<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://wiki.mozilla.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Apking</id>
	<title>MozillaWiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://wiki.mozilla.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Apking"/>
	<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/Special:Contributions/Apking"/>
	<updated>2026-07-09T16:15:27Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.39.10</generator>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=SecurityEngineering/Public_Key_Pinning/ReleaseEngineering&amp;diff=1245860</id>
		<title>SecurityEngineering/Public Key Pinning/ReleaseEngineering</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=SecurityEngineering/Public_Key_Pinning/ReleaseEngineering&amp;diff=1245860"/>
		<updated>2023-03-20T16:14:00Z</updated>

		<summary type="html">&lt;p&gt;Apking: Adding full name because why not.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Whom to contact in case of emergency ==&lt;br /&gt;
* Mozilla: pinning@mozilla.org, seceng@mozilla.org, or security@mozilla.org (last resort)&lt;br /&gt;
* Twitter: &#039;&#039;need contact, Neil&#039;s not at Twitter&#039;&#039; &amp;lt;s&amp;gt;Neil Matatall&amp;lt;/s&amp;gt;&lt;br /&gt;
* Google: pki-contact@google.com or agl or security@google.com (last resort)&lt;br /&gt;
* Dropbox: April King (aprilking@dropbox.com)&lt;br /&gt;
* Facebook: Scott Renfro (srenfro@fb.com)&lt;br /&gt;
&lt;br /&gt;
== Implementation status ==&lt;br /&gt;
Pinning is enabled by default in Nightly 32.&lt;br /&gt;
&lt;br /&gt;
== What critical Mozilla properties are we planning to pin? ==&lt;br /&gt;
* AMO&lt;br /&gt;
* aus4 is under question. We have a meeting with rstrong to discuss what, if any, benefits pinning provides over verifying the signature on the actual binaries and requiring those come from a known issuer. The drawback of pinning the updater is that we may break ourselves.&lt;br /&gt;
&lt;br /&gt;
== How to rollback pinning for Firefox ==&lt;br /&gt;
Pinning is controlled by a preference, security.cert_pinning.enforcement_level. To disable pinning, set this pref to 0. In case of emergency, we can&lt;br /&gt;
# Push a hotfix to disable the pinning pref. In case pinning breaks AMO, this will not be possible.&lt;br /&gt;
# Push a chemspill. In case pinning breaks aus4, this will not be possible.&lt;br /&gt;
# {{bug|1012875}} Wait 8 or 10 weeks until the pinset expires once it reaches stable, during which time users will not be able to reach sites that are pinned incorrectly.&lt;br /&gt;
&lt;br /&gt;
== How long do updates take? ==&lt;br /&gt;
* Hotfix: almost all users in 2 days&lt;br /&gt;
* Chemspill: unknown&lt;br /&gt;
* Fennec (Google play): Majority users in 2 days&lt;br /&gt;
&lt;br /&gt;
== What about other platforms besides desktop? ==&lt;br /&gt;
&lt;br /&gt;
In {{bug|1012882}}, we decided to not pin on b2g right now, and (maybe) to wait for a couple of cycles to pin on Fennec.&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=SecurityEngineering/Public_Key_Pinning/ReleaseEngineering&amp;diff=1245859</id>
		<title>SecurityEngineering/Public Key Pinning/ReleaseEngineering</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=SecurityEngineering/Public_Key_Pinning/ReleaseEngineering&amp;diff=1245859"/>
		<updated>2023-03-20T16:13:36Z</updated>

		<summary type="html">&lt;p&gt;Apking: Update Dropbox contact to April King, as Anton hasn&amp;#039;t worked for Dropbox since 2017.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== Whom to contact in case of emergency ==&lt;br /&gt;
* Mozilla: pinning@mozilla.org, seceng@mozilla.org, or security@mozilla.org (last resort)&lt;br /&gt;
* Twitter: &#039;&#039;need contact, Neil&#039;s not at Twitter&#039;&#039; &amp;lt;s&amp;gt;Neil Matatall&amp;lt;/s&amp;gt;&lt;br /&gt;
* Google: pki-contact@google.com or agl or security@google.com (last resort)&lt;br /&gt;
* Dropbox: aprilking@dropbox.com&lt;br /&gt;
* Facebook: Scott Renfro (srenfro@fb.com)&lt;br /&gt;
&lt;br /&gt;
== Implementation status ==&lt;br /&gt;
Pinning is enabled by default in Nightly 32.&lt;br /&gt;
&lt;br /&gt;
== What critical Mozilla properties are we planning to pin? ==&lt;br /&gt;
* AMO&lt;br /&gt;
* aus4 is under question. We have a meeting with rstrong to discuss what, if any, benefits pinning provides over verifying the signature on the actual binaries and requiring those come from a known issuer. The drawback of pinning the updater is that we may break ourselves.&lt;br /&gt;
&lt;br /&gt;
== How to rollback pinning for Firefox ==&lt;br /&gt;
Pinning is controlled by a preference, security.cert_pinning.enforcement_level. To disable pinning, set this pref to 0. In case of emergency, we can&lt;br /&gt;
# Push a hotfix to disable the pinning pref. In case pinning breaks AMO, this will not be possible.&lt;br /&gt;
# Push a chemspill. In case pinning breaks aus4, this will not be possible.&lt;br /&gt;
# {{bug|1012875}} Wait 8 or 10 weeks until the pinset expires once it reaches stable, during which time users will not be able to reach sites that are pinned incorrectly.&lt;br /&gt;
&lt;br /&gt;
== How long do updates take? ==&lt;br /&gt;
* Hotfix: almost all users in 2 days&lt;br /&gt;
* Chemspill: unknown&lt;br /&gt;
* Fennec (Google play): Majority users in 2 days&lt;br /&gt;
&lt;br /&gt;
== What about other platforms besides desktop? ==&lt;br /&gt;
&lt;br /&gt;
In {{bug|1012882}}, we decided to not pin on b2g right now, and (maybe) to wait for a couple of cycles to pin on Fennec.&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1229478</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1229478"/>
		<updated>2020-07-24T17:48:21Z</updated>

		<summary type="html">&lt;p&gt;Apking: Fix pointer to latest JSON file&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; max-width: 60em; padding-left: .75rem;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].&lt;br /&gt;
&lt;br /&gt;
In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; max-width: 600px; text-align: center;&amp;quot;&amp;gt;&lt;br /&gt;
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]&amp;lt;br&amp;gt;&lt;br /&gt;
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Modern clients that support TLS 1.3, with no need for backwards compatibility&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Recommended configuration for a general-purpose server&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: 1.5rem 1rem;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Firefox&lt;br /&gt;
! Android&lt;br /&gt;
! Chrome&lt;br /&gt;
! Edge&lt;br /&gt;
! Internet Explorer&lt;br /&gt;
! Java&lt;br /&gt;
! OpenSSL&lt;br /&gt;
! Opera&lt;br /&gt;
! Safari&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color: green;&amp;quot; | &#039;&#039;&#039;Modern&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12.1&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:orange;&amp;quot; | &#039;&#039;&#039;Intermediate&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11 (Win7)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8u31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:gray;&amp;quot; | &#039;&#039;&#039;Old&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8 (WinXP)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 0.9.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;The ordering of cipher suites in the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration is very important, as it determines the priority with which algorithms are selected.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;OpenSSL will ignore cipher suites it doesn&#039;t understand, so always use the full set of cipher suites below, in their recommended order. The use of the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;br style=&amp;quot;clear: right;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services with clients that support TLS 1.3 and don&#039;t need backward compatibility, the &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt; configuration provides an extremely high level of security.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): (none)&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** We recommend ECDSA certificates using P-256, as P-384 provides negligible improvements to security and Ed25519 is not yet widely supported&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (recommended) ==&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;For services that don&#039;t need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039; (recommended), or &#039;&#039;&#039;RSA (2048 bits)&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039; (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;366 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others&lt;br /&gt;
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers&lt;br /&gt;
** Administrators needing to provide access to [https://www.ssllabs.com/ssltest/viewClient.html?name=IE&amp;amp;version=11&amp;amp;platform=Win%207&amp;amp;key=36 IE 11 on Windows Server 2008 R2] and who are unable to switch to or add ECDSA certificates can add &amp;lt;tt&amp;gt;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&amp;lt;/tt&amp;gt;&lt;br /&gt;
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)&lt;br /&gt;
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This configuration is compatible with a number of very old clients, and should be used only as a last resort.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.0 - 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA (2048-bits)&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039; (generated with &amp;lt;tt&amp;gt;openssl dhparam 1024&amp;lt;/tt&amp;gt;)&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;366 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;server chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only&lt;br /&gt;
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic&lt;br /&gt;
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use&lt;br /&gt;
** This configuration requires custom builds to work with modern versions of OpenSSL, using &amp;lt;tt&amp;gt;enable-ssl3&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-ssl3-method&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-deprecated&amp;lt;/tt&amp;gt;, and &amp;lt;tt&amp;gt;enable-weak-ssl-ciphers&amp;lt;/tt&amp;gt;&lt;br /&gt;
** Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;Mozilla also maintains [https://ssl-config.mozilla.org/guidelines/5.6.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;We also maintain a [https://ssl-config.mozilla.org/guidelines/latest.json rolling version] of these recommendations, with the caveat that they may change &#039;&#039;&#039;without warning&#039;&#039;&#039; and &#039;&#039;&#039;without providing backwards compatibility&#039;&#039;&#039;. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://ssl-config.mozilla.org/guidelines/5.6.json version-specific file] instead.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Update certificate lifespan to reflect browser policy changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Bump links to point to 5.3 guidelines, since it fixes a small JSON error&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Add note about IE 11 on Windows Server 2008 R2&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Server Side TLS 5.0&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1229400</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1229400"/>
		<updated>2020-07-22T15:55:11Z</updated>

		<summary type="html">&lt;p&gt;Apking: Update certificate lifespans&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; max-width: 60em; padding-left: .75rem;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].&lt;br /&gt;
&lt;br /&gt;
In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; max-width: 600px; text-align: center;&amp;quot;&amp;gt;&lt;br /&gt;
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]&amp;lt;br&amp;gt;&lt;br /&gt;
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Modern clients that support TLS 1.3, with no need for backwards compatibility&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Recommended configuration for a general-purpose server&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: 1.5rem 1rem;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Firefox&lt;br /&gt;
! Android&lt;br /&gt;
! Chrome&lt;br /&gt;
! Edge&lt;br /&gt;
! Internet Explorer&lt;br /&gt;
! Java&lt;br /&gt;
! OpenSSL&lt;br /&gt;
! Opera&lt;br /&gt;
! Safari&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color: green;&amp;quot; | &#039;&#039;&#039;Modern&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12.1&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:orange;&amp;quot; | &#039;&#039;&#039;Intermediate&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11 (Win7)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8u31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:gray;&amp;quot; | &#039;&#039;&#039;Old&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8 (WinXP)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 0.9.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;The ordering of cipher suites in the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration is very important, as it determines the priority with which algorithms are selected.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;OpenSSL will ignore cipher suites it doesn&#039;t understand, so always use the full set of cipher suites below, in their recommended order. The use of the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;br style=&amp;quot;clear: right;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services with clients that support TLS 1.3 and don&#039;t need backward compatibility, the &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt; configuration provides an extremely high level of security.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): (none)&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** We recommend ECDSA certificates using P-256, as P-384 provides negligible improvements to security and Ed25519 is not yet widely supported&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (recommended) ==&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;For services that don&#039;t need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039; (recommended), or &#039;&#039;&#039;RSA (2048 bits)&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039; (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;366 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others&lt;br /&gt;
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers&lt;br /&gt;
** Administrators needing to provide access to [https://www.ssllabs.com/ssltest/viewClient.html?name=IE&amp;amp;version=11&amp;amp;platform=Win%207&amp;amp;key=36 IE 11 on Windows Server 2008 R2] and who are unable to switch to or add ECDSA certificates can add &amp;lt;tt&amp;gt;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&amp;lt;/tt&amp;gt;&lt;br /&gt;
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)&lt;br /&gt;
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This configuration is compatible with a number of very old clients, and should be used only as a last resort.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.0 - 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA (2048-bits)&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039; (generated with &amp;lt;tt&amp;gt;openssl dhparam 1024&amp;lt;/tt&amp;gt;)&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;366 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;server chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only&lt;br /&gt;
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic&lt;br /&gt;
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use&lt;br /&gt;
** This configuration requires custom builds to work with modern versions of OpenSSL, using &amp;lt;tt&amp;gt;enable-ssl3&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-ssl3-method&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-deprecated&amp;lt;/tt&amp;gt;, and &amp;lt;tt&amp;gt;enable-weak-ssl-ciphers&amp;lt;/tt&amp;gt;&lt;br /&gt;
** Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;Mozilla also maintains [https://ssl-config.mozilla.org/guidelines/5.3.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;We also maintain a [https://ssl-config.mozilla.org/guidelines/latest.json rolling version] of these recommendations, with the caveat that they may change &#039;&#039;&#039;without warning&#039;&#039;&#039; and &#039;&#039;&#039;without providing backwards compatibility&#039;&#039;&#039;. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://ssl-config.mozilla.org/guidelines/5.3.json version-specific file] instead.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Update certificate lifespan to reflect browser policy changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Bump links to point to 5.3 guidelines, since it fixes a small JSON error&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Add note about IE 11 on Windows Server 2008 R2&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Server Side TLS 5.0&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1221778</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1221778"/>
		<updated>2020-01-02T19:32:56Z</updated>

		<summary type="html">&lt;p&gt;Apking: Update to 5.3, point to ssl-config.mozilla.org&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; max-width: 60em; padding-left: .75rem;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].&lt;br /&gt;
&lt;br /&gt;
In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; max-width: 600px; text-align: center;&amp;quot;&amp;gt;&lt;br /&gt;
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]&amp;lt;br&amp;gt;&lt;br /&gt;
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Modern clients that support TLS 1.3, with no need for backwards compatibility&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Recommended configuration for a general-purpose server&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: 1.5rem 1rem;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Firefox&lt;br /&gt;
! Android&lt;br /&gt;
! Chrome&lt;br /&gt;
! Edge&lt;br /&gt;
! Internet Explorer&lt;br /&gt;
! Java&lt;br /&gt;
! OpenSSL&lt;br /&gt;
! Opera&lt;br /&gt;
! Safari&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color: green;&amp;quot; | &#039;&#039;&#039;Modern&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12.1&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:orange;&amp;quot; | &#039;&#039;&#039;Intermediate&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11 (Win7)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8u31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:gray;&amp;quot; | &#039;&#039;&#039;Old&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8 (WinXP)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 0.9.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;The ordering of cipher suites in the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration is very important, as it determines the priority with which algorithms are selected.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;OpenSSL will ignore cipher suites it doesn&#039;t understand, so always use the full set of cipher suites below, in their recommended order. The use of the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;br style=&amp;quot;clear: right;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services with clients that support TLS 1.3 and don&#039;t need backward compatibility, the &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt; configuration provides an extremely high level of security.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): (none)&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** We recommend ECDSA certificates using P-256, as P-384 provides negligable improvements to security and Ed25519 is not yet widely supported&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (recommended) ==&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;For services that don&#039;t need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039; (recommended), or &#039;&#039;&#039;RSA (2048 bits)&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039; (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others&lt;br /&gt;
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers&lt;br /&gt;
** Administrators needing to provide access to [https://www.ssllabs.com/ssltest/viewClient.html?name=IE&amp;amp;version=11&amp;amp;platform=Win%207&amp;amp;key=36 IE 11 on Windows Server 2008 R2] and who are unable to switch to or add ECDSA certificates can add &amp;lt;tt&amp;gt;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&amp;lt;/tt&amp;gt;&lt;br /&gt;
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)&lt;br /&gt;
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This configuration is compatible with a number of very old clients, and should be used only as a last resort.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.0 - 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA (2048-bits)&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039; (generated with &amp;lt;tt&amp;gt;openssl dhparam 1024&amp;lt;/tt&amp;gt;)&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;server chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only&lt;br /&gt;
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic&lt;br /&gt;
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use&lt;br /&gt;
** This configuration requires custom builds to work with modern versions of OpenSSL, using &amp;lt;tt&amp;gt;enable-ssl3&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-ssl3-method&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-deprecated&amp;lt;/tt&amp;gt;, and &amp;lt;tt&amp;gt;enable-weak-ssl-ciphers&amp;lt;/tt&amp;gt;&lt;br /&gt;
** Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;Mozilla also maintains [https://ssl-config.mozilla.org/guidelines/5.3.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;We also maintain a [https://ssl-config.mozilla.org/guidelines/latest.json rolling version] of these recommendations, with the caveat that they may change &#039;&#039;&#039;without warning&#039;&#039;&#039; and &#039;&#039;&#039;without providing backwards compatibility&#039;&#039;&#039;. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://ssl-config.mozilla.org/guidelines/5.3.json version-specific file] instead.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Bump links to point to 5.3 guidelines, since it fixes a small JSON error&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Add note about IE 11 on Windows Server 2008 R2&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Server Side TLS 5.0&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1218474</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1218474"/>
		<updated>2019-09-30T18:07:03Z</updated>

		<summary type="html">&lt;p&gt;Apking: Minor note about IE11 on Windows 2008R2&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; max-width: 60em; padding-left: .75rem;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].&lt;br /&gt;
&lt;br /&gt;
In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; max-width: 600px; text-align: center;&amp;quot;&amp;gt;&lt;br /&gt;
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]&amp;lt;br&amp;gt;&lt;br /&gt;
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Modern clients that support TLS 1.3, with no need for backwards compatibility&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Recommended configuration for a general-purpose server&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: 1.5rem 1rem;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Firefox&lt;br /&gt;
! Android&lt;br /&gt;
! Chrome&lt;br /&gt;
! Edge&lt;br /&gt;
! Internet Explorer&lt;br /&gt;
! Java&lt;br /&gt;
! OpenSSL&lt;br /&gt;
! Opera&lt;br /&gt;
! Safari&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color: green;&amp;quot; | &#039;&#039;&#039;Modern&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12.1&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:orange;&amp;quot; | &#039;&#039;&#039;Intermediate&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11 (Win7)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8u31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:gray;&amp;quot; | &#039;&#039;&#039;Old&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8 (WinXP)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 0.9.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;The ordering of cipher suites in the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration is very important, as it determines the priority with which algorithms are selected.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;OpenSSL will ignore cipher suites it doesn&#039;t understand, so always use the full set of cipher suites below, in their recommended order. The use of the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;br style=&amp;quot;clear: right;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services with clients that support TLS 1.3 and don&#039;t need backward compatibility, the &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt; configuration provides an extremely high level of security.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): (none)&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** We recommend ECDSA certificates using P-256, as P-384 provides negligable improvements to security and Ed25519 is not yet widely supported&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (recommended) ==&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;For services that don&#039;t need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039; (recommended), or &#039;&#039;&#039;RSA (2048 bits)&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039; (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others&lt;br /&gt;
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers&lt;br /&gt;
** Administrators needing to provide access to [https://www.ssllabs.com/ssltest/viewClient.html?name=IE&amp;amp;version=11&amp;amp;platform=Win%207&amp;amp;key=36 IE 11 on Windows Server 2008 R2] and who are unable to switch to or add ECDSA certificates can add &amp;lt;tt&amp;gt;TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&amp;lt;/tt&amp;gt;&lt;br /&gt;
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)&lt;br /&gt;
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This configuration is compatible with a number of very old clients, and should be used only as a last resort.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.0 - 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA (2048-bits)&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039; (generated with &amp;lt;tt&amp;gt;openssl dhparam 1024&amp;lt;/tt&amp;gt;)&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;server chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only&lt;br /&gt;
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic&lt;br /&gt;
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use&lt;br /&gt;
** This configuration requires custom builds to work with modern versions of OpenSSL, using &amp;lt;tt&amp;gt;enable-ssl3&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-ssl3-method&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-deprecated&amp;lt;/tt&amp;gt;, and &amp;lt;tt&amp;gt;enable-weak-ssl-ciphers&amp;lt;/tt&amp;gt;&lt;br /&gt;
** Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;Mozilla also maintains [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;We also maintain a [https://statics.tls.security.mozilla.org/server-side-tls-conf.json rolling version] of these recommendations, with the caveat that they may change &#039;&#039;&#039;without warning&#039;&#039;&#039; and &#039;&#039;&#039;without providing backwards compatibility&#039;&#039;&#039;. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json version-specific file] instead.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Add note about IE 11 on Windows Server 2008 R2&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Server Side TLS 5.0&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Atoll_test_20180813&amp;diff=1216443</id>
		<title>Atoll test 20180813</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Atoll_test_20180813&amp;diff=1216443"/>
		<updated>2019-08-13T19:33:14Z</updated>

