---
title: Web security
slug: Web/Security
tags:
- Landing
- NeedsTranslation
- Security
- TopicStub
- Web
translation_of: Web/Security
---
<div class="summary">
<p>Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can result in private information being leaked, and bad people are out there trying to find ways to steal data. <span class="seoSummary">The web security-oriented articles listed here provide information that may help you secure your site and its code from attacks and data theft.</span></p>
</div>
<h2 id="Content_security">Content security</h2>
<dl>
<dt><a href="/en-US/docs/Web/HTTP/CSP">Content security policy (CSP)</a></dt>
<dd><strong>Content Security Policy</strong> ({{Glossary("CSP")}}) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting ({{Glossary("XSS")}}) and data injection attacks. These attacks are used for everything from data theft to site defacement to the distribution of malware.</dd>
</dl>
<h2 id="Connection_security">Connection security</h2>
<dl>
<dt><a href="/en-US/docs/Web/Security/Transport_Layer_Security">Transport Layer Security (TLS)</a></dt>
<dd>The Transport Layer Security ({{Glossary("TLS")}}) protocol is the standard for enabling two networked applications or devices to exchange information privately and robustly. Applications that use TLS can choose their security parameters, which can have a substantial impact on the security and reliability of data. This article provides an overview of TLS and the kinds of decisions you need to make when securing your content.</dd>
<dt>HTTPS</dt>
<dd><strong>HTTPS</strong> (<strong><em>HyperText Transfer Protocol Secure</em></strong>) is an encrypted version of the <a href="https://developer.mozilla.org/en-US/docs/Glossary/HTTP">HTTP</a> protocol. It uses <a href="https://developer.mozilla.org/en-US/docs/Glossary/SSL">SSL</a> or <a href="https://developer.mozilla.org/en-US/docs/Glossary/TLS">TLS</a> to encrypt all communication between a client and a server. This secure connection allows clients to be sure that they are connected with the intended server, and to exchange sensitive data.</dd>
<dt><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">HTTP Strict-Transport-Security</a></dt>
<dd>The <code>Strict-Transport-Security:</code> <a href="https://wiki.developer.mozilla.org/en/HTTP" title="en/HTTP">HTTP</a> header lets a website specify that it may only be accessed using HTTPS.</dd>
<dt><a href="/en-US/docs/Web/Security/Certificate_Transparency">Certificate Transparency</a></dt>
<dd><strong>Certificate Transparency</strong> is an open framework designed to protect against and monitor for certificate misissuances. Newly issued certificates are 'logged' to publicly run, often independent CT logs which maintain an append-only, cryptographically assured record of issued TLS certificates.</dd>
<dt><a href="/en-US/docs/Web/Security/Mixed_content">Mixed content</a></dt>
<dd>An HTTPS page that includes content fetched using cleartext HTTP is called a <strong>mixed content</strong> page. Pages like this are only partially encrypted, leaving the unencrypted content accessible to sniffers and man-in-the-middle attackers.</dd>
<dt><a href="/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content">How to fix a website with blocked mixed content</a></dt>
<dd>If your website delivers HTTPS pages, all <a href="https://wiki.developer.mozilla.org/en-US/docs/Security/MixedContent#Mixed_active_content" title="/en-US/docs/Security/MixedContent#Mixed_active_content">active mixed content</a> delivered via HTTP on these pages will be blocked by default. Consequently, your website may appear broken to users (if iframes or plugins don't load, etc.). <a href="https://wiki.developer.mozilla.org/en-US/docs/Security/MixedContent#Mixed_passivedisplay_content" title="/en-US/docs/Security/MixedContent#Mixed_passive.2Fdisplay_content">Passive mixed content</a> is displayed by default, but users can set a preference to block this type of content, as well. This page explains what you should be aware of as a web developer.</dd>
<dt><a href="/en-US/docs/Web/Security/Secure_Contexts">Secure contexts</a></dt>
<dd>A <strong>secure context</strong> is a <code>Window</code> or <code>Worker</code> for which there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are <strong>not</strong> secure is limited. Many Web APIs and features are accessible only in a secure context. The primary goal of secure contexts is to prevent <a class="external external-icon" href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack" rel="noopener" title="man-in-the-middle attackers">man-in-the-middle attackers</a> from accessing powerful APIs that could further compromise the victim of an attack.</dd>
<dt><a href="/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts">Features restricted to secure contexts</a></dt>
<dd>This reference lists the web platform features available only in secure contexts.</dd>
<dt><a href="/en-US/docs/Web/Security/Weak_Signature_Algorithm">Weak signature algorithms</a></dt>
