User:Apking/Web Security Guidelines: Difference between revisions

Minor fixes
(indentation)
(Minor fixes)
Line 128: Line 128:


== Examples ==
== Examples ==
<pre># Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)
Content-Security-Policy: default-src https:</pre>


<pre># Disable the use of unsafe inline/eval, allow everything else
<pre># Disable the use of unsafe inline/eval, allow everything else
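Review bot: the "(recommended)" label added to the `default-src https:` example deserves a qualifier, because that policy still permits scripts, styles and other resources from any HTTPS origin and so does little to contain an injected `<script src="https://...">`; the same-origin example later in this section is the stricter baseline. Suggest wording the comment as "recommended minimum" or pointing readers to the same-origin variant, e.g. `# Recommended minimum; prefer the same-origin policy below where possible`.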
Line 134: Line 137:
<pre># Do the same thing, but with a &lt;meta&gt; tag
<pre># Do the same thing, but with a &lt;meta&gt; tag
<meta http-equiv="Content-Security-Policy" content="default-src http: https:"></pre>
<meta http-equiv="Content-Security-Policy" content="default-src http: https:"></pre>
<pre># Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https
Content-Security-Policy: default-src https:</pre>


<pre># Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur
<pre># Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur
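Review bot: the `<meta http-equiv="Content-Security-Policy">` example carried through this hunk lacks a caveat that a policy delivered in a meta tag is not fully equivalent to the header: `frame-ancestors`, `report-uri` and `sandbox` are ignored in a meta tag, and the tag only governs resources that come after it in the document. Suggest a one-line comment inside that block, e.g. `# Note: frame-ancestors, report-uri and sandbox are only honoured in the HTTP header`.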
Line 237: Line 237:
= CSRF Prevention =
= CSRF Prevention =


Cross-site reference forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inhirit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like like this:
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like like this:


<pre>&lt;!-- Attempt to delete a user's account --&gt;
<pre>&lt;!-- Attempt to delete a user's account --&gt;
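Review bot: two typos survive the fix on the corrected line: "might like like this" has a duplicated "like" (should read "might look like this"), and "the users cookies" needs a possessive apostrophe ("the user's cookies").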
Line 327: Line 327:
= X-Content-Type-Options =
= X-Content-Type-Options =


<tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the <tt>X-Content-Type-Options</tt> header and set the appropriate MIME types for files that they serve.
<tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the <tt>X-Content-Type-Options</tt> header and the appropriate MIME types for files that they serve.


== Examples ==
== Examples ==
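Review bot: the corrected sentence still names only Internet Explorer and Chrome, and the header value itself never appears in the paragraph; `X-Content-Type-Options: nosniff` is honoured by Firefox and the other major browsers as well, so the browser list reads as dated. Suggest "...is a header, honoured by all major browsers, that tells them not to load..." and quoting the `nosniff` value where the header is first introduced.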