		<summary type="html">&lt;p&gt;Apking: Test to verify stuff&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Temporary testing content to verify operational changes to Wikimo.&lt;br /&gt;
&lt;br /&gt;
Hey there! &amp;lt;3&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1215427</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1215427"/>
		<updated>2019-07-22T17:18:48Z</updated>

		<summary type="html">&lt;p&gt;Apking: Remove &amp;quot;Intermediate&amp;quot; from ordering notice&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; max-width: 60em; padding-left: .75rem;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].&lt;br /&gt;
&lt;br /&gt;
In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; max-width: 600px; text-align: center;&amp;quot;&amp;gt;&lt;br /&gt;
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]&amp;lt;br&amp;gt;&lt;br /&gt;
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Modern clients that support TLS 1.3, with no need for backwards compatibility&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Recommended configuration for a general-purpose server&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: 1.5rem 1rem;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Firefox&lt;br /&gt;
! Android&lt;br /&gt;
! Chrome&lt;br /&gt;
! Edge&lt;br /&gt;
! Internet Explorer&lt;br /&gt;
! Java&lt;br /&gt;
! OpenSSL&lt;br /&gt;
! Opera&lt;br /&gt;
! Safari&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color: green;&amp;quot; | &#039;&#039;&#039;Modern&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12.1&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:orange;&amp;quot; | &#039;&#039;&#039;Intermediate&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11 (Win7)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8u31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:gray;&amp;quot; | &#039;&#039;&#039;Old&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8 (WinXP)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 0.9.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;The ordering of cipher suites in the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration is very important, as it determines the priority with which algorithms are selected.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;OpenSSL will ignore cipher suites it doesn&#039;t understand, so always use the full set of cipher suites below, in their recommended order. The use of the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;br style=&amp;quot;clear: right;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services with clients that support TLS 1.3 and don&#039;t need backward compatibility, the &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt; configuration provides an extremely high level of security.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): (none)&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** We recommend ECDSA certificates using P-256, as P-384 provides negligable improvements to security and Ed25519 is not yet widely supported&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (recommended) ==&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;For services that don&#039;t need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039; (recommended), or &#039;&#039;&#039;RSA (2048 bits)&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039; (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others&lt;br /&gt;
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers&lt;br /&gt;
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)&lt;br /&gt;
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This configuration is compatible with a number of very old clients, and should be used only as a last resort.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.0 - 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA (2048-bits)&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039; (generated with &amp;lt;tt&amp;gt;openssl dhparam 1024&amp;lt;/tt&amp;gt;)&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;server chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only&lt;br /&gt;
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic&lt;br /&gt;
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use&lt;br /&gt;
** This configuration requires custom builds to work with modern versions of OpenSSL, using &amp;lt;tt&amp;gt;enable-ssl3&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-ssl3-method&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-deprecated&amp;lt;/tt&amp;gt;, and &amp;lt;tt&amp;gt;enable-weak-ssl-ciphers&amp;lt;/tt&amp;gt;&lt;br /&gt;
** Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;Mozilla also maintains [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;We also maintain a [https://statics.tls.security.mozilla.org/server-side-tls-conf.json rolling version] of these recommendations, with the caveat that they may change &#039;&#039;&#039;without warning&#039;&#039;&#039; and &#039;&#039;&#039;without providing backwards compatibility&#039;&#039;&#039;. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json version-specific file] instead.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Server Side TLS 5.0&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/TLS_Configurations&amp;diff=1214438</id>
		<title>Security/TLS Configurations</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/TLS_Configurations&amp;diff=1214438"/>
		<updated>2019-07-01T19:24:54Z</updated>

		<summary type="html">&lt;p&gt;Apking: This page is old and has bad data.  :)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;#REDIRECT [[Security/Server Side TLS]]&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1214405</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1214405"/>
		<updated>2019-07-01T15:41:31Z</updated>

		<summary type="html">&lt;p&gt;Apking: Rollback to using statics, now that the file has been deployed.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; max-width: 60em; padding-left: .75rem;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].&lt;br /&gt;
&lt;br /&gt;
In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; max-width: 600px; text-align: center;&amp;quot;&amp;gt;&lt;br /&gt;
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]&amp;lt;br&amp;gt;&lt;br /&gt;
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Modern clients that support TLS 1.3, with no need for backwards compatibility&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Recommended configuration for a general-purpose server&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: 1.5rem 1rem;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Firefox&lt;br /&gt;
! Android&lt;br /&gt;
! Chrome&lt;br /&gt;
! Edge&lt;br /&gt;
! Internet Explorer&lt;br /&gt;
! Java&lt;br /&gt;
! OpenSSL&lt;br /&gt;
! Opera&lt;br /&gt;
! Safari&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color: green;&amp;quot; | &#039;&#039;&#039;Modern&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12.1&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:orange;&amp;quot; | &#039;&#039;&#039;Intermediate&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11 (Win7)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8u31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:gray;&amp;quot; | &#039;&#039;&#039;Old&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8 (WinXP)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 0.9.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;The ordering of cipher suites in the &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt; and &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configurations is very important, as it determines the priority with which algorithms are selected.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;OpenSSL will ignore cipher suites it doesn&#039;t understand, so always use the full set of cipher suites below, in their recommended order. The use of the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;br style=&amp;quot;clear: right;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services with clients that support TLS 1.3 and don&#039;t need backward compatibility, the &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt; configuration provides an extremely high level of security.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): (none)&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** We recommend ECDSA certificates using P-256, as P-384 provides negligable improvements to security and Ed25519 is not yet widely supported&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (recommended) ==&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;For services that don&#039;t need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039; (recommended), or &#039;&#039;&#039;RSA (2048 bits)&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039; (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others&lt;br /&gt;
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers&lt;br /&gt;
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)&lt;br /&gt;
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This configuration is compatible with a number of very old clients, and should be used only as a last resort.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.0 - 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA (2048-bits)&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039; (generated with &amp;lt;tt&amp;gt;openssl dhparam 1024&amp;lt;/tt&amp;gt;)&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;server chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only&lt;br /&gt;
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic&lt;br /&gt;
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use&lt;br /&gt;
** This configuration requires custom builds to work with modern versions of OpenSSL, using &amp;lt;tt&amp;gt;enable-ssl3&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-ssl3-method&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-deprecated&amp;lt;/tt&amp;gt;, and &amp;lt;tt&amp;gt;enable-weak-ssl-ciphers&amp;lt;/tt&amp;gt;&lt;br /&gt;
** Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;Mozilla also maintains [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;We also maintain a [https://statics.tls.security.mozilla.org/server-side-tls-conf.json rolling version] of these recommendations, with the caveat that they may change &#039;&#039;&#039;without warning&#039;&#039;&#039; and &#039;&#039;&#039;without providing backwards compatibility&#039;&#039;&#039;. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json version-specific file] instead.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Server Side TLS 5.0&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1214404</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1214404"/>
		<updated>2019-07-01T15:30:24Z</updated>

		<summary type="html">&lt;p&gt;Apking: Temporarily point the statics links to GitHub&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; max-width: 60em; padding-left: .75rem;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].&lt;br /&gt;
&lt;br /&gt;
In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; max-width: 600px; text-align: center;&amp;quot;&amp;gt;&lt;br /&gt;
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]&amp;lt;br&amp;gt;&lt;br /&gt;
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Modern clients that support TLS 1.3, with no need for backwards compatibility&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Recommended configuration for a general-purpose server&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: 1.5rem 1rem;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Firefox&lt;br /&gt;
! Android&lt;br /&gt;
! Chrome&lt;br /&gt;
! Edge&lt;br /&gt;
! Internet Explorer&lt;br /&gt;
! Java&lt;br /&gt;
! OpenSSL&lt;br /&gt;
! Opera&lt;br /&gt;
! Safari&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color: green;&amp;quot; | &#039;&#039;&#039;Modern&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12.1&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:orange;&amp;quot; | &#039;&#039;&#039;Intermediate&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11 (Win7)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8u31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:gray;&amp;quot; | &#039;&#039;&#039;Old&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8 (WinXP)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 0.9.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;The ordering of cipher suites in the &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt; and &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configurations is very important, as it determines the priority with which algorithms are selected.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;OpenSSL will ignore cipher suites it doesn&#039;t understand, so always use the full set of cipher suites below, in their recommended order. The use of the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;br style=&amp;quot;clear: right;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services with clients that support TLS 1.3 and don&#039;t need backward compatibility, the &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt; configuration provides an extremely high level of security.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): (none)&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** We recommend ECDSA certificates using P-256, as P-384 provides negligable improvements to security and Ed25519 is not yet widely supported&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (recommended) ==&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;For services that don&#039;t need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039; (recommended), or &#039;&#039;&#039;RSA (2048 bits)&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039; (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others&lt;br /&gt;
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers&lt;br /&gt;
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)&lt;br /&gt;
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This configuration is compatible with a number of very old clients, and should be used only as a last resort.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.0 - 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA (2048-bits)&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039; (generated with &amp;lt;tt&amp;gt;openssl dhparam 1024&amp;lt;/tt&amp;gt;)&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;server chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only&lt;br /&gt;
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic&lt;br /&gt;
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use&lt;br /&gt;
** This configuration requires custom builds to work with modern versions of OpenSSL, using &amp;lt;tt&amp;gt;enable-ssl3&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-ssl3-method&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-deprecated&amp;lt;/tt&amp;gt;, and &amp;lt;tt&amp;gt;enable-weak-ssl-ciphers&amp;lt;/tt&amp;gt;&lt;br /&gt;
** Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;Mozilla also maintains [https://raw.githubusercontent.com/mozilla/server-side-tls/gh-pages/json/server-side-tls-conf-5.0.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;We also maintain a [https://raw.githubusercontent.com/mozilla/server-side-tls/gh-pages/json/server-side-tls-conf.json rolling version] of these recommendations, with the caveat that they may change &#039;&#039;&#039;without warning&#039;&#039;&#039; and &#039;&#039;&#039;without providing backwards compatibility&#039;&#039;&#039;. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json version-specific file] instead.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Server Side TLS 5.0&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1214313</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1214313"/>
		<updated>2019-06-28T15:57:19Z</updated>

		<summary type="html">&lt;p&gt;Apking: Server Side TLS 5.0  :D&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; max-width: 60em; padding-left: .75rem;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a [https://ssl-config.mozilla.org configuration generator] to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls server-side-tls] repository on GitHub. Issues related to the [https://ssl-config.mozilla.org configuration generator] are maintained in their own [https://github.com/mozilla/ssl-config-generator GitHub repository].&lt;br /&gt;
&lt;br /&gt;
In the interests of usability and maintainability, these guidelines have been considerably simplified from the [[Security/Archive/Server Side TLS 4.0|previous guidelines]].&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; max-width: 600px; text-align: center;&amp;quot;&amp;gt;&lt;br /&gt;
[[Image:Ssl-config.mozilla.org.png|600px|link=https://ssl-config.mozilla.org/|Mozilla SSL Configuration Generator]]&amp;lt;br&amp;gt;&lt;br /&gt;
The [https://ssl-config.mozilla.org/ Mozilla SSL Configuration Generator]&lt;br /&gt;
&amp;lt;/span&amp;gt;&lt;br /&gt;
Mozilla maintains three recommended configurations for servers using TLS. Pick the correct configuration depending on your audience:&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Modern clients that support TLS 1.3, with no need for backwards compatibility&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Recommended configuration for a general-purpose server&lt;br /&gt;
* &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;&#039;&#039;&#039;:&#039;&#039;&#039; Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;margin: 1.5rem 1rem;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Firefox&lt;br /&gt;
! Android&lt;br /&gt;
! Chrome&lt;br /&gt;
! Edge&lt;br /&gt;
! Internet Explorer&lt;br /&gt;
! Java&lt;br /&gt;
! OpenSSL&lt;br /&gt;
! Opera&lt;br /&gt;
! Safari&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color: green;&amp;quot; | &#039;&#039;&#039;Modern&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12.1&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:orange;&amp;quot; | &#039;&#039;&#039;Intermediate&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11 (Win7)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8u31&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;color:gray;&amp;quot; | &#039;&#039;&#039;Old&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8 (WinXP)&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 0.9.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;The ordering of cipher suites in the &amp;lt;span style=&amp;quot;color: orange; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt; and &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configurations is very important, as it determines the priority with which algorithms are selected.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;OpenSSL will ignore cipher suites it doesn&#039;t understand, so always use the full set of cipher suites below, in their recommended order. The use of the &amp;lt;span style=&amp;quot;color: gray; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt; configuration with modern versions of OpenSSL may require custom builds with support for deprecated ciphers.&amp;lt;/p&amp;gt;&lt;br /&gt;
&amp;lt;br style=&amp;quot;clear: right;&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services with clients that support TLS 1.3 and don&#039;t need backward compatibility, the &amp;lt;span style=&amp;quot;color: green; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt; configuration provides an extremely high level of security.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): (none)&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384        TLSv1.3  Kx=any  Au=any  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256  TLSv1.3  Kx=any  Au=any  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** We recommend ECDSA certificates using P-256, as P-384 provides negligable improvements to security and Ed25519 is not yet widely supported&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (recommended) ==&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;For services that don&#039;t need compatibility with legacy clients, such as Windows XP or old versions of OpenSSL. This is the recommended configuration for the vast majority of services, as it is highly secure and compatible with nearly every client released in the last five (or more) years.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA (P-256)&#039;&#039;&#039; (recommended), or &#039;&#039;&#039;RSA (2048 bits)&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039; (ffdhe2048, [https://tools.ietf.org/html/rfc7919#appendix-A.1 RFC 7919])&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;client chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** All cipher suites are [https://en.wikipedia.org/wiki/Forward_secrecy forward secret] and [https://en.wikipedia.org/wiki/Authenticated_encryption authenticated]&lt;br /&gt;
** TLS 1.2 is the minimum supported protocol, as recommended by [https://tools.ietf.org/html/rfc7525#section-3.1.1 RFC 7525], PCI DSS, and others&lt;br /&gt;
** ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11&lt;br /&gt;
** The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES&lt;br /&gt;
** Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers&lt;br /&gt;
** While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)&lt;br /&gt;
** 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This configuration is compatible with a number of very old clients, and should be used only as a last resort.&lt;br /&gt;
&lt;br /&gt;
* Cipher suites (TLS 1.3): &#039;&#039;&#039;TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256&#039;&#039;&#039;&lt;br /&gt;
* Cipher suites (TLS 1.0 - 1.2): &#039;&#039;&#039;ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA&#039;&#039;&#039;&lt;br /&gt;
* Protocols: &#039;&#039;&#039;TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;X25519, prime256v1, secp384r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA (2048-bits)&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* DH parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039; (generated with &amp;lt;tt&amp;gt;openssl dhparam 1024&amp;lt;/tt&amp;gt;)&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=63072000&#039;&#039;&#039; (two years)&lt;br /&gt;
* Maximum certificate lifespan: &#039;&#039;&#039;90 days&#039;&#039;&#039; (recommended) to &#039;&#039;&#039;2 years&#039;&#039;&#039;&lt;br /&gt;
* Cipher preference: &#039;&#039;&#039;server chooses&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0x13,0x01  -  TLS_AES_128_GCM_SHA256         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x13,0x02  -  TLS_AES_256_GCM_SHA384         TLSv1.3  Kx=any   Au=any    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x13,0x03  -  TLS_CHACHA20_POLY1305_SHA256   TLSv1.3  Kx=any   Au=any    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0xCC,0xAA  -  DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)             Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)             Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)                Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)                Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)               Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
* Rationale:&lt;br /&gt;
** Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only&lt;br /&gt;
** If possible, use this configuration only for endpoints that require it, segregating it from other traffic&lt;br /&gt;
** SSLv3 has been disabled entirely, ending support for older Windows XP SP2 clients. Users requiring support for Windows XP SP2 may use [[Security/Archive/Server Side TLS 4.0|previous versions]] of this configuration, with the caveat that SSLv3 is no longer safe to use&lt;br /&gt;
** This configuration requires custom builds to work with modern versions of OpenSSL, using &amp;lt;tt&amp;gt;enable-ssl3&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-ssl3-method&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;enable-deprecated&amp;lt;/tt&amp;gt;, and &amp;lt;tt&amp;gt;enable-weak-ssl-ciphers&amp;lt;/tt&amp;gt;&lt;br /&gt;
** Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;Mozilla also maintains [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json these recommendations] in JSON format, for automated system configuration. This location is versioned and permanent, and can be referenced in scripts and tools. The file will not change, to avoid breaking tools when we update the recommendations.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;max-width: 60em;&amp;quot;&amp;gt;We also maintain a [https://statics.tls.security.mozilla.org/server-side-tls-conf.json rolling version] of these recommendations, with the caveat that they may change &#039;&#039;&#039;without warning&#039;&#039;&#039; and &#039;&#039;&#039;without providing backwards compatibility&#039;&#039;&#039;. As it may break things if you use it to automatically configure your servers without review, we recommend you use the [https://statics.tls.security.mozilla.org/server-side-tls-conf-5.0.json version-specific file] instead.&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Server Side TLS 5.0&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=File:Ssl-config.mozilla.org.png&amp;diff=1214185</id>
		<title>File:Ssl-config.mozilla.org.png</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=File:Ssl-config.mozilla.org.png&amp;diff=1214185"/>
		<updated>2019-06-25T19:36:57Z</updated>

		<summary type="html">&lt;p&gt;Apking: Updated version of the SSL Configuration Generator.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Updated version of the SSL Configuration Generator.&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Archive/Server_Side_TLS_4.0&amp;diff=1214184</id>
		<title>Security/Archive/Server Side TLS 4.0</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Archive/Server_Side_TLS_4.0&amp;diff=1214184"/>
		<updated>2019-06-25T19:32:06Z</updated>

