

Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can result in private information being leaked, and bad people are out there trying to find ways to steal data. The web security-oriented articles listed here provide information that may help you secure your site and its code from attacks and data theft.

+
+ +

Content security

+ +
+
Content security policy (CSP)
+
Content Security Policy ({{Glossary("CSP")}}) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting ({{Glossary("XSS")}}) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.
+
+ +

Connection security

+ +
+
Transport security layer (TLS)
+
The Transport Layer Security ({{Glossary("TLS")}}) protocol is the standard for enabling two networked applications or devices to exchange information privately and robustly. Applications that use TLS can choose their security parameters, which can have a substantial impact on the security and reliability of data. This article provides an overview of TLS and the kinds of decisions you need to make when securing your content.
+
HTTPS
+
HTTPS (HyperText Transfer Protocol Secure) is an encrypted version of the HTTP protocol. It uses SSL or TLS to encrypt all communication between a client and a server. This secure connection allows clients to be sure that they are connected with the intended server, and to exchange sensitive data.
+
HTTP Strict-Transport-Security
+
The Strict-Transport-Security: HTTP header lets a website specify that it may only be accessed using HTTPS.
+
Certificate Transparency
+
Certificate Transparency is an open framework designed to protect against and monitor for certificate misissuances. Newly issued certificates are 'logged' to publicly run, often independent CT logs which maintain an append-only, cryptographically assured record of issued TLS certificates.
+
Mixed content
+
An HTTPS page that includes content fetched using cleartext HTTP is called a mixed content page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.
+
How to fix a website with blocked mixed content
+
If your website delivers HTTPS pages, all active mixed content delivered via HTTP on these pages will be blocked by default. Consequently, your website may appear broken to users (if iframes or plugins don't load, etc.). Passive mixed content is displayed by default, but users can set a preference to block this type of content, as well. This page explains what you should be aware of as a web developer.
+
Secure contexts
+
A secure context is a Window or Worker for which there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited. Many Web APIs and features are accessible only in a secure context. The primary goal of secure contexts is to prevent man-in-the-middle attackers from accessing powerful APIs that could further compromise the victim of an attack.
+
Features restricted to secure contexts
+
This reference lists the web platform features available only in secure contexts.
+
Weak signature algorithms
+
The strength of the hash algorithm used in signing a digital certificate is a critical element of the security of the certificate. This article provides some information about signature algorithms known to be weak, so you can avoid them when appropriate.
+
Redirection with 301 and 302 response codes
+
to be written
+
+ +

Data security

+ +
+
Using HTTP Cookies
+
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example.
+
Local storage
+
The Window object's Window.localStorage property is a way for servers to store data on a client that is persistent across sessions.
+
+ +

Information leakage

+ +
+
Referer header policy: privacy and security concerns
+
There are privacy and security risks associated with the Referer HTTP header. This article describes them and offers advice on mitigating those risks.
+
Robots.txt
+
to be written
+
Site maps
+
to be written
+
+ +

Integrity

+ +
+
Same-origin policy
+
The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.
+
Subresource integrity
+
Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.
+
HTTP Access-Control-Allow-Origin
+
The Access-Control-Allow-Origin response header indicates whether the response can be shared with requesting code from the given origin.
+
HTTP X-Content-Type-Options
+
+

The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised in the Content-Type headers should not be changed and be followed. This is a way to opt-out of MIME type sniffing, or, in other words, to say that the MIME types are deliberately configured.

+
+
+ +

Clickjacking protection

+ +

In clickjacking, a user is fooled into clicking on a UI element that performs some action other than what the user expects. 