<dd>The strength of the hash algorithm used in <a class="glossaryLink" href="https://wiki.developer.mozilla.org/en-US/docs/Glossary/Signature/Security" title="signing: A signature, or digital signature, is a protocol showing that a message is authentic.">signing</a> a <a class="glossaryLink" href="https://wiki.developer.mozilla.org/en-US/docs/Glossary/Digital_certificate" title="digital certificate: A digital certificate is a data file that binds a publicly known cryptographic key to an organization.">digital certificate</a> is a critical element of the security of the certificate. This article provides some information about signature algorithms known to be weak, so you can avoid them when appropriate.</dd>
<dt>Redirection with 301 and 302 response codes</dt>
<dd>to be written</dd>
</dl>
<h2 id="Data_security">Data security</h2>
<dl>
<dt><a href="/en-US/docs/Web/HTTP/Cookies">Using HTTP Cookies</a></dt>
<dd>An <dfn>HTTP cookie</dfn> (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with later requests to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged in, for example.</dd>
<dt><a href="/en-US/docs/Web/API/Web_Storage_API/Local_storage">Local storage</a></dt>
<dd>The <code>Window</code> object's <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/API/Window/localStorage" title="The read-only localStorage property allows you to access a Storage object for the Document's origin; the stored data is saved across browser sessions."><code>Window.localStorage</code></a> property is a way for servers to store data on a client that is persistent across sessions.</dd>
</dl>
<h2 id="Information_leakage">Information leakage</h2>
<dl>
<dt><a href="/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns">Referer header policy: privacy and security concerns</a></dt>
<dd>There are privacy and security risks associated with the <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer">Referer HTTP header</a>. This article describes them and offers advice on mitigating those risks.</dd>
<dt>Robots.txt</dt>
<dd>to be written</dd>
<dt>Site maps</dt>
<dd>to be written</dd>
</dl>
<h2 id="Integrity">Integrity</h2>
<dl>
<dt><a href="/en-US/docs/Web/Security/Same-origin_policy">Same-origin policy</a></dt>
<dd>The <strong>same-origin policy</strong> is a critical security mechanism that restricts how a document or script loaded from one <a href="https://developer.mozilla.org/en-US/docs/Glossary/origin">origin</a> can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.</dd>
<dt><a href="/en-US/docs/Web/Security/Subresource_Integrity">Subresource integrity</a></dt>
<dd><strong>Subresource Integrity</strong> (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a <a href="https://developer.mozilla.org/en-US/docs/Glossary/CDN">CDN</a>) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.</dd>
<dt><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin">HTTP Access-Control-Allow-Origin</a></dt>
<dd>The <code><strong>Access-Control-Allow-Origin</strong></code> response header indicates whether the response can be shared with requesting code from the given <a href="https://developer.mozilla.org/en-US/docs/Glossary/origin">origin</a>.</dd>
<dt><a href="/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options">HTTP X-Content-Type-Options</a></dt>
<dd>
<p>The <code><strong>X-Content-Type-Options</strong></code> response HTTP header is a marker used by the server to indicate that the <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types">MIME types</a> advertised in the <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type" title="The Content-Type entity header is used to indicate the media type of the resource."><code>Content-Type</code></a> headers should be followed and not changed. This is a way to opt out of <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types#MIME_sniffing">MIME type sniffing</a>, or, in other words, to say that the MIME types are deliberately configured.</p>
</dd>
</dl>
<h2 id="Clickjacking_protection">Clickjacking protection</h2>
<p id="sect1">In clickjacking, a user is fooled into clicking on a UI element that performs some action other than what the user expects. </p>
<dl>
<dt><a href="/en-US/docs/Web/HTTP/Headers/X-Frame-Options">HTTP X-Frame-Options</a></dt>
<dd>The <strong><code>X-Frame-Options</code></strong> <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP">HTTP</a> response header can be used to indicate whether or not a browser should be allowed to render a page in a <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/frame" title="&lt;frame&gt; is an HTML element which defines a particular area in which another HTML document can be displayed. A frame should be used within a &lt;frameset&gt;."><code>&lt;frame&gt;</code></a>, <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe" title="The HTML Inline Frame element (&lt;iframe&gt;) represents a nested browsing context, embedding another HTML page into the current one."><code>&lt;iframe&gt;</code></a>, <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/embed" title="The HTML &lt;embed&gt; element embeds external content at the specified point in the document. This content is provided by an external application or other source of interactive content such as a browser plug-in."><code>&lt;embed&gt;</code></a> or <a href="https://developer.mozilla.org/en-US/docs/Web/HTML/Element/object" title="The HTML &lt;object&gt; element represents an external resource, which can be treated as an image, a nested browsing context, or a resource to be handled by a plugin."><code>&lt;object&gt;</code></a>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.</dd>