		<summary type="html">&lt;p&gt;Apking: Bolded top line&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; padding-left: 1em;&amp;quot;&amp;gt;&#039;&#039;&#039;Please note that this document is deprecated, and administrators should use the [[Security/Server Side TLS|maintained version of these guidelines]]&#039;&#039;&#039;.&lt;br /&gt;
&lt;br /&gt;
The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcasted to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls source repository on github].&lt;br /&gt;
&lt;br /&gt;
If you are looking for the configuration generator, click the image below:&amp;lt;br /&amp;gt;&lt;br /&gt;
[[Image:Server-side-tls-config-generator.png|500px|center|link=https://mozilla.github.io/server-side-tls/ssl-config-generator/]]&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
Three configurations are recommended. Pick the right configuration depending on your audience. If you do not need backward compatibility, and are building a service for modern clients only (post Firefox 27/Chrome 22), then use the Modern configuration. Otherwise, prefer the Intermediate configuration. Use the Old backward compatible configuration only if your service will be accessed by very old clients, such as Windows XP IE6, or ancient libraries &amp;amp; bots.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration !! Oldest compatible client&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Windows XP IE6, Java 6&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Older versions of OpenSSL may not return the full list of algorithms. AES-GCM and some ECDHE are fairly recent, and not present on most versions of OpenSSL shipped with Ubuntu or RHEL. This listing below was obtained from a freshly built OpenSSL. If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite and let OpenSSL pick the ones it supports.&lt;br /&gt;
&lt;br /&gt;
The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. Each level shows the list of algorithms returned by its ciphersuite. If you have to pick ciphers manually for your application, make sure you keep the ordering.&lt;br /&gt;
&lt;br /&gt;
The ciphersuite numbers listed come from the IANA [https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 TLS Cipher Suite Registry]. Previous versions of these recommendations included draft numbers for ECDHE-ECDSA-CHACHA20-POLY1305 (0xCC,0x14) and ECDHE-RSA-CHACHA20-POLY1305 (0xCC,0x13).&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services that don&#039;t need backward compatibility, the parameters below provide a higher level of security. This configuration is compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039; (if not ecdsa)&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;None&#039;&#039;&#039; (disabled entirely)&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* AES256-GCM is prioritized above its 128 bits variant, and ChaCha20 because we assume that most modern devices support AESNI instructions and thus benefit from fast and constant time AES. &lt;br /&gt;
* We recommend ECDSA certificates with P256 as other curves may not be supported everywhere. RSA signatures on ECDSA certificates are permitted because very few CAs sign with ECDSA at the moment.&lt;br /&gt;
* DHE is removed entirely because it is slow in comparison with ECDHE, and all modern clients support elliptic curve key exchanges.&lt;br /&gt;
* SHA1 signature algorithm is removed in favor of SHA384 for AES256 and SHA256 for AES128.&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (default) ==&lt;br /&gt;
For services that don&#039;t need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2, TLSv1.1, TLSv1&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x33  -  DHE-RSA-AES128-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x39  -  DHE-RSA-AES256-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA       SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA         SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA           SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* ChaCha20 is prefered as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There has been discussions ([http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html 1], [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12398.html 2]) on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.&lt;br /&gt;
* DES-CBC3-SHA and EDH-RSA-DES-CBC3-SHA are maintained for backward compatibility with clients that do not support AES.&lt;br /&gt;
* While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as SEED, CAMELLIA, ...).&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2, TLSv1.1, TLSv1, SSLv3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039;&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;sha1WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305     TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0xA2  -  DHE-DSS-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0xA3  -  DHE-DSS-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x33  -  DHE-RSA-AES128-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x40  -  DHE-DSS-AES128-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x38  -  DHE-DSS-AES256-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x39  -  DHE-RSA-AES256-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA          SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA        SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA            SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x6A  -  DHE-DSS-AES256-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x32  -  DHE-DSS-AES128-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                    SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9A  -  DHE-RSA-SEED-SHA                SSLv3    Kx=DH    Au=RSA    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
0x00,0x99  -  DHE-DSS-SEED-SHA                SSLv3    Kx=DH    Au=DSS    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
0xCC,0x15  -  DHE-RSA-CHACHA20-POLY1305       TLSv1.2  Kx=DH    Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x77  -  ECDHE-RSA-CAMELLIA256-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(256)  Mac=SHA384&lt;br /&gt;
0xC0,0x73  -  ECDHE-ECDSA-CAMELLIA256-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(256)  Mac=SHA384&lt;br /&gt;
0x00,0xC4  -  DHE-RSA-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0xC3  -  DHE-DSS-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0x88  -  DHE-RSA-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0x00,0x87  -  DHE-DSS-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0x00,0xC0  -  CAMELLIA256-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0x84  -  CAMELLIA256-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0xC0,0x76  -  ECDHE-RSA-CAMELLIA128-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0xC0,0x72  -  ECDHE-ECDSA-CAMELLIA128-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0xBE  -  DHE-RSA-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0xBD  -  DHE-DSS-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0x45  -  DHE-RSA-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0x44  -  DHE-DSS-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0xBA  -  CAMELLIA128-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0x41  -  CAMELLIA128-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0x96  -  SEED-SHA                        SSLv3    Kx=RSA   Au=RSA    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* You should take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only, and most servers should use the intermediate configuration instead.&lt;br /&gt;
* SSLv3 is enabled to support WinXP SP2 clients on IE.&lt;br /&gt;
* SHA1 certificates are authorized but only via certificate switching, meaning the server must implement custom logic to provide a SHA1 certs to old clients, and SHA256 certs to all others. More information in the &amp;quot;Certificates Switching&amp;quot; section later in this document.&lt;br /&gt;
* Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
You can find the recommendations above in JSON format at the address [https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json].&lt;br /&gt;
&lt;br /&gt;
This location is permanent and can be referenced in scripts and tools. The file is versioned and will not change, to avoid breaking tools when we update the recommendations.&lt;br /&gt;
&lt;br /&gt;
If you wish to point to the latest version of the recommendations, use this address: [[https://statics.tls.security.mozilla.org/server-side-tls-conf.json https://statics.tls.security.mozilla.org/server-side-tls-conf.json].&lt;br /&gt;
Be advised the above will always point to the latest version and &#039;&#039;&#039;will not provide backward compatibility&#039;&#039;&#039;.&lt;br /&gt;
If you use it to automatically configure your servers without review, it may break things. Prefer the version-specific files instead.&lt;br /&gt;
&lt;br /&gt;
== Previous versions ==&lt;br /&gt;
&lt;br /&gt;
* None&lt;br /&gt;
&lt;br /&gt;
= Mandatory discards =&lt;br /&gt;
&lt;br /&gt;
* aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks&lt;br /&gt;
* eNULL contains null-encryption ciphers (cleartext)&lt;br /&gt;
* EXPORT are legacy weak ciphers that were marked as exportable by US law&lt;br /&gt;
* RC4 contains ciphers that use the deprecated ARCFOUR algorithm&lt;br /&gt;
* DES contains ciphers that use the deprecated Data Encryption Standard&lt;br /&gt;
* SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated&lt;br /&gt;
* MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm&lt;br /&gt;
&lt;br /&gt;
= Forward Secrecy =&lt;br /&gt;
&lt;br /&gt;
The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private from the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called Ephemeral.&lt;br /&gt;
&lt;br /&gt;
With Forward Secrecy, if an attacker gets a hold of the server&#039;s private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.&lt;br /&gt;
&lt;br /&gt;
== DHE handshake and dhparam ==&lt;br /&gt;
&lt;br /&gt;
When an ephemeral Diffie-Hellman cipher is used, the server and the client negotiate a pre-master key using the Diffie-Hellman algorithm. This algorithm requires that the server sends the client a prime number and a generator. Neither are confidential, and are sent in clear text. However, they must be signed, such that a MITM cannot hijack the handshake.&lt;br /&gt;
&lt;br /&gt;
As an example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 works as follow:&lt;br /&gt;
[[File:Dhe_params.png|frame|server key exchange message as displayed in Wireshark]]&lt;br /&gt;
[[File:Dhe_client_params.png|frame|client key exchange message as displayed in Wireshark]]&lt;br /&gt;
# Server sends Client a [http://tools.ietf.org/html/rfc5246#section-7.4.3 SERVER KEY EXCHANGE] message during the SSL Handshake. The message contains:&lt;br /&gt;
## Prime number &#039;&#039;p&#039;&#039;&lt;br /&gt;
## Generator &#039;&#039;g&#039;&#039;&lt;br /&gt;
## Server&#039;s Diffie-Hellman public value &#039;&#039;A = g^X mod p&#039;&#039;, where &#039;&#039;X&#039;&#039; is a private integer chosen by the server at random, and never shared with the client. (note: A is called &#039;&#039;pubkey&#039;&#039; in wireshark)&lt;br /&gt;
## signature &#039;&#039;S&#039;&#039; of the above (plus two random values) computed using the Server&#039;s private RSA key&lt;br /&gt;
# Client verifies the signature &#039;&#039;S&#039;&#039;&lt;br /&gt;
# Client sends server a [http://tools.ietf.org/html/rfc5246#section-7.4.7 CLIENT KEY EXCHANGE] message. The message contains:&lt;br /&gt;
## Client&#039;s Diffie-Hellman public value &#039;&#039;B = g^Y mod p&#039;&#039;, where &#039;&#039;Y&#039;&#039; is a private integer chosen at random and never shared. (note: B is called &#039;&#039;pubkey&#039;&#039; in wireshark)&lt;br /&gt;
# The Server and the Client can now calculate the pre-master secret using each other&#039;s public values:&lt;br /&gt;
## server calculates &#039;&#039;PMS = B^X mod p&#039;&#039;&lt;br /&gt;
## client calculates &#039;&#039;PMS = A^Y mod p&#039;&#039;&lt;br /&gt;
# Client sends a [http://tools.ietf.org/html/rfc5246#section-7.1 CHANGE CIPHER SPEC] message to the server, and both parties continue the handshake using ENCRYPTED HANDSHAKE MESSAGES&lt;br /&gt;
&lt;br /&gt;
The size of the prime number &#039;&#039;p&#039;&#039; constrains the size of the pre-master key &#039;&#039;PMS&#039;&#039;, because of the modulo operation. A smaller prime almost means weaker values of &#039;&#039;A&#039;&#039; and &#039;&#039;B&#039;&#039;, which could leak the secret values &#039;&#039;X&#039;&#039; and &#039;&#039;Y&#039;&#039;. Thus, the prime &#039;&#039;p&#039;&#039; should not be smaller than the size of the RSA private key.&lt;br /&gt;
&lt;br /&gt;
== Pre-defined DHE groups ==&lt;br /&gt;
&lt;br /&gt;
Instead of using pre-configured DH groups, or generating their own with &amp;quot;openssl dhparam&amp;quot;, operators should use the pre-defined DH groups ffdhe2048, ffdhe3072 or ffdhe4096 recommended by the IETF in [RFC 7919 https://tools.ietf.org/html/rfc7919].  These groups are audited and may be more resistant to attacks than ones randomly generated.&lt;br /&gt;
&lt;br /&gt;
Note: if you must support old Java clients, Dh groups larger than 1024 bits may block connectivity (see [[#DHE_and_Java]]).&lt;br /&gt;
&lt;br /&gt;
=== ffdhe2048 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== ffdhe3072 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3&lt;br /&gt;
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32&lt;br /&gt;
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu&lt;br /&gt;
N///////////AgEC&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== ffdhe4096 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3&lt;br /&gt;
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32&lt;br /&gt;
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e&lt;br /&gt;
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx&lt;br /&gt;
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K&lt;br /&gt;
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== DHE and ECDHE support ==&lt;br /&gt;
Most modern clients that support both ECDHE and DHE typically prefer the former, because ECDHE provides faster handshakes than DHE ([http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html], [http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html]).&lt;br /&gt;
&lt;br /&gt;
Unfortunately, some widely used clients lack support for ECDHE and must then rely on DHE to provide perfect forward secrecy:&lt;br /&gt;
* Android &amp;lt; 3.0.0&lt;br /&gt;
* Java &amp;lt; 7&lt;br /&gt;
* OpenSSL &amp;lt; 1.0.0&lt;br /&gt;
&lt;br /&gt;
Note that schannel on Windows XP technically support DHE, but only with DSA keys, making it unusable on the internet in practice.&lt;br /&gt;
&lt;br /&gt;
== DHE and Java ==&lt;br /&gt;
Java 6 and 7 do not support Diffie-Hellman parameters larger than 1024 bits. If your server expects to receive connections from java 6 clients and wants to enable PFS, it must provide a DHE parameter of 1024 bits.&lt;br /&gt;
&lt;br /&gt;
If keeping the compatibility with Java &amp;lt; 7 is a necessity, thus preventing the use of large DH keys, three solutions are available:&lt;br /&gt;
* using custom 1024-bit DH parameters, different from Oakley group 2, preferably generated with &#039;&#039;&#039;openssl dhparam 1024&#039;&#039;&#039; ;&lt;br /&gt;
* if the software used does not support custom DH parameters, like Apache HTTPd &amp;lt; 2.2.30, it is possible to keep using the 1024-bit DH Oakley group 2, knowing these clients may be at risk of a compromise;&lt;br /&gt;
* it is also possible to completely disable DHE. This means that clients not supporting ECDHE will be reverting to static RSA, giving up Forward Secrecy.&lt;br /&gt;
&lt;br /&gt;
The case of Java 7 is a bit different. Java 7 supports ECDHE ciphers, so if the server provides ECDHE and prioritizes it before DHE ciphers using server side ordering, then Java 7 will use ECDHE and not care about the size of the DHE parameter. In this situation, the server can use 2048 bits DHE parameters for all other clients.&lt;br /&gt;
&lt;br /&gt;
However, if the server does not support ECDHE, then Java 7 will use DHE and fail if the parameter is larger than 1024 bits. When failing, the handshake will not attempt to fall back to the next cipher in line, but simply fail with the error &amp;quot;java.lang.RuntimeException: Could not generate DH keypair&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Java supported !! ECDHE prioritized !! smallest DH parameter size&lt;br /&gt;
|-&lt;br /&gt;
|  6 || irrelevant || 1024&lt;br /&gt;
|-&lt;br /&gt;
|  7 || NO || 1024&lt;br /&gt;
|-&lt;br /&gt;
|  7 || YES || 2048&lt;br /&gt;
|-&lt;br /&gt;
|  8 || irrelevant || 2048&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OCSP Stapling =&lt;br /&gt;
When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record. The problem with CRL is that the lists have grown huge and takes forever to download.&lt;br /&gt;
&lt;br /&gt;
OCSP is much more lightweight, as only one record is retrieved at a time. But the side effect is that OCSP requests must be made to a 3rd party OCSP responder when connecting to a server, which adds latency and potential failures. In fact, the OCSP responders operated by CAs are often so unreliable that browser will fail silently if no response is received in a timely manner. This reduces security, by allowing an attacker to DoS an OCSP responder to disable the validation.&lt;br /&gt;
&lt;br /&gt;
The solution is to allow the server to send its cached OCSP record during the TLS handshake, therefore bypassing the OCSP responder. This mechanism saves a roundtrip between the client and the OCSP responder, and is called OCSP Stapling.&lt;br /&gt;
&lt;br /&gt;
The server will send a cached OCSP response only if the client requests it, by announcing support for the &#039;&#039;&#039;status_request&#039;&#039;&#039; TLS extension in its CLIENT HELLO.&lt;br /&gt;
&lt;br /&gt;
[[File:OCSP_Stapling.png]]&lt;br /&gt;
&lt;br /&gt;
Most servers will cache OCSP response for up to 48 hours. At regular intervals, the server will connect to the OCSP responder of the CA to retrieve a fresh OCSP record. The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate. For example, with StartSSL:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Authority Information Access:&lt;br /&gt;
      OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Support for OCSP Stapling can be tested using the &#039;&#039;&#039;-status&#039;&#039;&#039; option of the OpenSSL client.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
$ openssl s_client -connect monitor.mozillalabs.com:443 -status&lt;br /&gt;
...&lt;br /&gt;
======================================&lt;br /&gt;
OCSP Response Data:&lt;br /&gt;
    OCSP Response Status: successful (0x0)&lt;br /&gt;
    Response Type: Basic OCSP Response&lt;br /&gt;
    Version: 1 (0x0)&lt;br /&gt;
...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Session Resumption =&lt;br /&gt;
&lt;br /&gt;
Session Resumption is the ability to reuse the session secrets previously negotiated between a client and a server for a new TLS connection. This feature greatly increases the speed establishment of TLS connections after the first handshake, and is very useful for connections that use Perfect Forward Secrecy with a slow handshake like DHE.&lt;br /&gt;
&lt;br /&gt;
Session Resumption can be performed using one of two methods:&lt;br /&gt;
&lt;br /&gt;
# session identifier: When establishing a first session, the server generates an arbitrary session ID sent to the client. On subsequent connections, the client sends the session ID in the CLIENT HELLO message, indicating to the server it wants to reuse an existing state. If the server can find a corresponding state in its local cache, it reuse the session secrets and skips directly to exchanging encrypted data with the client. If the cache stored on the server is compromised, session keys from the cache can be used to decrypt past and future sessions.&lt;br /&gt;
# session tickets: Storing a cache on the server might be problematic for systems that handle very large numbers of clients. Session tickets provide an alternative where the server sends the encrypted state (ticket) to the client instead of storing it in its local cache. The client can send back the encrypted state to the server in subsequent connections, thus allowing session resumption. This method requires symmetric keys on the server to encrypt and decrypt session tickets. If the keys are compromised, an attacker obtains access to session keys and can decrypt past and future sessions.&lt;br /&gt;
&lt;br /&gt;
Session resumption is a very useful performance feature of TLS, but also carries a significant amount of risk. Most servers do not purge sessions or ticket keys, thus increasing the risk that a server compromise would leak data from previous (and future) connections.&lt;br /&gt;
&lt;br /&gt;
The current recommendation for web servers is to enable session resumption and benefit from the performance improvement, but to restart servers daily when possible. This ensure that sessions get purged and ticket keys get renewed on a regular basis.&lt;br /&gt;
&lt;br /&gt;
= HSTS: HTTP Strict Transport Security =&lt;br /&gt;
&lt;br /&gt;
[https://tools.ietf.org/html/rfc6797 HSTS] is a HTTP header sent by a server to a client, indicating that the current site must only be accessed over HTTPS until expiration of the HSTS value is reached.&lt;br /&gt;
&lt;br /&gt;
The header format is very simple, composed only of a &#039;&#039;&#039;max-age&#039;&#039;&#039; parameter that indicates when the directive should expire. max-age is expressed in seconds. A typical value is 15768000 seconds, or 6 months.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security: max-age=15768000&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HSTS is becoming more and more of a standard, but should only be used when the site&#039;s operators are confident that HTTPS will be available continuously for the duration of max-age. Once the HSTS header is sent to client, HTTPS cannot be disabled on the site until the last client has expired its HSTS record.&lt;br /&gt;
&lt;br /&gt;
= HPKP: Public Key Pinning Extension for HTTP =&lt;br /&gt;
&lt;br /&gt;
See [http://tools.ietf.org/html/rfc7469 RFC7469].&lt;br /&gt;
&lt;br /&gt;
HPKP is an &#039;&#039;&#039;experimental&#039;&#039;&#039; HTTP header sent by a server to a client, to indicate that some certificates related to the site should be pinned in the client. The client would thus refuse to establish a connection to the server if the pining does not comply.&lt;br /&gt;
&lt;br /&gt;
Due to its experimental nature, HPKP is currently &#039;&#039;&#039;not&#039;&#039;&#039; recommended on production sites. More informations can be found on the [https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning MDN description page].&lt;br /&gt;
&lt;br /&gt;
= Certificates Switching =&lt;br /&gt;
&lt;br /&gt;
Certificates Switching is a technique by which a server provides a different X.509 certificate to a client based on specific selection criteria. This technique is used primarily to maintain backward compatibility with very old clients, such as Internet Explorer 6 on Windows XP SP2.&lt;br /&gt;
&lt;br /&gt;
On XPSP2, IE6 is only able to establish connections to servers that provide a certificate signed with sha1WithRSAEncryption. Those certificates are not issued by modern CAs anymore, and all sites have been encouraged to upgrade to SHA-256 certificates. As modern browsers gradually block connections backed by SHA-1 certificates, sites that need to maintain compatibility with XPSP2 must implement certificates switching to provide a SHA-1 cert to old clients and a SHA-256 cert to modern ones.&lt;br /&gt;
&lt;br /&gt;
Certificate switching can be implemented in various ways. A simplistic approach is to select the certificate based on the protocol version (SHA-256 to TLS clients, SHA-1 to SSLv3 ones). A more sophisticated approach consists at looking inside the CLIENT HELLO for SHA-256 support in the &amp;quot;signature_algorithms&amp;quot; extension.&lt;br /&gt;
&lt;br /&gt;
Few servers currently support cert switching. It is possible to implement it using [https://jve.linuxwall.info/blog/index.php?post/2015/10/04/SHA1/SHA256-certificate-switching-with-HAProxy HAProxy], and vendors like Cloudflare propose it in their offering.&lt;br /&gt;
&lt;br /&gt;
= Recommended Server Configurations =&lt;br /&gt;
&lt;br /&gt;
All configuration samples have been moved to the configuration generator and the [[Security/TLS_Configurations]] archive. Access the generator by clicking the image below:&lt;br /&gt;
&lt;br /&gt;
[[Image:Server-side-tls-config-generator.png|link=https://mozilla.github.io/server-side-tls/ssl-config-generator/]]&lt;br /&gt;
&lt;br /&gt;
= Tools =&lt;br /&gt;
== CipherScan ==&lt;br /&gt;
&lt;br /&gt;
See https://github.com/jvehent/cipherscan&lt;br /&gt;
&lt;br /&gt;
Cipherscan is a small Bash script that connects to a target and list the preferred Ciphers. It&#039;s an easy way to test a web server for available ciphers, PFS key size, elliptic curves, support for OCSP Stapling, TLS ticket lifetime and certificate trust.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
$ ./cipherscan jve.linuxwall.info&lt;br /&gt;
..........................&lt;br /&gt;
prio  ciphersuite                  protocols              pfs_keysize&lt;br /&gt;
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,4096bits&lt;br /&gt;
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,4096bits&lt;br /&gt;
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,4096bits&lt;br /&gt;
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,4096bits&lt;br /&gt;
12    AES128-GCM-SHA256            TLSv1.2&lt;br /&gt;
13    AES256-GCM-SHA384            TLSv1.2&lt;br /&gt;
14    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
15    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
17    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
18    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
19    AES256-SHA256                TLSv1.2&lt;br /&gt;
20    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
21    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
22    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
23    AES128-SHA256                TLSv1.2&lt;br /&gt;
24    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
25    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
&lt;br /&gt;
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature&lt;br /&gt;
TLS ticket lifetime hint: 300&lt;br /&gt;
OCSP stapling: supported&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== SSL Labs (Qualys) ==&lt;br /&gt;
&lt;br /&gt;
Available here: https://www.ssllabs.com/ssltest/&lt;br /&gt;
&lt;br /&gt;
Qualys SSL Labs provides a comprehensive SSL testing suite.&lt;br /&gt;
&lt;br /&gt;
GlobalSign has a modified interface of SSL Labs that is interesting as well: https://sslcheck.globalsign.com/&lt;br /&gt;
&lt;br /&gt;
= Attacks on SSL and TLS =&lt;br /&gt;
== BEAST (CVE-2011-3389) ==&lt;br /&gt;
&lt;br /&gt;
Beast is a vulnerability in the Initialization Vector (IV) of the CBC mode of AES, Camellia and a few other ciphers that use CBC mode. The attack allows a  MITM attacker to recover plaintext values by encrypting the same message multiple times.&lt;br /&gt;
&lt;br /&gt;
BEAST is mitigated in TLS1.1 and above.&lt;br /&gt;
&lt;br /&gt;
more: https://blog.torproject.org/blog/tor-and-beast-ssl-attack&lt;br /&gt;
&lt;br /&gt;
== LUCKY13 ==&lt;br /&gt;
&lt;br /&gt;
Lucky13 is another attack on CBC mode that listen for padding checks to decrypt ciphertext.&lt;br /&gt;
&lt;br /&gt;
more: https://www.imperialviolet.org/2013/02/04/luckythirteen.html&lt;br /&gt;
&lt;br /&gt;
== RC4 weaknesses ==&lt;br /&gt;
&lt;br /&gt;
As of February 2015, the IETF explicitely prohibits the use of RC4: [http://www.ietf.org/rfc/rfc7465.txt RFC 7465].&lt;br /&gt;
&lt;br /&gt;
It has been proven that RC4 biases in the first 256 bytes of a cipherstream can be used to recover encrypted text. If the same data is encrypted a very large number of times, then an attacker can apply statistical analysis to the results and recover the encrypted text. While hard to perform, this attack shows that it is time to remove RC4 from the list of trusted ciphers.&lt;br /&gt;
&lt;br /&gt;
In a public discussion ([https://bugzilla.mozilla.org/show_bug.cgi?id=927045 bug 927045]), it has been recommended to replace RC4 with 3DES. This would impact Internet Explorer 7 and 8 users that, depending on the OS, do not support AES, and will negotiate only RC4 or 3DES ciphers. Internet Explorer uses the cryptographic library “schannel”, which is OS dependent. schannel supports AES in Windows Vista, but not in Windows XP.&lt;br /&gt;
 &lt;br /&gt;
While 3DES provides more resistant cryptography, it is also 30 times slower and more cpu intensive than RC4. For large web infrastructure, the CPU cost of replacing RC4 with 3DES is non-zero. For this reason, we recommend that administrators evaluate their traffic patterns, and make the decision of replacing RC4 with 3DES on a per-case basis. At Mozilla, we evaluated that the impact on CPU usage is minor, and thus decided to replace RC4 with 3DES where backward compatibility is required.&lt;br /&gt;
&lt;br /&gt;
The root cause of the problem is information leakage that occurs when data is compressed prior to encryption. If someone can repeatedly inject and mix arbitrary content with some sensitive and relatively predictable data, and observe the resulting encrypted stream, then he will be able to extract the unknown data from it.&lt;br /&gt;
&lt;br /&gt;
more: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls&lt;br /&gt;
&lt;br /&gt;
== BREACH ==&lt;br /&gt;
&lt;br /&gt;
This is a more complex attack than CRIME, which does not require TLS-level compression (it still needs HTTP-level compression).&lt;br /&gt;
&lt;br /&gt;
In order to be successful, it requires to:&lt;br /&gt;
&lt;br /&gt;
# Be served from a server that uses HTTP-level compression&lt;br /&gt;
# Reflect user-input in HTTP response bodies&lt;br /&gt;
# Reflect a secret (such as a CSRF token) in HTTP response bodies&lt;br /&gt;
&lt;br /&gt;
more: http://breachattack.com/&lt;br /&gt;
&lt;br /&gt;
== POODLE ([http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 CVE-2014-3566]) ==&lt;br /&gt;
&lt;br /&gt;
POODLE is an attack on the padding used by SSLv3. It is a significant improvement of the BEAST attack which led the cryptography community to recommend disabling SSLv3 globally.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&#039;&#039;If you can arrange the message to be the correct length then the last block is 15 arbitrary bytes and the padding length (15). Then you arrange an interesting byte to be in the last position of a different block and duplicate that block to the end. If the record is accepted, then you know what the last byte contained because it decrypted to 15.&#039;&#039;&lt;br /&gt;
&#039;&#039;Thus the attacker needs to be able to control some of the plaintext in order to align things in the messages and needs to be able to burn lots of connections (256 per byte, roughly). Thus a secret needs to be repeated in connection after connection (i.e. a cookie).&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
source: Adam Langley in https://bugzilla.mozilla.org/show_bug.cgi?id=1076983#c29&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Daniel Stenberg (Mozilla, cUrl) has a good description of the exploitability of POODLE in http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/&lt;br /&gt;
&lt;br /&gt;
Our guidelines maintain support for SSLv3 in the Old configuration only. This is required for clients on Windows XP service pack 1 &amp;amp; 2 that do not have support for TLSv1.0. Internet Explorer and Chrome on those platforms are impacted. Mozilla wants to be reachable from very old clients, to allow them to download a better browser. Therefore, we maintain SSLv3 compatibility on a limited number of sites. But all sites that do not need that level of compatibility are encouraged to implement the Intermediate configuration&lt;br /&gt;
&lt;br /&gt;
== Logjam attack on weak Diffie-Hellman ==&lt;br /&gt;
&lt;br /&gt;
The Logjam attack describes methods of attacking TLS servers supporting DHE export ciphers, and with weak (&amp;lt;= 1024 bit) Diffie Hellman groups. Modern TLS must use DH parameters of 2048 bits and above, or only use ECDHE. The modern configuration in this guide provide configurations that are not impacted by this issue. The intermediate and old configurations are impacted, and administrators are encourage to use DH parameters of 2048 bits wherever possible.&lt;br /&gt;
&lt;br /&gt;
more: https://weakdh.org&lt;br /&gt;
&lt;br /&gt;
= SSL and TLS Settings =&lt;br /&gt;
== SPDY ==&lt;br /&gt;
&lt;br /&gt;
(see also http://en.wikipedia.org/wiki/SPDY and http://www.chromium.org/spdy/spdy-protocol)&lt;br /&gt;
&lt;br /&gt;
SPDY is a protocol that incorporate TLS, which attempts to reduce latency when loading pages. It is currently not an HTTP standard (albeit it is being drafted for HTTP 2.0), but is widely supported.&lt;br /&gt;
&lt;br /&gt;
SPDY version 3 is vulnerable to the CRIME attack (see also http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl) - this is due to the use of compression. Clients currently implement a non-standard hack in with gzip in order to circumvent the vulnerability. SPDY version 4 is planned to include a proper fix.&lt;br /&gt;
&lt;br /&gt;
== TLS tickets (RFC 5077) ==&lt;br /&gt;
&lt;br /&gt;
Once a TLS handshake has been negotiated between the server and the client, both may exchange a session ticket, which contains the session and is usually encrypted with AES-CBC 128bit. This AES key is generally static and only regenerated when the web server is restarted (with recent versions of Apache, it&#039;s stored in a file and also kept upon restarts).&lt;br /&gt;
&lt;br /&gt;
The key that encrypts TLS tickets in servers is very hard to manage and potentially introduces a security risk if not renewed regularly: if a server is breached, the key can be stolen and used to decrypt recorded TLS tickets, thus leaking session keys. TLS tickets do bring a performance benefit because of session resumption, but administrators that are more concerned about security than performance may want to disable them entirely. The trade-off we recommend is to implement restarts of web servers and force deletion of local caches to renew encryption keys.&lt;br /&gt;
&lt;br /&gt;
more information: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf&lt;br /&gt;
&lt;br /&gt;
= Cipher suites =&lt;br /&gt;
&lt;br /&gt;
Different libraries support different cipher suites and refer to them by different names. Mozilla maintains a list of [[Security/Cipher Suites|all known cipher suites]] and their corresponding names.&lt;br /&gt;
&lt;br /&gt;
== GnuTLS ciphersuite ==&lt;br /&gt;
&lt;br /&gt;
Unlike OpenSSL, GnuTLS will panic if you give it ciphers aren&#039;t supported by the library. That makes it very difficult to share a default ciphersuite to use in GnuTLS. The next best thing is using the following ciphersuite, and removing the components that break on your own version:&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
A ciphersuite can be tested in GnuTLS using &#039;&#039;&#039;gnutls-cli&#039;&#039;&#039;.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source code=bash&amp;gt;&lt;br /&gt;
$ gnutls-cli --version&lt;br /&gt;
gnutls-cli 3.1.26&lt;br /&gt;
&lt;br /&gt;
$ gnutls-cli -l --priority NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
Cipher suites for NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_GCM_SHA256                    0xc0, 0x2f  TLS1.2&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_CBC_SHA256                    0xc0, 0x27  TLS1.0&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_CBC_SHA1                      0xc0, 0x13  SSL3.0&lt;br /&gt;
TLS_ECDHE_RSA_AES_256_CBC_SHA1                      0xc0, 0x14  SSL3.0&lt;br /&gt;
TLS_DHE_RSA_AES_128_GCM_SHA256                      0x00, 0x9e  TLS1.2&lt;br /&gt;
TLS_DHE_RSA_AES_128_CBC_SHA256                      0x00, 0x67  TLS1.0&lt;br /&gt;
TLS_DHE_RSA_AES_128_CBC_SHA1                        0x00, 0x33  SSL3.0&lt;br /&gt;
TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.0&lt;br /&gt;
TLS_DHE_RSA_AES_256_CBC_SHA1                        0x00, 0x39  SSL3.0&lt;br /&gt;
TLS_RSA_AES_128_GCM_SHA256                          0x00, 0x9c  TLS1.2&lt;br /&gt;
TLS_RSA_AES_128_CBC_SHA256                          0x00, 0x3c  TLS1.0&lt;br /&gt;
TLS_RSA_AES_128_CBC_SHA1                            0x00, 0x2f  SSL3.0&lt;br /&gt;
TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.0&lt;br /&gt;
TLS_RSA_AES_256_CBC_SHA1                            0x00, 0x35  SSL3.0&lt;br /&gt;
&lt;br /&gt;
Certificate types: none&lt;br /&gt;
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0&lt;br /&gt;
Compression: COMP-NULL&lt;br /&gt;
Elliptic curves: CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1&lt;br /&gt;
PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-SHA224, SIGN-RSA-SHA1, SIGN-DSA-SHA256, SIGN-DSA-SHA224, SIGN-DSA-SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A good way to debug the ciphersuite is by performing a test connection. If the ciphersuite isn&#039;t supported, gnutls-cli will stop reading it at the component that is causing the issue.&lt;br /&gt;
&amp;lt;source code=bash&amp;gt;&lt;br /&gt;
$ gnutls-cli --debug 9999 google.com --priority &#039;NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&#039;&lt;br /&gt;
|&amp;lt;2&amp;gt;| ASSERT: gnutls_priority.c:812&lt;br /&gt;
Syntax error at: +SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
In the example above, the component SIGN-RSA-SHA224 is not supported by this version of gnutls and should be removed from the ciphersuite.&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Archive/Server_Side_TLS_4.0&amp;diff=1214183</id>
		<title>Security/Archive/Server Side TLS 4.0</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Archive/Server_Side_TLS_4.0&amp;diff=1214183"/>
		<updated>2019-06-25T19:31:30Z</updated>

