= Web Security Cheat Sheet =

{| class="wikitable"
|-
! Guideline
! Requirements
! Notes
|-
| HTTPS
| Mandatory
| All websites and API endpoints must support HTTPS
|-
| HTTP Strict Transport Security (HSTS)
| Mandatory for all websites
| Minimum allowed time period of six months
|-
| HTTP Redirections
| Mandatory
| Websites must redirect to HTTPS; API endpoints should disable HTTP entirely
|-
| HTTP Public Key Pinning (HPKP)
| Mandatory for critical risk sites
| Not recommended for most sites
|-
| Content Security Policy (CSP)
| Mandatory for new websites<br />Recommended for existing websites
| Disabling inline script is the highest priority for CSP
|-
| Cookies
| Mandatory
| All cookies must be set with Secure, and as restrictive as possible
|-
| Cross-origin Resource Sharing (CORS)
| Mandatory
| Origin sharing headers and files should not be present, except for specific use cases
|-
| Cross-site Request Forgery (CSRF) Prevention
| Varies
| Mandatory for sites that allow destructive changes<br />Optional for logoff URIs<br />Unnecessary for all other websites
|-
| robots.txt
| Optional
| Sites that implement robots.txt must only use it for noted purposes
|-
| Subresource Integrity (SRI)
| Mandatory
| Mandatory for all websites that load JavaScript and stylesheets from non-Mozilla sources
|-
| X-Content-Type-Options
| Mandatory for all websites
| Websites should verify that they are setting the proper MIME types for all resources
|-
| X-Frame-Options
| Mandatory for all websites
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
|-
| X-XSS-Protection
| Mandatory for all new websites<br />Recommended for existing websites
| Manual testing should be done for existing websites, prior to implementation
|}
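The header-based rows of the cheat sheet can be checked mechanically against a captured response. The script below is an added example, not code from this wiki or from Mozilla: <code>audit_headers</code> takes a dict of response headers (a constructed <code>SAMPLE</code> is embedded) and returns a pass/fail verdict per guideline, treating "six months" for HSTS as 182 days; rows that need more than headers (HTTPS itself, redirects, HPKP, CSRF, SRI, robots.txt) are out of scope.

```python
import re

SIX_MONTHS = 182 * 24 * 60 * 60  # the cheat sheet's minimum HSTS lifetime, in seconds

def _values(headers, name):
    """All values of one header, case-insensitively (Set-Cookie may repeat)."""
    vals = [v for k, v in headers.items() if k.lower() == name.lower()]
    return [x for v in vals for x in (v if isinstance(v, list) else [v])]

def audit_headers(headers):
    """Map each header-based guideline of the cheat sheet to (passed, detail)."""
    r = {}
    m = re.search(r"max-age=(\d+)", " ".join(_values(headers, "Strict-Transport-Security")), re.I)
    age = int(m.group(1)) if m else 0
    r["HSTS"] = (age >= SIX_MONTHS, "max-age=%d" % age)
    # CSP: inline script must be blocked; script-src falls back to default-src
    directives = {}
    for d in (_values(headers, "Content-Security-Policy") or [""])[0].split(";"):
        parts = d.lower().split()
        if parts:
            directives[parts[0]] = parts[1:]
    script = directives.get("script-src", directives.get("default-src"))
    r["CSP"] = (script is not None and "'unsafe-inline'" not in script,
                "script-src " + " ".join(script) if script is not None else "no policy")
    insecure = [c.split("=", 1)[0] for c in _values(headers, "Set-Cookie")
                if not re.search(r";\s*secure\s*(;|$)", c, re.I)]  # lacks the Secure attribute
    r["Cookies"] = (not insecure,
                    "missing Secure: " + ", ".join(insecure) if insecure else "all Secure")
    acao = _values(headers, "Access-Control-Allow-Origin")  # should be absent by default
    r["CORS"] = (not acao, "ACAO=" + acao[0] if acao else "no origin sharing header")
    xcto = _values(headers, "X-Content-Type-Options")
    r["X-Content-Type-Options"] = (bool(xcto) and xcto[0].strip().lower() == "nosniff",
                                   xcto[0] if xcto else "absent")
    xfo = _values(headers, "X-Frame-Options")
    r["X-Frame-Options"] = (bool(xfo) and xfo[0].strip().upper() in ("DENY", "SAMEORIGIN"),
                            xfo[0] if xfo else "absent; other clickjacking defenses required")
    xxp = _values(headers, "X-XSS-Protection")
    r["X-XSS-Protection"] = (bool(xxp) and re.sub(r"\s", "", xxp[0]) == "1;mode=block",
                             xxp[0] if xxp else "absent")
    return r

# Constructed sample response headers (not captured from any real site)
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; script-src 'self' 'unsafe-inline'",
    "Set-Cookie": ["sessionid=abc; Secure; HttpOnly; SameSite=Lax", "prefs=dark; Path=/"],
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
```

On <code>SAMPLE</code> the HSTS, CORS and X-* rows pass while CSP fails (<code>'unsafe-inline'</code> in <code>script-src</code>) and Cookies fails (<code>prefs</code> lacks Secure), which is exactly the kind of finding the table's CSP and Cookies rows call out.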