<dt><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors">CSP: frame-ancestors</a></dt>
<dd>The HTTP <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy" title="The HTTP Content-Security-Policy response header allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks (XSS)."><code>Content-Security-Policy</code></a> (CSP) <code><strong>frame-ancestors</strong></code> directive specifies valid parents that may embed a page using <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/frame" title="&lt;frame&gt; is an HTML element which defines a particular area in which another HTML document can be displayed. A frame should be used within a &lt;frameset&gt;."><code>&lt;frame&gt;</code></a>, <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe" title="The HTML Inline Frame element (&lt;iframe&gt;) represents a nested browsing context, embedding another HTML page into the current one."><code>&lt;iframe&gt;</code></a>, <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/object" title="The HTML &lt;object&gt; element represents an external resource, which can be treated as an image, a nested browsing context, or a resource to be handled by a plugin."><code>&lt;object&gt;</code></a>, <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/embed" title="The HTML &lt;embed&gt; element embeds external content at the specified point in the document. This content is provided by an external application or other source of interactive content such as a browser plug-in."><code>&lt;embed&gt;</code></a>, or <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/HTML/Element/applet" title="The obsolete HTML Applet Element (&lt;applet&gt;) embeds a Java applet into the document; this element has been deprecated in favor of &lt;object&gt;."><code>&lt;applet&gt;</code></a>.</dd>
</dl>
<h2 id="User_information_security">User information security</h2>
<dl>
<dt><a href="/en-US/docs/Web/Security/Insecure_passwords">Insecure passwords</a></dt>
<dd>Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a user’s password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit.</dd>
<dt><a href="/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector">Privacy and the :visited selector</a></dt>
<dd>Before about 2010, the <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/CSS">CSS</a> <a href="https://wiki.developer.mozilla.org/en-US/docs/Web/CSS/:visited" title="The :visited CSS pseudo-class represents links that the user has already visited. For privacy reasons, the styles that can be modified using this selector are very limited."><code>:visited</code></a> selector allowed websites to uncover a user's browsing history and figure out what sites the user had visited. To mitigate this problem, browsers have limited the amount of information that can be obtained from visited links.</dd>
</dl>
<h2 id="Security-related_glossary_terms">Security-related glossary terms</h2>
<div class="twocolumns">
<ul>
<li>
<p>{{Glossary("Block cipher mode of operation")}}</p>
</li>
<li>
<p>{{Glossary("Certificate authority")}}</p>
</li>
<li>
<p>{{Glossary("challenge", "Challenge-response authentication")}}</p>
</li>
<li>
<p>{{Glossary("Cipher")}}</p>
</li>
<li>
<p>{{Glossary("Cipher suite")}}</p>
</li>
<li>
<p>{{Glossary("Ciphertext")}}</p>
</li>
<li>
<p>{{Glossary("CORS")}}</p>
</li>
<li>
<p>{{Glossary("CORS-safelisted request header")}}</p>
</li>
<li>
<p>{{Glossary("CORS-safelisted response header")}}</p>
</li>
<li>
<p>{{Glossary("Cross-site scripting")}}</p>
</li>
<li>
<p>{{Glossary("Cryptanalysis")}}</p>
</li>
<li>
<p>{{Glossary("Cryptographic hash function")}}</p>
</li>
<li>
<p>{{Glossary("Cryptography")}}</p>
</li>
<li>
<p>{{Glossary("CSP")}}</p>
</li>
<li>
<p>{{Glossary("CSRF")}}</p>
</li>
<li>
<p>{{Glossary("Decryption")}}</p>
</li>
<li>
<p>{{Glossary("Digital certificate")}}</p>
</li>
<li>
<p>{{Glossary("DTLS")}}</p>
</li>
<li>
<p>{{Glossary("Encryption")}}</p>
</li>
<li>
<p>{{Glossary("Forbidden header name")}}</p>
</li>
<li>
<p>{{Glossary("Forbidden response header name")}}</p>
</li>
<li>
<p>{{Glossary("Hash")}}</p>
</li>
<li>
<p>{{Glossary("HMAC")}}</p>
</li>
<li>
<p>{{Glossary("HPKP")}}</p>
</li>
<li>
<p>{{Glossary("HSTS")}}</p>
</li>
<li>
<p>{{Glossary("HTTPS")}}</p>
</li>
<li>
<p>{{Glossary("Key")}}</p>
</li>
<li>
<p>{{Glossary("MitM")}}</p>
</li>
<li>
<p>{{Glossary("OWASP")}}</p>
</li>
<li>
<p>{{Glossary("Preflight request")}}</p>
</li>
<li>
<p>{{Glossary("Public-key cryptography")}}</p>
</li>
<li>
<p>{{Glossary("Reporting directive")}}</p>
</li>
<li>
<p>{{Glossary("Robots.txt")}}</p>
</li>
<li>
<p>{{Glossary("Same-origin policy")}}</p>
</li>
<li>
<p>{{Glossary("Session hijacking")}}</p>
</li>
<li>
<p>{{Glossary("SQL injection")}}</p>
</li>
<li>
<p>{{Glossary("Symmetric-key cryptography")}}</p>
</li>
<li>
<p>{{Glossary("TOFU")}}</p>
</li>
</ul>
<ul>
<li>
<p>{{Glossary("TLS")}}</p>
</li>
</ul>
</div>
<h2 id="See_also">See also</h2>
<ul>
<li><a href="https://lists.mozilla.org/listinfo/dev-security">Mozilla security mailing list</a></li>
<li><a href="https://blog.mozilla.com/security/">Security Blog</a></li>
<li><a href="https://twitter.com/mozsec">@mozsec on Twitter</a></li>
</ul>
<p>{{QuickLinksWithSubpages}}</p>