		<summary type="html">&lt;p&gt;Apking: Archive of Server Side TLS 4.0&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; padding-left: 1em;&amp;quot;&amp;gt;Please note that this document is deprecated, and administrators should use the [[Security/Server Side TLS|maintained version of these guidelines]].&lt;br /&gt;
&lt;br /&gt;
The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcasted to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls source repository on github].&lt;br /&gt;
&lt;br /&gt;
If you are looking for the configuration generator, click the image below:&amp;lt;br /&amp;gt;&lt;br /&gt;
[[Image:Server-side-tls-config-generator.png|500px|center|link=https://mozilla.github.io/server-side-tls/ssl-config-generator/]]&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
Three configurations are recommended. Pick the right configuration depending on your audience. If you do not need backward compatibility, and are building a service for modern clients only (post Firefox 27/Chrome 22), then use the Modern configuration. Otherwise, prefer the Intermediate configuration. Use the Old backward compatible configuration only if your service will be accessed by very old clients, such as Windows XP IE6, or ancient libraries &amp;amp; bots.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration !! Oldest compatible client&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Windows XP IE6, Java 6&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Older versions of OpenSSL may not return the full list of algorithms. AES-GCM and some ECDHE are fairly recent, and not present on most versions of OpenSSL shipped with Ubuntu or RHEL. This listing below was obtained from a freshly built OpenSSL. If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite and let OpenSSL pick the ones it supports.&lt;br /&gt;
&lt;br /&gt;
The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. Each level shows the list of algorithms returned by its ciphersuite. If you have to pick ciphers manually for your application, make sure you keep the ordering.&lt;br /&gt;
&lt;br /&gt;
The ciphersuite numbers listed come from the IANA [https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 TLS Cipher Suite Registry]. Previous versions of these recommendations included draft numbers for ECDHE-ECDSA-CHACHA20-POLY1305 (0xCC,0x14) and ECDHE-RSA-CHACHA20-POLY1305 (0xCC,0x13).&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services that don&#039;t need backward compatibility, the parameters below provide a higher level of security. This configuration is compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039; (if not ecdsa)&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;None&#039;&#039;&#039; (disabled entirely)&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* AES256-GCM is prioritized above its 128 bits variant, and ChaCha20 because we assume that most modern devices support AESNI instructions and thus benefit from fast and constant time AES. &lt;br /&gt;
* We recommend ECDSA certificates with P256 as other curves may not be supported everywhere. RSA signatures on ECDSA certificates are permitted because very few CAs sign with ECDSA at the moment.&lt;br /&gt;
* DHE is removed entirely because it is slow in comparison with ECDHE, and all modern clients support elliptic curve key exchanges.&lt;br /&gt;
* SHA1 signature algorithm is removed in favor of SHA384 for AES256 and SHA256 for AES128.&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (default) ==&lt;br /&gt;
For services that don&#039;t need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2, TLSv1.1, TLSv1&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x33  -  DHE-RSA-AES128-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x39  -  DHE-RSA-AES256-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA       SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA         SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA           SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* ChaCha20 is prefered as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There has been discussions ([http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html 1], [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12398.html 2]) on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.&lt;br /&gt;
* DES-CBC3-SHA and EDH-RSA-DES-CBC3-SHA are maintained for backward compatibility with clients that do not support AES.&lt;br /&gt;
* While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as SEED, CAMELLIA, ...).&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2, TLSv1.1, TLSv1, SSLv3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039;&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;sha1WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305     TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0xA2  -  DHE-DSS-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0xA3  -  DHE-DSS-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x33  -  DHE-RSA-AES128-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x40  -  DHE-DSS-AES128-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x38  -  DHE-DSS-AES256-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x39  -  DHE-RSA-AES256-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA          SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA        SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA            SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x6A  -  DHE-DSS-AES256-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x32  -  DHE-DSS-AES128-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                    SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9A  -  DHE-RSA-SEED-SHA                SSLv3    Kx=DH    Au=RSA    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
0x00,0x99  -  DHE-DSS-SEED-SHA                SSLv3    Kx=DH    Au=DSS    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
0xCC,0x15  -  DHE-RSA-CHACHA20-POLY1305       TLSv1.2  Kx=DH    Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x77  -  ECDHE-RSA-CAMELLIA256-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(256)  Mac=SHA384&lt;br /&gt;
0xC0,0x73  -  ECDHE-ECDSA-CAMELLIA256-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(256)  Mac=SHA384&lt;br /&gt;
0x00,0xC4  -  DHE-RSA-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0xC3  -  DHE-DSS-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0x88  -  DHE-RSA-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0x00,0x87  -  DHE-DSS-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0x00,0xC0  -  CAMELLIA256-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0x84  -  CAMELLIA256-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0xC0,0x76  -  ECDHE-RSA-CAMELLIA128-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0xC0,0x72  -  ECDHE-ECDSA-CAMELLIA128-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0xBE  -  DHE-RSA-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0xBD  -  DHE-DSS-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0x45  -  DHE-RSA-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0x44  -  DHE-DSS-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0xBA  -  CAMELLIA128-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0x41  -  CAMELLIA128-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0x96  -  SEED-SHA                        SSLv3    Kx=RSA   Au=RSA    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* You should take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only, and most servers should use the intermediate configuration instead.&lt;br /&gt;
* SSLv3 is enabled to support WinXP SP2 clients on IE.&lt;br /&gt;
* SHA1 certificates are authorized but only via certificate switching, meaning the server must implement custom logic to provide a SHA1 certs to old clients, and SHA256 certs to all others. More information in the &amp;quot;Certificates Switching&amp;quot; section later in this document.&lt;br /&gt;
* Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
You can find the recommendations above in JSON format at the address [https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json].&lt;br /&gt;
&lt;br /&gt;
This location is permanent and can be referenced in scripts and tools. The file is versioned and will not change, to avoid breaking tools when we update the recommendations.&lt;br /&gt;
&lt;br /&gt;
If you wish to point to the latest version of the recommendations, use this address: [[https://statics.tls.security.mozilla.org/server-side-tls-conf.json https://statics.tls.security.mozilla.org/server-side-tls-conf.json].&lt;br /&gt;
Be advised the above will always point to the latest version and &#039;&#039;&#039;will not provide backward compatibility&#039;&#039;&#039;.&lt;br /&gt;
If you use it to automatically configure your servers without review, it may break things. Prefer the version-specific files instead.&lt;br /&gt;
&lt;br /&gt;
== Previous versions ==&lt;br /&gt;
&lt;br /&gt;
* None&lt;br /&gt;
&lt;br /&gt;
= Mandatory discards =&lt;br /&gt;
&lt;br /&gt;
* aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks&lt;br /&gt;
* eNULL contains null-encryption ciphers (cleartext)&lt;br /&gt;
* EXPORT are legacy weak ciphers that were marked as exportable by US law&lt;br /&gt;
* RC4 contains ciphers that use the deprecated ARCFOUR algorithm&lt;br /&gt;
* DES contains ciphers that use the deprecated Data Encryption Standard&lt;br /&gt;
* SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated&lt;br /&gt;
* MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm&lt;br /&gt;
&lt;br /&gt;
= Forward Secrecy =&lt;br /&gt;
&lt;br /&gt;
The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private from the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called Ephemeral.&lt;br /&gt;
&lt;br /&gt;
With Forward Secrecy, if an attacker gets a hold of the server&#039;s private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.&lt;br /&gt;
&lt;br /&gt;
== DHE handshake and dhparam ==&lt;br /&gt;
&lt;br /&gt;
When an ephemeral Diffie-Hellman cipher is used, the server and the client negotiate a pre-master key using the Diffie-Hellman algorithm. This algorithm requires that the server sends the client a prime number and a generator. Neither are confidential, and are sent in clear text. However, they must be signed, such that a MITM cannot hijack the handshake.&lt;br /&gt;
&lt;br /&gt;
As an example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 works as follow:&lt;br /&gt;
[[File:Dhe_params.png|frame|server key exchange message as displayed in Wireshark]]&lt;br /&gt;
[[File:Dhe_client_params.png|frame|client key exchange message as displayed in Wireshark]]&lt;br /&gt;
# Server sends Client a [http://tools.ietf.org/html/rfc5246#section-7.4.3 SERVER KEY EXCHANGE] message during the SSL Handshake. The message contains:&lt;br /&gt;
## Prime number &#039;&#039;p&#039;&#039;&lt;br /&gt;
## Generator &#039;&#039;g&#039;&#039;&lt;br /&gt;
## Server&#039;s Diffie-Hellman public value &#039;&#039;A = g^X mod p&#039;&#039;, where &#039;&#039;X&#039;&#039; is a private integer chosen by the server at random, and never shared with the client. (note: A is called &#039;&#039;pubkey&#039;&#039; in wireshark)&lt;br /&gt;
## signature &#039;&#039;S&#039;&#039; of the above (plus two random values) computed using the Server&#039;s private RSA key&lt;br /&gt;
# Client verifies the signature &#039;&#039;S&#039;&#039;&lt;br /&gt;
# Client sends server a [http://tools.ietf.org/html/rfc5246#section-7.4.7 CLIENT KEY EXCHANGE] message. The message contains:&lt;br /&gt;
## Client&#039;s Diffie-Hellman public value &#039;&#039;B = g^Y mod p&#039;&#039;, where &#039;&#039;Y&#039;&#039; is a private integer chosen at random and never shared. (note: B is called &#039;&#039;pubkey&#039;&#039; in wireshark)&lt;br /&gt;
# The Server and the Client can now calculate the pre-master secret using each other&#039;s public values:&lt;br /&gt;
## server calculates &#039;&#039;PMS = B^X mod p&#039;&#039;&lt;br /&gt;
## client calculates &#039;&#039;PMS = A^Y mod p&#039;&#039;&lt;br /&gt;
# Client sends a [http://tools.ietf.org/html/rfc5246#section-7.1 CHANGE CIPHER SPEC] message to the server, and both parties continue the handshake using ENCRYPTED HANDSHAKE MESSAGES&lt;br /&gt;
&lt;br /&gt;
The size of the prime number &#039;&#039;p&#039;&#039; constrains the size of the pre-master key &#039;&#039;PMS&#039;&#039;, because of the modulo operation. A smaller prime almost means weaker values of &#039;&#039;A&#039;&#039; and &#039;&#039;B&#039;&#039;, which could leak the secret values &#039;&#039;X&#039;&#039; and &#039;&#039;Y&#039;&#039;. Thus, the prime &#039;&#039;p&#039;&#039; should not be smaller than the size of the RSA private key.&lt;br /&gt;
&lt;br /&gt;
== Pre-defined DHE groups ==&lt;br /&gt;
&lt;br /&gt;
Instead of using pre-configured DH groups, or generating their own with &amp;quot;openssl dhparam&amp;quot;, operators should use the pre-defined DH groups ffdhe2048, ffdhe3072 or ffdhe4096 recommended by the IETF in [RFC 7919 https://tools.ietf.org/html/rfc7919].  These groups are audited and may be more resistant to attacks than ones randomly generated.&lt;br /&gt;
&lt;br /&gt;
Note: if you must support old Java clients, Dh groups larger than 1024 bits may block connectivity (see [[#DHE_and_Java]]).&lt;br /&gt;
&lt;br /&gt;
=== ffdhe2048 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== ffdhe3072 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3&lt;br /&gt;
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32&lt;br /&gt;
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu&lt;br /&gt;
N///////////AgEC&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== ffdhe4096 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3&lt;br /&gt;
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32&lt;br /&gt;
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e&lt;br /&gt;
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx&lt;br /&gt;
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K&lt;br /&gt;
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== DHE and ECDHE support ==&lt;br /&gt;
Most modern clients that support both ECDHE and DHE typically prefer the former, because ECDHE provides faster handshakes than DHE ([http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html], [http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html]).&lt;br /&gt;
&lt;br /&gt;
Unfortunately, some widely used clients lack support for ECDHE and must then rely on DHE to provide perfect forward secrecy:&lt;br /&gt;
* Android &amp;lt; 3.0.0&lt;br /&gt;
* Java &amp;lt; 7&lt;br /&gt;
* OpenSSL &amp;lt; 1.0.0&lt;br /&gt;
&lt;br /&gt;
Note that schannel on Windows XP technically support DHE, but only with DSA keys, making it unusable on the internet in practice.&lt;br /&gt;
&lt;br /&gt;
== DHE and Java ==&lt;br /&gt;
Java 6 and 7 do not support Diffie-Hellman parameters larger than 1024 bits. If your server expects to receive connections from java 6 clients and wants to enable PFS, it must provide a DHE parameter of 1024 bits.&lt;br /&gt;
&lt;br /&gt;
If keeping the compatibility with Java &amp;lt; 7 is a necessity, thus preventing the use of large DH keys, three solutions are available:&lt;br /&gt;
* using custom 1024-bit DH parameters, different from Oakley group 2, preferably generated with &#039;&#039;&#039;openssl dhparam 1024&#039;&#039;&#039; ;&lt;br /&gt;
* if the software used does not support custom DH parameters, like Apache HTTPd &amp;lt; 2.2.30, it is possible to keep using the 1024-bit DH Oakley group 2, knowing these clients may be at risk of a compromise;&lt;br /&gt;
* it is also possible to completely disable DHE. This means that clients not supporting ECDHE will be reverting to static RSA, giving up Forward Secrecy.&lt;br /&gt;
&lt;br /&gt;
The case of Java 7 is a bit different. Java 7 supports ECDHE ciphers, so if the server provides ECDHE and prioritizes it before DHE ciphers using server side ordering, then Java 7 will use ECDHE and not care about the size of the DHE parameter. In this situation, the server can use 2048 bits DHE parameters for all other clients.&lt;br /&gt;
&lt;br /&gt;
However, if the server does not support ECDHE, then Java 7 will use DHE and fail if the parameter is larger than 1024 bits. When failing, the handshake will not attempt to fall back to the next cipher in line, but simply fail with the error &amp;quot;java.lang.RuntimeException: Could not generate DH keypair&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Java supported !! ECDHE prioritized !! smallest DH parameter size&lt;br /&gt;
|-&lt;br /&gt;
|  6 || irrelevant || 1024&lt;br /&gt;
|-&lt;br /&gt;
|  7 || NO || 1024&lt;br /&gt;
|-&lt;br /&gt;
|  7 || YES || 2048&lt;br /&gt;
|-&lt;br /&gt;
|  8 || irrelevant || 2048&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OCSP Stapling =&lt;br /&gt;
When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record. The problem with CRL is that the lists have grown huge and takes forever to download.&lt;br /&gt;
&lt;br /&gt;
OCSP is much more lightweight, as only one record is retrieved at a time. But the side effect is that OCSP requests must be made to a 3rd party OCSP responder when connecting to a server, which adds latency and potential failures. In fact, the OCSP responders operated by CAs are often so unreliable that browser will fail silently if no response is received in a timely manner. This reduces security, by allowing an attacker to DoS an OCSP responder to disable the validation.&lt;br /&gt;
&lt;br /&gt;
The solution is to allow the server to send its cached OCSP record during the TLS handshake, therefore bypassing the OCSP responder. This mechanism saves a roundtrip between the client and the OCSP responder, and is called OCSP Stapling.&lt;br /&gt;
&lt;br /&gt;
The server will send a cached OCSP response only if the client requests it, by announcing support for the &#039;&#039;&#039;status_request&#039;&#039;&#039; TLS extension in its CLIENT HELLO.&lt;br /&gt;
&lt;br /&gt;
[[File:OCSP_Stapling.png]]&lt;br /&gt;
&lt;br /&gt;
Most servers will cache OCSP response for up to 48 hours. At regular intervals, the server will connect to the OCSP responder of the CA to retrieve a fresh OCSP record. The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate. For example, with StartSSL:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Authority Information Access:&lt;br /&gt;
      OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Support for OCSP Stapling can be tested using the &#039;&#039;&#039;-status&#039;&#039;&#039; option of the OpenSSL client.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
$ openssl s_client -connect monitor.mozillalabs.com:443 -status&lt;br /&gt;
...&lt;br /&gt;
======================================&lt;br /&gt;
OCSP Response Data:&lt;br /&gt;
    OCSP Response Status: successful (0x0)&lt;br /&gt;
    Response Type: Basic OCSP Response&lt;br /&gt;
    Version: 1 (0x0)&lt;br /&gt;
...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Session Resumption =&lt;br /&gt;
&lt;br /&gt;
Session Resumption is the ability to reuse the session secrets previously negotiated between a client and a server for a new TLS connection. This feature greatly increases the speed establishment of TLS connections after the first handshake, and is very useful for connections that use Perfect Forward Secrecy with a slow handshake like DHE.&lt;br /&gt;
&lt;br /&gt;
Session Resumption can be performed using one of two methods:&lt;br /&gt;
&lt;br /&gt;
# session identifier: When establishing a first session, the server generates an arbitrary session ID sent to the client. On subsequent connections, the client sends the session ID in the CLIENT HELLO message, indicating to the server it wants to reuse an existing state. If the server can find a corresponding state in its local cache, it reuse the session secrets and skips directly to exchanging encrypted data with the client. If the cache stored on the server is compromised, session keys from the cache can be used to decrypt past and future sessions.&lt;br /&gt;
# session tickets: Storing a cache on the server might be problematic for systems that handle very large numbers of clients. Session tickets provide an alternative where the server sends the encrypted state (ticket) to the client instead of storing it in its local cache. The client can send back the encrypted state to the server in subsequent connections, thus allowing session resumption. This method requires symmetric keys on the server to encrypt and decrypt session tickets. If the keys are compromised, an attacker obtains access to session keys and can decrypt past and future sessions.&lt;br /&gt;
&lt;br /&gt;
Session resumption is a very useful performance feature of TLS, but also carries a significant amount of risk. Most servers do not purge sessions or ticket keys, thus increasing the risk that a server compromise would leak data from previous (and future) connections.&lt;br /&gt;
&lt;br /&gt;
The current recommendation for web servers is to enable session resumption and benefit from the performance improvement, but to restart servers daily when possible. This ensure that sessions get purged and ticket keys get renewed on a regular basis.&lt;br /&gt;
&lt;br /&gt;
= HSTS: HTTP Strict Transport Security =&lt;br /&gt;
&lt;br /&gt;
[https://tools.ietf.org/html/rfc6797 HSTS] is a HTTP header sent by a server to a client, indicating that the current site must only be accessed over HTTPS until expiration of the HSTS value is reached.&lt;br /&gt;
&lt;br /&gt;
The header format is very simple, composed only of a &#039;&#039;&#039;max-age&#039;&#039;&#039; parameter that indicates when the directive should expire. max-age is expressed in seconds. A typical value is 15768000 seconds, or 6 months.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security: max-age=15768000&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HSTS is becoming more and more of a standard, but should only be used when the site&#039;s operators are confident that HTTPS will be available continuously for the duration of max-age. Once the HSTS header is sent to client, HTTPS cannot be disabled on the site until the last client has expired its HSTS record.&lt;br /&gt;
&lt;br /&gt;
= HPKP: Public Key Pinning Extension for HTTP =&lt;br /&gt;
&lt;br /&gt;
See [http://tools.ietf.org/html/rfc7469 RFC7469].&lt;br /&gt;
&lt;br /&gt;
HPKP is an &#039;&#039;&#039;experimental&#039;&#039;&#039; HTTP header sent by a server to a client, to indicate that some certificates related to the site should be pinned in the client. The client would thus refuse to establish a connection to the server if the pining does not comply.&lt;br /&gt;
&lt;br /&gt;
Due to its experimental nature, HPKP is currently &#039;&#039;&#039;not&#039;&#039;&#039; recommended on production sites. More informations can be found on the [https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning MDN description page].&lt;br /&gt;
&lt;br /&gt;
= Certificates Switching =&lt;br /&gt;
&lt;br /&gt;
Certificates Switching is a technique by which a server provides a different X.509 certificate to a client based on specific selection criteria. This technique is used primarily to maintain backward compatibility with very old clients, such as Internet Explorer 6 on Windows XP SP2.&lt;br /&gt;
&lt;br /&gt;
On XPSP2, IE6 is only able to establish connections to servers that provide a certificate signed with sha1WithRSAEncryption. Those certificates are not issued by modern CAs anymore, and all sites have been encouraged to upgrade to SHA-256 certificates. As modern browsers gradually block connections backed by SHA-1 certificates, sites that need to maintain compatibility with XPSP2 must implement certificates switching to provide a SHA-1 cert to old clients and a SHA-256 cert to modern ones.&lt;br /&gt;
&lt;br /&gt;
Certificate switching can be implemented in various ways. A simplistic approach is to select the certificate based on the protocol version (SHA-256 to TLS clients, SHA-1 to SSLv3 ones). A more sophisticated approach consists at looking inside the CLIENT HELLO for SHA-256 support in the &amp;quot;signature_algorithms&amp;quot; extension.&lt;br /&gt;
&lt;br /&gt;
Few servers currently support cert switching. It is possible to implement it using [https://jve.linuxwall.info/blog/index.php?post/2015/10/04/SHA1/SHA256-certificate-switching-with-HAProxy HAProxy], and vendors like Cloudflare propose it in their offering.&lt;br /&gt;
&lt;br /&gt;
= Recommended Server Configurations =&lt;br /&gt;
&lt;br /&gt;
All configuration samples have been moved to the configuration generator and the [[Security/TLS_Configurations]] archive. Access the generator by clicking the image below:&lt;br /&gt;
&lt;br /&gt;
[[Image:Server-side-tls-config-generator.png|link=https://mozilla.github.io/server-side-tls/ssl-config-generator/]]&lt;br /&gt;
&lt;br /&gt;
= Tools =&lt;br /&gt;
== CipherScan ==&lt;br /&gt;
&lt;br /&gt;
See https://github.com/jvehent/cipherscan&lt;br /&gt;
&lt;br /&gt;
Cipherscan is a small Bash script that connects to a target and list the preferred Ciphers. It&#039;s an easy way to test a web server for available ciphers, PFS key size, elliptic curves, support for OCSP Stapling, TLS ticket lifetime and certificate trust.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
$ ./cipherscan jve.linuxwall.info&lt;br /&gt;
..........................&lt;br /&gt;
prio  ciphersuite                  protocols              pfs_keysize&lt;br /&gt;
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,4096bits&lt;br /&gt;
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,4096bits&lt;br /&gt;
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,4096bits&lt;br /&gt;
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,4096bits&lt;br /&gt;
12    AES128-GCM-SHA256            TLSv1.2&lt;br /&gt;
13    AES256-GCM-SHA384            TLSv1.2&lt;br /&gt;
14    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
15    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
17    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
18    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
19    AES256-SHA256                TLSv1.2&lt;br /&gt;
20    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
21    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
22    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
23    AES128-SHA256                TLSv1.2&lt;br /&gt;
24    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
25    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
&lt;br /&gt;
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature&lt;br /&gt;
TLS ticket lifetime hint: 300&lt;br /&gt;
OCSP stapling: supported&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== SSL Labs (Qualys) ==&lt;br /&gt;
&lt;br /&gt;
Available here: https://www.ssllabs.com/ssltest/&lt;br /&gt;
&lt;br /&gt;
Qualys SSL Labs provides a comprehensive SSL testing suite.&lt;br /&gt;
&lt;br /&gt;
GlobalSign has a modified interface of SSL Labs that is interesting as well: https://sslcheck.globalsign.com/&lt;br /&gt;
&lt;br /&gt;
= Attacks on SSL and TLS =&lt;br /&gt;
== BEAST (CVE-2011-3389) ==&lt;br /&gt;
&lt;br /&gt;
Beast is a vulnerability in the Initialization Vector (IV) of the CBC mode of AES, Camellia and a few other ciphers that use CBC mode. The attack allows a  MITM attacker to recover plaintext values by encrypting the same message multiple times.&lt;br /&gt;
&lt;br /&gt;
BEAST is mitigated in TLS1.1 and above.&lt;br /&gt;
&lt;br /&gt;
more: https://blog.torproject.org/blog/tor-and-beast-ssl-attack&lt;br /&gt;
&lt;br /&gt;
== LUCKY13 ==&lt;br /&gt;
&lt;br /&gt;
Lucky13 is another attack on CBC mode that listen for padding checks to decrypt ciphertext.&lt;br /&gt;
&lt;br /&gt;
more: https://www.imperialviolet.org/2013/02/04/luckythirteen.html&lt;br /&gt;
&lt;br /&gt;
== RC4 weaknesses ==&lt;br /&gt;
&lt;br /&gt;
As of February 2015, the IETF explicitely prohibits the use of RC4: [http://www.ietf.org/rfc/rfc7465.txt RFC 7465].&lt;br /&gt;
&lt;br /&gt;
It has been proven that RC4 biases in the first 256 bytes of a cipherstream can be used to recover encrypted text. If the same data is encrypted a very large number of times, then an attacker can apply statistical analysis to the results and recover the encrypted text. While hard to perform, this attack shows that it is time to remove RC4 from the list of trusted ciphers.&lt;br /&gt;
&lt;br /&gt;
In a public discussion ([https://bugzilla.mozilla.org/show_bug.cgi?id=927045 bug 927045]), it has been recommended to replace RC4 with 3DES. This would impact Internet Explorer 7 and 8 users that, depending on the OS, do not support AES, and will negotiate only RC4 or 3DES ciphers. Internet Explorer uses the cryptographic library “schannel”, which is OS dependent. schannel supports AES in Windows Vista, but not in Windows XP.&lt;br /&gt;
 &lt;br /&gt;
While 3DES provides more resistant cryptography, it is also 30 times slower and more cpu intensive than RC4. For large web infrastructure, the CPU cost of replacing RC4 with 3DES is non-zero. For this reason, we recommend that administrators evaluate their traffic patterns, and make the decision of replacing RC4 with 3DES on a per-case basis. At Mozilla, we evaluated that the impact on CPU usage is minor, and thus decided to replace RC4 with 3DES where backward compatibility is required.&lt;br /&gt;
&lt;br /&gt;
The root cause of the problem is information leakage that occurs when data is compressed prior to encryption. If someone can repeatedly inject and mix arbitrary content with some sensitive and relatively predictable data, and observe the resulting encrypted stream, then he will be able to extract the unknown data from it.&lt;br /&gt;
&lt;br /&gt;
more: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls&lt;br /&gt;
&lt;br /&gt;
== BREACH ==&lt;br /&gt;
&lt;br /&gt;
This is a more complex attack than CRIME, which does not require TLS-level compression (it still needs HTTP-level compression).&lt;br /&gt;
&lt;br /&gt;
In order to be successful, it requires to:&lt;br /&gt;
&lt;br /&gt;
# Be served from a server that uses HTTP-level compression&lt;br /&gt;
# Reflect user-input in HTTP response bodies&lt;br /&gt;
# Reflect a secret (such as a CSRF token) in HTTP response bodies&lt;br /&gt;
&lt;br /&gt;
more: http://breachattack.com/&lt;br /&gt;
&lt;br /&gt;
== POODLE ([http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 CVE-2014-3566]) ==&lt;br /&gt;
&lt;br /&gt;
POODLE is an attack on the padding used by SSLv3. It is a significant improvement of the BEAST attack which led the cryptography community to recommend disabling SSLv3 globally.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&#039;&#039;If you can arrange the message to be the correct length then the last block is 15 arbitrary bytes and the padding length (15). Then you arrange an interesting byte to be in the last position of a different block and duplicate that block to the end. If the record is accepted, then you know what the last byte contained because it decrypted to 15.&#039;&#039;&lt;br /&gt;
&#039;&#039;Thus the attacker needs to be able to control some of the plaintext in order to align things in the messages and needs to be able to burn lots of connections (256 per byte, roughly). Thus a secret needs to be repeated in connection after connection (i.e. a cookie).&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
source: Adam Langley in https://bugzilla.mozilla.org/show_bug.cgi?id=1076983#c29&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Daniel Stenberg (Mozilla, cUrl) has a good description of the exploitability of POODLE in http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/&lt;br /&gt;
&lt;br /&gt;
Our guidelines maintain support for SSLv3 in the Old configuration only. This is required for clients on Windows XP service pack 1 &amp;amp; 2 that do not have support for TLSv1.0. Internet Explorer and Chrome on those platforms are impacted. Mozilla wants to be reachable from very old clients, to allow them to download a better browser. Therefore, we maintain SSLv3 compatibility on a limited number of sites. But all sites that do not need that level of compatibility are encouraged to implement the Intermediate configuration&lt;br /&gt;
&lt;br /&gt;
== Logjam attack on weak Diffie-Hellman ==&lt;br /&gt;
&lt;br /&gt;
The Logjam attack describes methods of attacking TLS servers supporting DHE export ciphers, and with weak (&amp;lt;= 1024 bit) Diffie Hellman groups. Modern TLS must use DH parameters of 2048 bits and above, or only use ECDHE. The modern configuration in this guide provide configurations that are not impacted by this issue. The intermediate and old configurations are impacted, and administrators are encourage to use DH parameters of 2048 bits wherever possible.&lt;br /&gt;
&lt;br /&gt;
more: https://weakdh.org&lt;br /&gt;
&lt;br /&gt;
= SSL and TLS Settings =&lt;br /&gt;
== SPDY ==&lt;br /&gt;
&lt;br /&gt;
(see also http://en.wikipedia.org/wiki/SPDY and http://www.chromium.org/spdy/spdy-protocol)&lt;br /&gt;
&lt;br /&gt;
SPDY is a protocol that incorporate TLS, which attempts to reduce latency when loading pages. It is currently not an HTTP standard (albeit it is being drafted for HTTP 2.0), but is widely supported.&lt;br /&gt;
&lt;br /&gt;
SPDY version 3 is vulnerable to the CRIME attack (see also http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl) - this is due to the use of compression. Clients currently implement a non-standard hack in with gzip in order to circumvent the vulnerability. SPDY version 4 is planned to include a proper fix.&lt;br /&gt;
&lt;br /&gt;
== TLS tickets (RFC 5077) ==&lt;br /&gt;
&lt;br /&gt;
Once a TLS handshake has been negotiated between the server and the client, both may exchange a session ticket, which contains the session and is usually encrypted with AES-CBC 128bit. This AES key is generally static and only regenerated when the web server is restarted (with recent versions of Apache, it&#039;s stored in a file and also kept upon restarts).&lt;br /&gt;
&lt;br /&gt;
The key that encrypts TLS tickets in servers is very hard to manage and potentially introduces a security risk if not renewed regularly: if a server is breached, the key can be stolen and used to decrypt recorded TLS tickets, thus leaking session keys. TLS tickets do bring a performance benefit because of session resumption, but administrators that are more concerned about security than performance may want to disable them entirely. The trade-off we recommend is to implement restarts of web servers and force deletion of local caches to renew encryption keys.&lt;br /&gt;
&lt;br /&gt;
more information: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf&lt;br /&gt;
&lt;br /&gt;
= Cipher suites =&lt;br /&gt;
&lt;br /&gt;
Different libraries support different cipher suites and refer to them by different names. Mozilla maintains a list of [[Security/Cipher Suites|all known cipher suites]] and their corresponding names.&lt;br /&gt;
&lt;br /&gt;
== GnuTLS ciphersuite ==&lt;br /&gt;
&lt;br /&gt;
Unlike OpenSSL, GnuTLS will panic if you give it ciphers aren&#039;t supported by the library. That makes it very difficult to share a default ciphersuite to use in GnuTLS. The next best thing is using the following ciphersuite, and removing the components that break on your own version:&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
A ciphersuite can be tested in GnuTLS using &#039;&#039;&#039;gnutls-cli&#039;&#039;&#039;.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source code=bash&amp;gt;&lt;br /&gt;
$ gnutls-cli --version&lt;br /&gt;
gnutls-cli 3.1.26&lt;br /&gt;
&lt;br /&gt;
$ gnutls-cli -l --priority NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
Cipher suites for NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_GCM_SHA256                    0xc0, 0x2f  TLS1.2&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_CBC_SHA256                    0xc0, 0x27  TLS1.0&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_CBC_SHA1                      0xc0, 0x13  SSL3.0&lt;br /&gt;
TLS_ECDHE_RSA_AES_256_CBC_SHA1                      0xc0, 0x14  SSL3.0&lt;br /&gt;
TLS_DHE_RSA_AES_128_GCM_SHA256                      0x00, 0x9e  TLS1.2&lt;br /&gt;
TLS_DHE_RSA_AES_128_CBC_SHA256                      0x00, 0x67  TLS1.0&lt;br /&gt;
TLS_DHE_RSA_AES_128_CBC_SHA1                        0x00, 0x33  SSL3.0&lt;br /&gt;
TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.0&lt;br /&gt;
TLS_DHE_RSA_AES_256_CBC_SHA1                        0x00, 0x39  SSL3.0&lt;br /&gt;
TLS_RSA_AES_128_GCM_SHA256                          0x00, 0x9c  TLS1.2&lt;br /&gt;
TLS_RSA_AES_128_CBC_SHA256                          0x00, 0x3c  TLS1.0&lt;br /&gt;
TLS_RSA_AES_128_CBC_SHA1                            0x00, 0x2f  SSL3.0&lt;br /&gt;
TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.0&lt;br /&gt;
TLS_RSA_AES_256_CBC_SHA1                            0x00, 0x35  SSL3.0&lt;br /&gt;
&lt;br /&gt;
Certificate types: none&lt;br /&gt;
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0&lt;br /&gt;
Compression: COMP-NULL&lt;br /&gt;
Elliptic curves: CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1&lt;br /&gt;
PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-SHA224, SIGN-RSA-SHA1, SIGN-DSA-SHA256, SIGN-DSA-SHA224, SIGN-DSA-SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A good way to debug the ciphersuite is by performing a test connection. If the ciphersuite isn&#039;t supported, gnutls-cli will stop reading it at the component that is causing the issue.&lt;br /&gt;
&amp;lt;source code=bash&amp;gt;&lt;br /&gt;
$ gnutls-cli --debug 9999 google.com --priority &#039;NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&#039;&lt;br /&gt;
|&amp;lt;2&amp;gt;| ASSERT: gnutls_priority.c:812&lt;br /&gt;
Syntax error at: +SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
In the example above, the component SIGN-RSA-SHA224 is not supported by this version of gnutls and should be removed from the ciphersuite.&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1212843</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1212843"/>
		<updated>2019-05-24T22:26:19Z</updated>