+ +
+
HTTP X-Frame-Options
+
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
+
CSP: frame-ancestors
+
The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents that may embed a page using <frame><iframe><object><embed>, or <applet>.
+
+ +

User information security

+ +
+
Insecure passwords
+
Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a user’s password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit.
+
Privacy and the :visited selector
+
Before about 2010, the CSS :visited selector allowed websites to uncover a user's browsing history and figure out what sites the user had visited. To mitigate this problem, browsers have limited the amount of information that can be obtained from visited links.
+
+ + + +
+ + + +
+ +

See also

+ + + +

{{QuickLinksWithSubpages}}

diff --git a/files/th/web/security/mixed_content/index.html b/files/th/web/security/mixed_content/index.html new file mode 100644 index 0000000000..8992059b18 --- /dev/null +++ b/files/th/web/security/mixed_content/index.html @@ -0,0 +1,85 @@ +--- +title: Mixed content +slug: Web/Security/Mixed_content +tags: + - HTTP + - HTTPS + - NeedsTranslation + - Security + - TopicStub + - Web + - console +translation_of: Web/Security/Mixed_content +--- +

When a user visits a page served over {{Glossary("HTTPS")}}, their connection with the web server is encrypted with {{Glossary("TLS")}} and is therefore safeguarded from most sniffers and man-in-the-middle attacks. An HTTPS page that includes content fetched using cleartext HTTP is called a mixed content page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers. That leaves the pages unsafe.

+ +

Types of mixed content

+ +

There are two categories for mixed content: mixed passive/display content and mixed active content. The difference lies in the threat level of the worst case scenario if content is rewritten as part of a man-in-the-middle attack. In the case of passive content, the threat is lower (the page may contain misleading content, or the user's cookies may be stolen). In the case of active content, the threat can lead to phishing, sensitive data disclosure, redirection to malicious sites, etc.

+ +

Mixed passive/display content

+ +

Mixed passive/display content is content served over HTTP that is included in an HTTPS webpage, but that cannot alter other portions of the webpage. For example, an attacker could replace an image served over HTTP with an inappropriate image or message to the user. The attacker could also infer information about the user's activities by watching which images are served to the user; often images are only served on a specific page within a website. If the attacker observes HTTP requests to certain images, they could determine which webpage the user is visiting.

+ +

Passive content list

+ +

This section lists all types of HTTP requests which are considered passive content:

+ + + +

Mixed active content

+ +

Mixed active content is content that has access to all or parts of the Document Object Model of the HTTPS page. This type of mixed content can alter the behavior of the HTTPS page and potentially steal sensitive data from the user. Hence, in addition to the risks described for mixed display content above, mixed active content is vulnerable to a few other attack vectors.

+ +

In the mixed active content case, a man-in-the-middle attacker can intercept the request for the HTTP content. The attacker can also rewrite the response to include malicious JavaScript code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (by leveraging vulnerabilities in the browser or its plugins, for example).

+ +

The risk involved with mixed content does depend on the type of website the user is visiting and how sensitive the data exposed to that site may be. The webpage may have public data visible to the world or private data visible only when authenticated. If the webpage is public and has no sensitive data about the user, using mixed active content still provides the attacker with the opportunity to redirect the user to other HTTP pages and steal HTTP cookies from those sites.

+ +

Active content examples

+ +

This section lists some types of HTTP requests which are considered active content:

+ + + +

Other resource types like web fonts and workers may be considered active mixed content, as they are in Chrome.

+ +

Warnings in Web Console

+ +

The Firefox Web Console displays a mixed content warning message in the Net pane when a page on your website has this issue. The mixed content resource that was loaded via HTTP will show up in red, along with the text "mixed content", which links to this page.

+ +

Screen shot of the web console displaying a mixed content warning.

+ +

As well as finding these warnings in the Web Console, you could use Content Security Policy (CSP) to report issues. You could also use an online crawler like SSL-check or Missing Padlock that will check your website recursively and find links to insecure content.

+ +

Starting in Firefox 23, mixed active content is blocked by default (and mixed display content can be blocked by setting a preference). To make it easier for web developers to find mixed content errors, all blocked mixed content requests are logged to the Security pane of the Web Console, as seen below:

+ +

A screenshot of blocked mixed content errors in the Security Pane of the Web Console

+ +

To fix this type of error, all requests to HTTP content should be removed and replaced with content served over HTTPS. Some common examples of mixed content include JavaScript files, stylesheets, images, videos, and other media.

+ +
+

Note: Since Firefox 55, the loading of mixed content is allowed on http://127.0.0.1/ (see {{bug(903966)}}). Chrome allows mixed content on http://127.0.0.1/ and http://localhost/. Safari does not allow any mixed content.

+
+ +

See also

+ + + +

{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}