		<summary type="html">&lt;p&gt;Apking: Move cipher suite table elsewhere&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; padding-left: 1em;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcasted to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls source repository on github].&lt;br /&gt;
&lt;br /&gt;
If you are looking for the configuration generator, click the image below:&amp;lt;br /&amp;gt;&lt;br /&gt;
[[Image:Server-side-tls-config-generator.png|500px|center|link=https://mozilla.github.io/server-side-tls/ssl-config-generator/]]&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
Three configurations are recommended. Pick the right configuration depending on your audience. If you do not need backward compatibility, and are building a service for modern clients only (post Firefox 27/Chrome 22), then use the Modern configuration. Otherwise, prefer the Intermediate configuration. Use the Old backward compatible configuration only if your service will be accessed by very old clients, such as Windows XP IE6, or ancient libraries &amp;amp; bots.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration !! Oldest compatible client&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Windows XP IE6, Java 6&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Older versions of OpenSSL may not return the full list of algorithms. AES-GCM and some ECDHE are fairly recent, and not present on most versions of OpenSSL shipped with Ubuntu or RHEL. This listing below was obtained from a freshly built OpenSSL. If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite and let OpenSSL pick the ones it supports.&lt;br /&gt;
&lt;br /&gt;
The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. Each level shows the list of algorithms returned by its ciphersuite. If you have to pick ciphers manually for your application, make sure you keep the ordering.&lt;br /&gt;
&lt;br /&gt;
The ciphersuite numbers listed come from the IANA [https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 TLS Cipher Suite Registry]. Previous versions of these recommendations included draft numbers for ECDHE-ECDSA-CHACHA20-POLY1305 (0xCC,0x14) and ECDHE-RSA-CHACHA20-POLY1305 (0xCC,0x13).&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services that don&#039;t need backward compatibility, the parameters below provide a higher level of security. This configuration is compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039; (if not ecdsa)&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;None&#039;&#039;&#039; (disabled entirely)&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* AES256-GCM is prioritized above its 128 bits variant, and ChaCha20 because we assume that most modern devices support AESNI instructions and thus benefit from fast and constant time AES. &lt;br /&gt;
* We recommend ECDSA certificates with P256 as other curves may not be supported everywhere. RSA signatures on ECDSA certificates are permitted because very few CAs sign with ECDSA at the moment.&lt;br /&gt;
* DHE is removed entirely because it is slow in comparison with ECDHE, and all modern clients support elliptic curve key exchanges.&lt;br /&gt;
* SHA1 signature algorithm is removed in favor of SHA384 for AES256 and SHA256 for AES128.&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (default) ==&lt;br /&gt;
For services that don&#039;t need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2, TLSv1.1, TLSv1&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x33  -  DHE-RSA-AES128-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x39  -  DHE-RSA-AES256-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA       SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA         SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA           SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* ChaCha20 is prefered as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There has been discussions ([http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html 1], [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12398.html 2]) on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.&lt;br /&gt;
* DES-CBC3-SHA and EDH-RSA-DES-CBC3-SHA are maintained for backward compatibility with clients that do not support AES.&lt;br /&gt;
* While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as SEED, CAMELLIA, ...).&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2, TLSv1.1, TLSv1, SSLv3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039;&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;sha1WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xCC,0xA9  -  ECDHE-ECDSA-CHACHA20-POLY1305   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0xA8  -  ECDHE-RSA-CHACHA20-POLY1305     TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0xA2  -  DHE-DSS-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0xA3  -  DHE-DSS-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x33  -  DHE-RSA-AES128-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x40  -  DHE-DSS-AES128-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x38  -  DHE-DSS-AES256-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x39  -  DHE-RSA-AES256-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA          SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA        SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA            SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x6A  -  DHE-DSS-AES256-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x32  -  DHE-DSS-AES128-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                    SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9A  -  DHE-RSA-SEED-SHA                SSLv3    Kx=DH    Au=RSA    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
0x00,0x99  -  DHE-DSS-SEED-SHA                SSLv3    Kx=DH    Au=DSS    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
0xCC,0x15  -  DHE-RSA-CHACHA20-POLY1305       TLSv1.2  Kx=DH    Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x77  -  ECDHE-RSA-CAMELLIA256-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(256)  Mac=SHA384&lt;br /&gt;
0xC0,0x73  -  ECDHE-ECDSA-CAMELLIA256-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(256)  Mac=SHA384&lt;br /&gt;
0x00,0xC4  -  DHE-RSA-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0xC3  -  DHE-DSS-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0x88  -  DHE-RSA-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0x00,0x87  -  DHE-DSS-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0x00,0xC0  -  CAMELLIA256-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0x84  -  CAMELLIA256-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0xC0,0x76  -  ECDHE-RSA-CAMELLIA128-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0xC0,0x72  -  ECDHE-ECDSA-CAMELLIA128-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0xBE  -  DHE-RSA-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0xBD  -  DHE-DSS-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0x45  -  DHE-RSA-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0x44  -  DHE-DSS-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0xBA  -  CAMELLIA128-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0x41  -  CAMELLIA128-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0x96  -  SEED-SHA                        SSLv3    Kx=RSA   Au=RSA    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* You should take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only, and most servers should use the intermediate configuration instead.&lt;br /&gt;
* SSLv3 is enabled to support WinXP SP2 clients on IE.&lt;br /&gt;
* SHA1 certificates are authorized but only via certificate switching, meaning the server must implement custom logic to provide a SHA1 certs to old clients, and SHA256 certs to all others. More information in the &amp;quot;Certificates Switching&amp;quot; section later in this document.&lt;br /&gt;
* Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
You can find the recommendations above in JSON format at the address [https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json].&lt;br /&gt;
&lt;br /&gt;
This location is permanent and can be referenced in scripts and tools. The file is versioned and will not change, to avoid breaking tools when we update the recommendations.&lt;br /&gt;
&lt;br /&gt;
If you wish to point to the latest version of the recommendations, use this address: [[https://statics.tls.security.mozilla.org/server-side-tls-conf.json https://statics.tls.security.mozilla.org/server-side-tls-conf.json].&lt;br /&gt;
Be advised the above will always point to the latest version and &#039;&#039;&#039;will not provide backward compatibility&#039;&#039;&#039;.&lt;br /&gt;
If you use it to automatically configure your servers without review, it may break things. Prefer the version-specific files instead.&lt;br /&gt;
&lt;br /&gt;
== Previous versions ==&lt;br /&gt;
&lt;br /&gt;
* None&lt;br /&gt;
&lt;br /&gt;
= Mandatory discards =&lt;br /&gt;
&lt;br /&gt;
* aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks&lt;br /&gt;
* eNULL contains null-encryption ciphers (cleartext)&lt;br /&gt;
* EXPORT are legacy weak ciphers that were marked as exportable by US law&lt;br /&gt;
* RC4 contains ciphers that use the deprecated ARCFOUR algorithm&lt;br /&gt;
* DES contains ciphers that use the deprecated Data Encryption Standard&lt;br /&gt;
* SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated&lt;br /&gt;
* MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm&lt;br /&gt;
&lt;br /&gt;
= Forward Secrecy =&lt;br /&gt;
&lt;br /&gt;
The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private from the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called Ephemeral.&lt;br /&gt;
&lt;br /&gt;
With Forward Secrecy, if an attacker gets a hold of the server&#039;s private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.&lt;br /&gt;
&lt;br /&gt;
== DHE handshake and dhparam ==&lt;br /&gt;
&lt;br /&gt;
When an ephemeral Diffie-Hellman cipher is used, the server and the client negotiate a pre-master key using the Diffie-Hellman algorithm. This algorithm requires that the server sends the client a prime number and a generator. Neither are confidential, and are sent in clear text. However, they must be signed, such that a MITM cannot hijack the handshake.&lt;br /&gt;
&lt;br /&gt;
As an example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 works as follow:&lt;br /&gt;
[[File:Dhe_params.png|frame|server key exchange message as displayed in Wireshark]]&lt;br /&gt;
[[File:Dhe_client_params.png|frame|client key exchange message as displayed in Wireshark]]&lt;br /&gt;
# Server sends Client a [http://tools.ietf.org/html/rfc5246#section-7.4.3 SERVER KEY EXCHANGE] message during the SSL Handshake. The message contains:&lt;br /&gt;
## Prime number &#039;&#039;p&#039;&#039;&lt;br /&gt;
## Generator &#039;&#039;g&#039;&#039;&lt;br /&gt;
## Server&#039;s Diffie-Hellman public value &#039;&#039;A = g^X mod p&#039;&#039;, where &#039;&#039;X&#039;&#039; is a private integer chosen by the server at random, and never shared with the client. (note: A is called &#039;&#039;pubkey&#039;&#039; in wireshark)&lt;br /&gt;
## signature &#039;&#039;S&#039;&#039; of the above (plus two random values) computed using the Server&#039;s private RSA key&lt;br /&gt;
# Client verifies the signature &#039;&#039;S&#039;&#039;&lt;br /&gt;
# Client sends server a [http://tools.ietf.org/html/rfc5246#section-7.4.7 CLIENT KEY EXCHANGE] message. The message contains:&lt;br /&gt;
## Client&#039;s Diffie-Hellman public value &#039;&#039;B = g^Y mod p&#039;&#039;, where &#039;&#039;Y&#039;&#039; is a private integer chosen at random and never shared. (note: B is called &#039;&#039;pubkey&#039;&#039; in wireshark)&lt;br /&gt;
# The Server and the Client can now calculate the pre-master secret using each other&#039;s public values:&lt;br /&gt;
## server calculates &#039;&#039;PMS = B^X mod p&#039;&#039;&lt;br /&gt;
## client calculates &#039;&#039;PMS = A^Y mod p&#039;&#039;&lt;br /&gt;
# Client sends a [http://tools.ietf.org/html/rfc5246#section-7.1 CHANGE CIPHER SPEC] message to the server, and both parties continue the handshake using ENCRYPTED HANDSHAKE MESSAGES&lt;br /&gt;
&lt;br /&gt;
The size of the prime number &#039;&#039;p&#039;&#039; constrains the size of the pre-master key &#039;&#039;PMS&#039;&#039;, because of the modulo operation. A smaller prime almost means weaker values of &#039;&#039;A&#039;&#039; and &#039;&#039;B&#039;&#039;, which could leak the secret values &#039;&#039;X&#039;&#039; and &#039;&#039;Y&#039;&#039;. Thus, the prime &#039;&#039;p&#039;&#039; should not be smaller than the size of the RSA private key.&lt;br /&gt;
&lt;br /&gt;
== Pre-defined DHE groups ==&lt;br /&gt;
&lt;br /&gt;
Instead of using pre-configured DH groups, or generating their own with &amp;quot;openssl dhparam&amp;quot;, operators should use the pre-defined DH groups ffdhe2048, ffdhe3072 or ffdhe4096 recommended by the IETF in [RFC 7919 https://tools.ietf.org/html/rfc7919].  These groups are audited and may be more resistant to attacks than ones randomly generated.&lt;br /&gt;
&lt;br /&gt;
Note: if you must support old Java clients, Dh groups larger than 1024 bits may block connectivity (see [[#DHE_and_Java]]).&lt;br /&gt;
&lt;br /&gt;
=== ffdhe2048 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== ffdhe3072 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3&lt;br /&gt;
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32&lt;br /&gt;
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu&lt;br /&gt;
N///////////AgEC&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== ffdhe4096 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3&lt;br /&gt;
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32&lt;br /&gt;
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e&lt;br /&gt;
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx&lt;br /&gt;
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K&lt;br /&gt;
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== DHE and ECDHE support ==&lt;br /&gt;
Most modern clients that support both ECDHE and DHE typically prefer the former, because ECDHE provides faster handshakes than DHE ([http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html], [http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html]).&lt;br /&gt;
&lt;br /&gt;
Unfortunately, some widely used clients lack support for ECDHE and must then rely on DHE to provide perfect forward secrecy:&lt;br /&gt;
* Android &amp;lt; 3.0.0&lt;br /&gt;
* Java &amp;lt; 7&lt;br /&gt;
* OpenSSL &amp;lt; 1.0.0&lt;br /&gt;
&lt;br /&gt;
Note that schannel on Windows XP technically support DHE, but only with DSA keys, making it unusable on the internet in practice.&lt;br /&gt;
&lt;br /&gt;
== DHE and Java ==&lt;br /&gt;
Java 6 and 7 do not support Diffie-Hellman parameters larger than 1024 bits. If your server expects to receive connections from java 6 clients and wants to enable PFS, it must provide a DHE parameter of 1024 bits.&lt;br /&gt;
&lt;br /&gt;
If keeping the compatibility with Java &amp;lt; 7 is a necessity, thus preventing the use of large DH keys, three solutions are available:&lt;br /&gt;
* using custom 1024-bit DH parameters, different from Oakley group 2, preferably generated with &#039;&#039;&#039;openssl dhparam 1024&#039;&#039;&#039; ;&lt;br /&gt;
* if the software used does not support custom DH parameters, like Apache HTTPd &amp;lt; 2.2.30, it is possible to keep using the 1024-bit DH Oakley group 2, knowing these clients may be at risk of a compromise;&lt;br /&gt;
* it is also possible to completely disable DHE. This means that clients not supporting ECDHE will be reverting to static RSA, giving up Forward Secrecy.&lt;br /&gt;
&lt;br /&gt;
The case of Java 7 is a bit different. Java 7 supports ECDHE ciphers, so if the server provides ECDHE and prioritizes it before DHE ciphers using server side ordering, then Java 7 will use ECDHE and not care about the size of the DHE parameter. In this situation, the server can use 2048 bits DHE parameters for all other clients.&lt;br /&gt;
&lt;br /&gt;
However, if the server does not support ECDHE, then Java 7 will use DHE and fail if the parameter is larger than 1024 bits. When failing, the handshake will not attempt to fall back to the next cipher in line, but simply fail with the error &amp;quot;java.lang.RuntimeException: Could not generate DH keypair&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Java supported !! ECDHE prioritized !! smallest DH parameter size&lt;br /&gt;
|-&lt;br /&gt;
|  6 || irrelevant || 1024&lt;br /&gt;
|-&lt;br /&gt;
|  7 || NO || 1024&lt;br /&gt;
|-&lt;br /&gt;
|  7 || YES || 2048&lt;br /&gt;
|-&lt;br /&gt;
|  8 || irrelevant || 2048&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OCSP Stapling =&lt;br /&gt;
When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record. The problem with CRL is that the lists have grown huge and takes forever to download.&lt;br /&gt;
&lt;br /&gt;
OCSP is much more lightweight, as only one record is retrieved at a time. But the side effect is that OCSP requests must be made to a 3rd party OCSP responder when connecting to a server, which adds latency and potential failures. In fact, the OCSP responders operated by CAs are often so unreliable that browser will fail silently if no response is received in a timely manner. This reduces security, by allowing an attacker to DoS an OCSP responder to disable the validation.&lt;br /&gt;
&lt;br /&gt;
The solution is to allow the server to send its cached OCSP record during the TLS handshake, therefore bypassing the OCSP responder. This mechanism saves a roundtrip between the client and the OCSP responder, and is called OCSP Stapling.&lt;br /&gt;
&lt;br /&gt;
The server will send a cached OCSP response only if the client requests it, by announcing support for the &#039;&#039;&#039;status_request&#039;&#039;&#039; TLS extension in its CLIENT HELLO.&lt;br /&gt;
&lt;br /&gt;
[[File:OCSP_Stapling.png]]&lt;br /&gt;
&lt;br /&gt;
Most servers will cache OCSP response for up to 48 hours. At regular intervals, the server will connect to the OCSP responder of the CA to retrieve a fresh OCSP record. The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate. For example, with StartSSL:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Authority Information Access:&lt;br /&gt;
      OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Support for OCSP Stapling can be tested using the &#039;&#039;&#039;-status&#039;&#039;&#039; option of the OpenSSL client.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
$ openssl s_client -connect monitor.mozillalabs.com:443 -status&lt;br /&gt;
...&lt;br /&gt;
======================================&lt;br /&gt;
OCSP Response Data:&lt;br /&gt;
    OCSP Response Status: successful (0x0)&lt;br /&gt;
    Response Type: Basic OCSP Response&lt;br /&gt;
    Version: 1 (0x0)&lt;br /&gt;
...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Session Resumption =&lt;br /&gt;
&lt;br /&gt;
Session Resumption is the ability to reuse the session secrets previously negotiated between a client and a server for a new TLS connection. This feature greatly increases the speed establishment of TLS connections after the first handshake, and is very useful for connections that use Perfect Forward Secrecy with a slow handshake like DHE.&lt;br /&gt;
&lt;br /&gt;
Session Resumption can be performed using one of two methods:&lt;br /&gt;
&lt;br /&gt;
# session identifier: When establishing a first session, the server generates an arbitrary session ID sent to the client. On subsequent connections, the client sends the session ID in the CLIENT HELLO message, indicating to the server it wants to reuse an existing state. If the server can find a corresponding state in its local cache, it reuse the session secrets and skips directly to exchanging encrypted data with the client. If the cache stored on the server is compromised, session keys from the cache can be used to decrypt past and future sessions.&lt;br /&gt;
# session tickets: Storing a cache on the server might be problematic for systems that handle very large numbers of clients. Session tickets provide an alternative where the server sends the encrypted state (ticket) to the client instead of storing it in its local cache. The client can send back the encrypted state to the server in subsequent connections, thus allowing session resumption. This method requires symmetric keys on the server to encrypt and decrypt session tickets. If the keys are compromised, an attacker obtains access to session keys and can decrypt past and future sessions.&lt;br /&gt;
&lt;br /&gt;
Session resumption is a very useful performance feature of TLS, but also carries a significant amount of risk. Most servers do not purge sessions or ticket keys, thus increasing the risk that a server compromise would leak data from previous (and future) connections.&lt;br /&gt;
&lt;br /&gt;
The current recommendation for web servers is to enable session resumption and benefit from the performance improvement, but to restart servers daily when possible. This ensure that sessions get purged and ticket keys get renewed on a regular basis.&lt;br /&gt;
&lt;br /&gt;
= HSTS: HTTP Strict Transport Security =&lt;br /&gt;
&lt;br /&gt;
[https://tools.ietf.org/html/rfc6797 HSTS] is a HTTP header sent by a server to a client, indicating that the current site must only be accessed over HTTPS until expiration of the HSTS value is reached.&lt;br /&gt;
&lt;br /&gt;
The header format is very simple, composed only of a &#039;&#039;&#039;max-age&#039;&#039;&#039; parameter that indicates when the directive should expire. max-age is expressed in seconds. A typical value is 15768000 seconds, or 6 months.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security: max-age=15768000&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HSTS is becoming more and more of a standard, but should only be used when the site&#039;s operators are confident that HTTPS will be available continuously for the duration of max-age. Once the HSTS header is sent to client, HTTPS cannot be disabled on the site until the last client has expired its HSTS record.&lt;br /&gt;
&lt;br /&gt;
= HPKP: Public Key Pinning Extension for HTTP =&lt;br /&gt;
&lt;br /&gt;
See [http://tools.ietf.org/html/rfc7469 RFC7469].&lt;br /&gt;
&lt;br /&gt;
HPKP is an &#039;&#039;&#039;experimental&#039;&#039;&#039; HTTP header sent by a server to a client, to indicate that some certificates related to the site should be pinned in the client. The client would thus refuse to establish a connection to the server if the pining does not comply.&lt;br /&gt;
&lt;br /&gt;
Due to its experimental nature, HPKP is currently &#039;&#039;&#039;not&#039;&#039;&#039; recommended on production sites. More informations can be found on the [https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning MDN description page].&lt;br /&gt;
&lt;br /&gt;
= Certificates Switching =&lt;br /&gt;
&lt;br /&gt;
Certificates Switching is a technique by which a server provides a different X.509 certificate to a client based on specific selection criteria. This technique is used primarily to maintain backward compatibility with very old clients, such as Internet Explorer 6 on Windows XP SP2.&lt;br /&gt;
&lt;br /&gt;
On XPSP2, IE6 is only able to establish connections to servers that provide a certificate signed with sha1WithRSAEncryption. Those certificates are not issued by modern CAs anymore, and all sites have been encouraged to upgrade to SHA-256 certificates. As modern browsers gradually block connections backed by SHA-1 certificates, sites that need to maintain compatibility with XPSP2 must implement certificates switching to provide a SHA-1 cert to old clients and a SHA-256 cert to modern ones.&lt;br /&gt;
&lt;br /&gt;
Certificate switching can be implemented in various ways. A simplistic approach is to select the certificate based on the protocol version (SHA-256 to TLS clients, SHA-1 to SSLv3 ones). A more sophisticated approach consists at looking inside the CLIENT HELLO for SHA-256 support in the &amp;quot;signature_algorithms&amp;quot; extension.&lt;br /&gt;
&lt;br /&gt;
Few servers currently support cert switching. It is possible to implement it using [https://jve.linuxwall.info/blog/index.php?post/2015/10/04/SHA1/SHA256-certificate-switching-with-HAProxy HAProxy], and vendors like Cloudflare propose it in their offering.&lt;br /&gt;
&lt;br /&gt;
= Recommended Server Configurations =&lt;br /&gt;
&lt;br /&gt;
All configuration samples have been moved to the configuration generator and the [[Security/TLS_Configurations]] archive. Access the generator by clicking the image below:&lt;br /&gt;
&lt;br /&gt;
[[Image:Server-side-tls-config-generator.png|link=https://mozilla.github.io/server-side-tls/ssl-config-generator/]]&lt;br /&gt;
&lt;br /&gt;
= Tools =&lt;br /&gt;
== CipherScan ==&lt;br /&gt;
&lt;br /&gt;
See https://github.com/jvehent/cipherscan&lt;br /&gt;
&lt;br /&gt;
Cipherscan is a small Bash script that connects to a target and list the preferred Ciphers. It&#039;s an easy way to test a web server for available ciphers, PFS key size, elliptic curves, support for OCSP Stapling, TLS ticket lifetime and certificate trust.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
$ ./cipherscan jve.linuxwall.info&lt;br /&gt;
..........................&lt;br /&gt;
prio  ciphersuite                  protocols              pfs_keysize&lt;br /&gt;
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,4096bits&lt;br /&gt;
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,4096bits&lt;br /&gt;
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,4096bits&lt;br /&gt;
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,4096bits&lt;br /&gt;
12    AES128-GCM-SHA256            TLSv1.2&lt;br /&gt;
13    AES256-GCM-SHA384            TLSv1.2&lt;br /&gt;
14    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
15    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
17    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
18    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
19    AES256-SHA256                TLSv1.2&lt;br /&gt;
20    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
21    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
22    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
23    AES128-SHA256                TLSv1.2&lt;br /&gt;
24    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
25    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
&lt;br /&gt;
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature&lt;br /&gt;
TLS ticket lifetime hint: 300&lt;br /&gt;
OCSP stapling: supported&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== SSL Labs (Qualys) ==&lt;br /&gt;
&lt;br /&gt;
Available here: https://www.ssllabs.com/ssltest/&lt;br /&gt;
&lt;br /&gt;
Qualys SSL Labs provides a comprehensive SSL testing suite.&lt;br /&gt;
&lt;br /&gt;
GlobalSign has a modified interface of SSL Labs that is interesting as well: https://sslcheck.globalsign.com/&lt;br /&gt;
&lt;br /&gt;
= Attacks on SSL and TLS =&lt;br /&gt;
== BEAST (CVE-2011-3389) ==&lt;br /&gt;
&lt;br /&gt;
Beast is a vulnerability in the Initialization Vector (IV) of the CBC mode of AES, Camellia and a few other ciphers that use CBC mode. The attack allows a  MITM attacker to recover plaintext values by encrypting the same message multiple times.&lt;br /&gt;
&lt;br /&gt;
BEAST is mitigated in TLS1.1 and above.&lt;br /&gt;
&lt;br /&gt;
more: https://blog.torproject.org/blog/tor-and-beast-ssl-attack&lt;br /&gt;
&lt;br /&gt;
== LUCKY13 ==&lt;br /&gt;
&lt;br /&gt;
Lucky13 is another attack on CBC mode that listen for padding checks to decrypt ciphertext.&lt;br /&gt;
&lt;br /&gt;
more: https://www.imperialviolet.org/2013/02/04/luckythirteen.html&lt;br /&gt;
&lt;br /&gt;
== RC4 weaknesses ==&lt;br /&gt;
&lt;br /&gt;
As of February 2015, the IETF explicitely prohibits the use of RC4: [http://www.ietf.org/rfc/rfc7465.txt RFC 7465].&lt;br /&gt;
&lt;br /&gt;
It has been proven that RC4 biases in the first 256 bytes of a cipherstream can be used to recover encrypted text. If the same data is encrypted a very large number of times, then an attacker can apply statistical analysis to the results and recover the encrypted text. While hard to perform, this attack shows that it is time to remove RC4 from the list of trusted ciphers.&lt;br /&gt;
&lt;br /&gt;
In a public discussion ([https://bugzilla.mozilla.org/show_bug.cgi?id=927045 bug 927045]), it has been recommended to replace RC4 with 3DES. This would impact Internet Explorer 7 and 8 users that, depending on the OS, do not support AES, and will negotiate only RC4 or 3DES ciphers. Internet Explorer uses the cryptographic library “schannel”, which is OS dependent. schannel supports AES in Windows Vista, but not in Windows XP.&lt;br /&gt;
 &lt;br /&gt;
While 3DES provides more resistant cryptography, it is also 30 times slower and more cpu intensive than RC4. For large web infrastructure, the CPU cost of replacing RC4 with 3DES is non-zero. For this reason, we recommend that administrators evaluate their traffic patterns, and make the decision of replacing RC4 with 3DES on a per-case basis. At Mozilla, we evaluated that the impact on CPU usage is minor, and thus decided to replace RC4 with 3DES where backward compatibility is required.&lt;br /&gt;
&lt;br /&gt;
The root cause of the problem is information leakage that occurs when data is compressed prior to encryption. If someone can repeatedly inject and mix arbitrary content with some sensitive and relatively predictable data, and observe the resulting encrypted stream, then he will be able to extract the unknown data from it.&lt;br /&gt;
&lt;br /&gt;
more: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls&lt;br /&gt;
&lt;br /&gt;
== BREACH ==&lt;br /&gt;
&lt;br /&gt;
This is a more complex attack than CRIME, which does not require TLS-level compression (it still needs HTTP-level compression).&lt;br /&gt;
&lt;br /&gt;
In order to be successful, it requires to:&lt;br /&gt;
&lt;br /&gt;
# Be served from a server that uses HTTP-level compression&lt;br /&gt;
# Reflect user-input in HTTP response bodies&lt;br /&gt;
# Reflect a secret (such as a CSRF token) in HTTP response bodies&lt;br /&gt;
&lt;br /&gt;
more: http://breachattack.com/&lt;br /&gt;
&lt;br /&gt;
== POODLE ([http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 CVE-2014-3566]) ==&lt;br /&gt;
&lt;br /&gt;
POODLE is an attack on the padding used by SSLv3. It is a significant improvement of the BEAST attack which led the cryptography community to recommend disabling SSLv3 globally.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&#039;&#039;If you can arrange the message to be the correct length then the last block is 15 arbitrary bytes and the padding length (15). Then you arrange an interesting byte to be in the last position of a different block and duplicate that block to the end. If the record is accepted, then you know what the last byte contained because it decrypted to 15.&#039;&#039;&lt;br /&gt;
&#039;&#039;Thus the attacker needs to be able to control some of the plaintext in order to align things in the messages and needs to be able to burn lots of connections (256 per byte, roughly). Thus a secret needs to be repeated in connection after connection (i.e. a cookie).&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
source: Adam Langley in https://bugzilla.mozilla.org/show_bug.cgi?id=1076983#c29&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Daniel Stenberg (Mozilla, cUrl) has a good description of the exploitability of POODLE in http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/&lt;br /&gt;
&lt;br /&gt;
Our guidelines maintain support for SSLv3 in the Old configuration only. This is required for clients on Windows XP service pack 1 &amp;amp; 2 that do not have support for TLSv1.0. Internet Explorer and Chrome on those platforms are impacted. Mozilla wants to be reachable from very old clients, to allow them to download a better browser. Therefore, we maintain SSLv3 compatibility on a limited number of sites. But all sites that do not need that level of compatibility are encouraged to implement the Intermediate configuration&lt;br /&gt;
&lt;br /&gt;
== Logjam attack on weak Diffie-Hellman ==&lt;br /&gt;
&lt;br /&gt;
The Logjam attack describes methods of attacking TLS servers supporting DHE export ciphers, and with weak (&amp;lt;= 1024 bit) Diffie Hellman groups. Modern TLS must use DH parameters of 2048 bits and above, or only use ECDHE. The modern configuration in this guide provide configurations that are not impacted by this issue. The intermediate and old configurations are impacted, and administrators are encourage to use DH parameters of 2048 bits wherever possible.&lt;br /&gt;
&lt;br /&gt;
more: https://weakdh.org&lt;br /&gt;
&lt;br /&gt;
= SSL and TLS Settings =&lt;br /&gt;
== SPDY ==&lt;br /&gt;
&lt;br /&gt;
(see also http://en.wikipedia.org/wiki/SPDY and http://www.chromium.org/spdy/spdy-protocol)&lt;br /&gt;
&lt;br /&gt;
SPDY is a protocol that incorporate TLS, which attempts to reduce latency when loading pages. It is currently not an HTTP standard (albeit it is being drafted for HTTP 2.0), but is widely supported.&lt;br /&gt;
&lt;br /&gt;
SPDY version 3 is vulnerable to the CRIME attack (see also http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl) - this is due to the use of compression. Clients currently implement a non-standard hack in with gzip in order to circumvent the vulnerability. SPDY version 4 is planned to include a proper fix.&lt;br /&gt;
&lt;br /&gt;
== TLS tickets (RFC 5077) ==&lt;br /&gt;
&lt;br /&gt;
Once a TLS handshake has been negotiated between the server and the client, both may exchange a session ticket, which contains the session and is usually encrypted with AES-CBC 128bit. This AES key is generally static and only regenerated when the web server is restarted (with recent versions of Apache, it&#039;s stored in a file and also kept upon restarts).&lt;br /&gt;
&lt;br /&gt;
The key that encrypts TLS tickets in servers is very hard to manage and potentially introduces a security risk if not renewed regularly: if a server is breached, the key can be stolen and used to decrypt recorded TLS tickets, thus leaking session keys. TLS tickets do bring a performance benefit because of session resumption, but administrators that are more concerned about security than performance may want to disable them entirely. The trade-off we recommend is to implement restarts of web servers and force deletion of local caches to renew encryption keys.&lt;br /&gt;
&lt;br /&gt;
more information: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf&lt;br /&gt;
&lt;br /&gt;
= Cipher suites =&lt;br /&gt;
&lt;br /&gt;
Different libraries support different cipher suites and refer to them by different names. Mozilla maintains a list of [[Security/Cipher Suites|all known cipher suites]] and their corresponding names.&lt;br /&gt;
&lt;br /&gt;
== GnuTLS ciphersuite ==&lt;br /&gt;
&lt;br /&gt;
Unlike OpenSSL, GnuTLS will panic if you give it ciphers aren&#039;t supported by the library. That makes it very difficult to share a default ciphersuite to use in GnuTLS. The next best thing is using the following ciphersuite, and removing the components that break on your own version:&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
A ciphersuite can be tested in GnuTLS using &#039;&#039;&#039;gnutls-cli&#039;&#039;&#039;.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source code=bash&amp;gt;&lt;br /&gt;
$ gnutls-cli --version&lt;br /&gt;
gnutls-cli 3.1.26&lt;br /&gt;
&lt;br /&gt;
$ gnutls-cli -l --priority NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
Cipher suites for NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_GCM_SHA256                    0xc0, 0x2f  TLS1.2&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_CBC_SHA256                    0xc0, 0x27  TLS1.0&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_CBC_SHA1                      0xc0, 0x13  SSL3.0&lt;br /&gt;
TLS_ECDHE_RSA_AES_256_CBC_SHA1                      0xc0, 0x14  SSL3.0&lt;br /&gt;
TLS_DHE_RSA_AES_128_GCM_SHA256                      0x00, 0x9e  TLS1.2&lt;br /&gt;
TLS_DHE_RSA_AES_128_CBC_SHA256                      0x00, 0x67  TLS1.0&lt;br /&gt;
TLS_DHE_RSA_AES_128_CBC_SHA1                        0x00, 0x33  SSL3.0&lt;br /&gt;
TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.0&lt;br /&gt;
TLS_DHE_RSA_AES_256_CBC_SHA1                        0x00, 0x39  SSL3.0&lt;br /&gt;
TLS_RSA_AES_128_GCM_SHA256                          0x00, 0x9c  TLS1.2&lt;br /&gt;
TLS_RSA_AES_128_CBC_SHA256                          0x00, 0x3c  TLS1.0&lt;br /&gt;
TLS_RSA_AES_128_CBC_SHA1                            0x00, 0x2f  SSL3.0&lt;br /&gt;
TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.0&lt;br /&gt;
TLS_RSA_AES_256_CBC_SHA1                            0x00, 0x35  SSL3.0&lt;br /&gt;
&lt;br /&gt;
Certificate types: none&lt;br /&gt;
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0&lt;br /&gt;
Compression: COMP-NULL&lt;br /&gt;
Elliptic curves: CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1&lt;br /&gt;
PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-SHA224, SIGN-RSA-SHA1, SIGN-DSA-SHA256, SIGN-DSA-SHA224, SIGN-DSA-SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A good way to debug the ciphersuite is by performing a test connection. If the ciphersuite isn&#039;t supported, gnutls-cli will stop reading it at the component that is causing the issue.&lt;br /&gt;
&amp;lt;source code=bash&amp;gt;&lt;br /&gt;
$ gnutls-cli --debug 9999 google.com --priority &#039;NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&#039;&lt;br /&gt;
|&amp;lt;2&amp;gt;| ASSERT: gnutls_priority.c:812&lt;br /&gt;
Syntax error at: +SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
In the example above, the component SIGN-RSA-SHA224 is not supported by this version of gnutls and should be removed from the ciphersuite.&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | April King&lt;br /&gt;
| Updated cipher suite table&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Cipher_Suites&amp;diff=1212842</id>
		<title>Security/Cipher Suites</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Cipher_Suites&amp;diff=1212842"/>
		<updated>2019-05-24T22:24:38Z</updated>

		<summary type="html">&lt;p&gt;Apking: Fix broken link&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Cipher suite correspondence table =&lt;br /&gt;
IANA, OpenSSL and GnuTLS use different naming for the same ciphers. The table below lists each cipher as well as its corresponding Mozilla [[Security/Server Side TLS|Server Side TLS]] compatibility level.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | Hex&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | Priority&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | IANA&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | GnuTLS&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | NSS&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | OpenSSL&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x02&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x03&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 2&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x01&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xA9&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xA8&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2F&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2B&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 7&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x30&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 8&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2C&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 9&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9E&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 10&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA2&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA3&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9F&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 13&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x27&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 14&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x23&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 15&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x13&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 16&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x09&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 17&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x28&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 18&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x24&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 19&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x14&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0A&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 21&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x67&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 22&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x33&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 23&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x40&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 24&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6B&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 25&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x38&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 26&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x39&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9C&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 28&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9D&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 29&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3C&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 30&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3D&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2F&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 32&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x35&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 33&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAF&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 34&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAD&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 35&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA3&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 36&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9F&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 37&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAE&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 38&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAC&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 39&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA2&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 40&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9E&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 41&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6A&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 42&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x32&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 43&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 44&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9D&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 45&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA0&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 46&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9C&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 47&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 48&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5D&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 49&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x61&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 50&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x57&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 51&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x53&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 52&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5C&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 53&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x60&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 54&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x56&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 55&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x52&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 56&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x73&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x77&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 58&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-RSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC4&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 59&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC3&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 60&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x72&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 61&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x76&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 62&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBE&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBD&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 64&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x88&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 65&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x87&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 66&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x45&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 67&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x44&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 68&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x51&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 69&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x50&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC0&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 71&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 72&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x84&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 73&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x41&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 74&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9A&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x99&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 76&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x96&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 77&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_NULL_WITH_NULL_NULL&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_NULL_WITH_NULL_NULL&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x03&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_ARCFOUR_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x06&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x07&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x08&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x09&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x10&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x11&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x12&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x13&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x14&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x15&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x16&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x17&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x18&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_ARCFOUR_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x19&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x20&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x21&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x22&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_DES_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x23&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_3DES_EDE_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x24&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x25&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_IDEA_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x26&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x27&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x28&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC4_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x29&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x30&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x31&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x34&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x36&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x37&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x42&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x43&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x46&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x68&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x69&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x85&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x86&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x89&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x90&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x91&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x92&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x93&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x94&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x95&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x97&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x98&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAD&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAE&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB3&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xFF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_EMPTY_RENEGOTIATION_INFO_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_EMPTY_RENEGOTIATION_INFO_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | Unassigned&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_AES_128_CCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_AES_128_CCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_AES_128_CCM_8_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_AES_128_CCM_8_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x56,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_FALLBACK_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_FALLBACK_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x03&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x06&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x07&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x08&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x10&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x11&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x12&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x15&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x16&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x17&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x18&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x19&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x20&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x21&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x22&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x25&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x26&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x29&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x31&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x32&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x33&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x34&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x35&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x36&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x37&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x38&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x39&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x40&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x41&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x42&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x43&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x44&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x45&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x46&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x47&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x48&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x49&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x54&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x55&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x58&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x59&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x62&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x63&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x64&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x65&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x66&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x67&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x68&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x69&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x70&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x71&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x74&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x75&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x78&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x79&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x80&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x81&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x82&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x83&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x84&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x85&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x86&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x87&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x88&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x89&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x90&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x91&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x92&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x93&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x94&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x95&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x96&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x97&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x98&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x99&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_DHE_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_DHE_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECCPWD_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECCPWD_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECCPWD_WITH_AES_128_CCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB3&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECCPWD_WITH_AES_256_CCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SHA256_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SHA384_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC1,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC1,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC1,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_GOSTR341112_256_WITH_28147_CNT_IMIT&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAD&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAE&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | Unassigned&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x03&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | Unassigned&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The table above was automatically generated via: [https://github.com/april/tls-table/blob/master/tls-table.py https://github.com/april/tls-table/blob/master/tls-table.py], and was last updated in May 2019.&lt;br /&gt;
&lt;br /&gt;
Colors correspond to the [[#Modern_compatibility|&amp;lt;span style=&amp;quot;color: #008000; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;]], [[#Intermediate_compatibility_.28default.29|&amp;lt;span style=&amp;quot;color: #FFA500; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;]], and [[#Old_backward_compatibility|&amp;lt;span style=&amp;quot;color: #808080; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;]] compatibility levels. Each compatibility level is a superset of the more modern levels above it.&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Cipher_Suites&amp;diff=1212841</id>
		<title>Security/Cipher Suites</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Cipher_Suites&amp;diff=1212841"/>
		<updated>2019-05-24T22:22:46Z</updated>

		<summary type="html">&lt;p&gt;Apking: Create Cipher Suites page&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;= Cipher suite correspondence table =&lt;br /&gt;
IANA, OpenSSL and GnuTLS use different naming for the same ciphers. The table below lists each cipher as well as its corresponding Mozilla [[Server Side TLS]] compatibility level.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | Hex&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | Priority&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | IANA&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | GnuTLS&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | NSS&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | OpenSSL&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x02&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x03&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 2&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x01&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xA9&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xA8&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2F&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2B&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 7&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x30&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 8&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2C&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 9&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9E&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 10&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA2&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA3&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9F&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 13&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x27&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 14&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x23&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 15&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x13&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 16&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x09&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 17&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x28&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 18&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x24&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 19&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x14&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0A&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 21&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x67&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 22&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x33&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 23&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x40&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 24&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6B&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 25&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x38&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 26&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x39&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9C&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 28&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9D&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 29&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3C&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 30&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3D&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2F&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 32&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x35&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 33&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAF&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 34&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAD&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 35&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA3&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 36&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9F&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 37&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAE&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 38&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAC&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 39&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA2&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 40&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9E&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 41&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6A&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 42&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x32&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 43&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 44&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9D&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 45&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA0&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 46&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9C&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 47&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 48&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5D&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 49&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x61&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 50&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x57&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 51&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x53&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 52&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5C&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 53&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x60&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 54&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x56&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 55&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x52&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 56&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x73&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 57&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x77&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 58&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-RSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC4&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 59&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC3&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 60&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x72&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 61&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-ECDSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x76&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 62&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ECDHE-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBE&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 63&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBD&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 64&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x88&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 65&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x87&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 66&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x45&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 67&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x44&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 68&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x51&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 69&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x50&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 70&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC0&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 71&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 72&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x84&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 73&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x41&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 74&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9A&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 75&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x99&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 76&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x96&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 77&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_NULL_WITH_NULL_NULL&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_NULL_WITH_NULL_NULL&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x03&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_ARCFOUR_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x06&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x07&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x08&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x09&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x10&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x11&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x12&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x13&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x14&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x15&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x16&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x17&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x18&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_ARCFOUR_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x19&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x20&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x21&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x22&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_DES_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x23&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_3DES_EDE_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x24&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x25&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_IDEA_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x26&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x27&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x28&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC4_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x29&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x30&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x31&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x34&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x36&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x37&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x42&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x43&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x46&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x68&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x69&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x85&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x86&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x89&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x90&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x91&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x92&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x93&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x94&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x95&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x97&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x98&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAD&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAE&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB3&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xFF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_EMPTY_RENEGOTIATION_INFO_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_EMPTY_RENEGOTIATION_INFO_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | Unassigned&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_AES_128_CCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_AES_128_CCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x13,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_AES_128_CCM_8_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_AES_128_CCM_8_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x56,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_FALLBACK_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_FALLBACK_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x03&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x06&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x07&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x08&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x10&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x11&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x12&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x15&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x16&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x17&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x18&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x19&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x20&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x21&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x22&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x25&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x26&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x29&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x31&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x32&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x33&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x34&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x35&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x36&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x37&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x38&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x39&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x40&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x41&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x42&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x43&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x44&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x45&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x46&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x47&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x48&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x49&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x54&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x55&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x58&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x59&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x62&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x63&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x64&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x65&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x66&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x67&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x68&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x69&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-ARIA128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-ARIA256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x70&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x71&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x74&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x75&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x78&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x79&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x80&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x81&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x82&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x83&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x84&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x85&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x86&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x87&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x88&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x89&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x90&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x91&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x92&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x93&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x94&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x95&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x96&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x97&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x98&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x99&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_DHE_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_DHE_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECCPWD_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECCPWD_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECCPWD_WITH_AES_128_CCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB3&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECCPWD_WITH_AES_256_CCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SHA256_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xB5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SHA384_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC1,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_GOSTR341112_256_WITH_KUZNYECHIK_CTR_OMAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC1,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_GOSTR341112_256_WITH_MAGMA_CTR_OMAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC1,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_GOSTR341112_256_WITH_28147_CNT_IMIT&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAD&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xCC,0xAE&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CHACHA20_POLY1305&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-CHACHA20-POLY1305&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | Unassigned&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x03&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | Unassigned&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xD0,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The table above was automatically generated via: [https://github.com/april/tls-table/blob/master/tls-table.py https://github.com/april/tls-table/blob/master/tls-table.py], and was last updated in May 2019.&lt;br /&gt;
&lt;br /&gt;
Colors correspond to the [[#Modern_compatibility|&amp;lt;span style=&amp;quot;color: #008000; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;]], [[#Intermediate_compatibility_.28default.29|&amp;lt;span style=&amp;quot;color: #FFA500; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;]], and [[#Old_backward_compatibility|&amp;lt;span style=&amp;quot;color: #808080; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;]] compatibility levels. Each compatibility level is a superset of the more modern levels above it.&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1164366</id>
		<title>Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1164366"/>
		<updated>2017-03-02T20:19:43Z</updated>

		<summary type="html">&lt;p&gt;Apking: Automated sync from https://github.com/mozilla/wikimo_opsec&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents the leaking of internal URLs via &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as two years (63072000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the two years (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=63072000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next two years and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [https://csp-evaluator.withgoogle.com/ Google CSP Evaluator]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists security researchers to find testable websites and instructs them on where to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.&lt;br /&gt;
&lt;br /&gt;
In normal operation, if a page at https://example.com/page.html contains &amp;lt;tt&amp;gt;&amp;lt;nowiki&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/nowiki&amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image.jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
* &amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the directives above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Disable referrers for browsers that don&#039;t support strict-origin-when-cross-origin&lt;br /&gt;
# Uses strict-origin-when-cross-origin for browsers that do&lt;br /&gt;
Referrer-Policy: no-referrer, strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;no-referrer, strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;no-referrer, strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed with X-Frame-Options and CSP&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039;&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow only framer.mozilla.org to frame site&lt;br /&gt;
# Note that this blocks framing from browsers that don&#039;t support CSP2+&lt;br /&gt;
Content-Security-Policy: frame-ancestors https://framer.mozilla.org&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on &#039;frame-ancestors&#039;]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | November, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy, tidied up XFO examples&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1157830</id>
		<title>Security/Server Side TLS</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Server_Side_TLS&amp;diff=1157830"/>
		<updated>2016-12-23T22:05:28Z</updated>

		<summary type="html">&lt;p&gt;Apking: Reverted edits by Zzq1015 (talk) to last revision by Ulfr&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; padding-left: 1em;&amp;quot;&amp;gt;The goal of this document is to help operational teams with the configuration of TLS on servers. All Mozilla sites and deployment should follow the recommendations below.&lt;br /&gt;
&lt;br /&gt;
The Operations Security (OpSec) team maintains this document as a reference guide to navigate the TLS landscape. It contains information on TLS protocols, known issues and vulnerabilities, configuration examples and testing tools. Changes are reviewed and merged by the OpSec team, and broadcasted to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/server-side-tls source repository on github].&lt;br /&gt;
&lt;br /&gt;
If you are looking for the configuration generator, click the image below:&amp;lt;br /&amp;gt;&lt;br /&gt;
[[Image:Server-side-tls-config-generator.png|500px|center|link=https://mozilla.github.io/server-side-tls/ssl-config-generator/]]&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Recommended configurations =&lt;br /&gt;
Three configurations are recommended. Pick the right configuration depending on your audience. If you do not need backward compatibility, and are building a service for modern clients only (post Firefox 27/Chrome 22), then use the Modern configuration. Otherwise, prefer the Intermediate configuration. Use the Old backward compatible configuration only if your service will be accessed by very old clients, such as Windows XP IE6, or ancient libraries &amp;amp; bots.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration !! Oldest compatible client&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, Java 8&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7&lt;br /&gt;
|-&lt;br /&gt;
|  &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; || Windows XP IE6, Java 6&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Older versions of OpenSSL may not return the full list of algorithms. AES-GCM and some ECDHE are fairly recent, and not present on most versions of OpenSSL shipped with Ubuntu or RHEL. This listing below was obtained from a freshly built OpenSSL. If your version of OpenSSL is old, unavailable ciphers will be discarded automatically. Always use the full ciphersuite and let OpenSSL pick the ones it supports.&lt;br /&gt;
&lt;br /&gt;
The ordering of a ciphersuite is very important because it decides which algorithms are going to be selected in priority. Each level shows the list of algorithms returned by its ciphersuite. If you have to pick ciphers manually for your application, make sure you keep the ordering.&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:green;&amp;quot;&amp;gt;&#039;&#039;&#039;Modern&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility ==&lt;br /&gt;
For services that don&#039;t need backward compatibility, the parameters below provide a higher level of security. This configuration is compatible with Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;ECDSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption, ecdsa-with-SHA256, ecdsa-with-SHA384, ecdsa-with-SHA512&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039; (if not ecdsa)&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;None&#039;&#039;&#039; (disabled entirely)&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xCC,0x14  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0x13  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* AES256-GCM is prioritized above its 128 bits variant, and ChaCha20 because we assume that most modern devices support AESNI instructions and thus benefit from fast and constant time AES. &lt;br /&gt;
* We recommend ECDSA certificates with P256 as other curves may not be supported everywhere. RSA signatures on ECDSA certificates are permitted because very few CAs sign with ECDSA at the moment.&lt;br /&gt;
* DHE is removed entirely because it is slow in comparison with ECDHE, and all modern clients support elliptic curve key exchanges.&lt;br /&gt;
* SHA1 signature algorithm is removed in favor of SHA384 for AES256 and SHA256 for AES128.&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:orange;&amp;quot;&amp;gt;&#039;&#039;&#039;Intermediate&#039;&#039;&#039;&amp;lt;/span&amp;gt; compatibility (default) ==&lt;br /&gt;
For services that don&#039;t need compatibility with legacy clients (mostly WinXP), but still need to support a wide range of clients, this configuration is recommended. It is is compatible with Firefox 1, Chrome 1, IE 7, Opera 5 and Safari 1.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2, TLSv1.1, TLSv1&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xCC,0x14  -  ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0x13  -  ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA         SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA           SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x33  -  DHE-RSA-AES128-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x39  -  DHE-RSA-AES256-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA       SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA         SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA           SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384              TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                  TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                     SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                   SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* ChaCha20 is prefered as the fastest and safest in-software cipher, followed by AES128. Unlike the modern configuration, we do not assume clients support AESNI and thus do not prioritize AES256 above 128 and ChaCha20. There has been discussions ([http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg11247.html 1], [http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg12398.html 2]) on whether AES256 extra security was worth its computing cost in software (without AESNI), and the results are far from obvious. At the moment, AES128 is preferred, because it provides good security, is really fast, and seems to be more resistant to timing attacks.&lt;br /&gt;
* DES-CBC3-SHA and EDH-RSA-DES-CBC3-SHA are maintained for backward compatibility with clients that do not support AES.&lt;br /&gt;
* While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as SEED, CAMELLIA, ...).&lt;br /&gt;
&lt;br /&gt;
== &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;&#039;&#039;&#039;Old&#039;&#039;&#039;&amp;lt;/span&amp;gt; backward compatibility ==&lt;br /&gt;
&lt;br /&gt;
This is the old ciphersuite that works with all clients back to Windows XP/IE6. It should be used as a last resort only.&lt;br /&gt;
&lt;br /&gt;
* Ciphersuites: &#039;&#039;&#039;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP&#039;&#039;&#039;&lt;br /&gt;
* Versions: &#039;&#039;&#039;TLSv1.2, TLSv1.1, TLSv1, SSLv3&#039;&#039;&#039;&lt;br /&gt;
* TLS curves: &#039;&#039;&#039;prime256v1, secp384r1, secp521r1&#039;&#039;&#039;&lt;br /&gt;
* Certificate type: &#039;&#039;&#039;RSA&#039;&#039;&#039;&lt;br /&gt;
* Certificate curve: &#039;&#039;&#039;&#039;None&#039;&#039;&#039;&lt;br /&gt;
* Certificate signature: &#039;&#039;&#039;sha256WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
* RSA key size: &#039;&#039;&#039;2048&#039;&#039;&#039;&lt;br /&gt;
* DH Parameter size: &#039;&#039;&#039;1024&#039;&#039;&#039;&lt;br /&gt;
* ECDH Parameter size: &#039;&#039;&#039;256&#039;&#039;&#039;&lt;br /&gt;
* HSTS: &#039;&#039;&#039;max-age=15768000&#039;&#039;&#039;&lt;br /&gt;
* Certificate switching: &#039;&#039;&#039;sha1WithRSAEncryption&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
0xCC,0x14  -  ECDHE-ECDSA-CHACHA20-POLY1305   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xCC,0x13  -  ECDHE-RSA-CHACHA20-POLY1305     TLSv1.2  Kx=ECDH  Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x2F  -  ECDHE-RSA-AES128-GCM-SHA256     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x2B  -  ECDHE-ECDSA-AES128-GCM-SHA256   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0xC0,0x30  -  ECDHE-RSA-AES256-GCM-SHA384     TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x2C  -  ECDHE-ECDSA-AES256-GCM-SHA384   TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9E  -  DHE-RSA-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0xA2  -  DHE-DSS-AES128-GCM-SHA256       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0xA3  -  DHE-DSS-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=DSS    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x9F  -  DHE-RSA-AES256-GCM-SHA384       TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0xC0,0x27  -  ECDHE-RSA-AES128-SHA256         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x23  -  ECDHE-ECDSA-AES128-SHA256       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0xC0,0x13  -  ECDHE-RSA-AES128-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x09  -  ECDHE-ECDSA-AES128-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0xC0,0x28  -  ECDHE-RSA-AES256-SHA384         TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x24  -  ECDHE-ECDSA-AES256-SHA384       TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA384&lt;br /&gt;
0xC0,0x14  -  ECDHE-RSA-AES256-SHA            SSLv3    Kx=ECDH  Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x0A  -  ECDHE-ECDSA-AES256-SHA          SSLv3    Kx=ECDH  Au=ECDSA  Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x67  -  DHE-RSA-AES128-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x33  -  DHE-RSA-AES128-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x40  -  DHE-DSS-AES128-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x6B  -  DHE-RSA-AES256-SHA256           TLSv1.2  Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x38  -  DHE-DSS-AES256-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x39  -  DHE-RSA-AES256-SHA              SSLv3    Kx=DH    Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0xC0,0x12  -  ECDHE-RSA-DES-CBC3-SHA          SSLv3    Kx=ECDH  Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0xC0,0x08  -  ECDHE-ECDSA-DES-CBC3-SHA        SSLv3    Kx=ECDH  Au=ECDSA  Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x16  -  EDH-RSA-DES-CBC3-SHA            SSLv3    Kx=DH    Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9C  -  AES128-GCM-SHA256               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(128)    Mac=AEAD&lt;br /&gt;
0x00,0x9D  -  AES256-GCM-SHA384               TLSv1.2  Kx=RSA   Au=RSA    Enc=AESGCM(256)    Mac=AEAD&lt;br /&gt;
0x00,0x3C  -  AES128-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA256&lt;br /&gt;
0x00,0x3D  -  AES256-SHA256                   TLSv1.2  Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x2F  -  AES128-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x35  -  AES256-SHA                      SSLv3    Kx=RSA   Au=RSA    Enc=AES(256)       Mac=SHA1&lt;br /&gt;
0x00,0x6A  -  DHE-DSS-AES256-SHA256           TLSv1.2  Kx=DH    Au=DSS    Enc=AES(256)       Mac=SHA256&lt;br /&gt;
0x00,0x32  -  DHE-DSS-AES128-SHA              SSLv3    Kx=DH    Au=DSS    Enc=AES(128)       Mac=SHA1&lt;br /&gt;
0x00,0x0A  -  DES-CBC3-SHA                    SSLv3    Kx=RSA   Au=RSA    Enc=3DES(168)      Mac=SHA1&lt;br /&gt;
0x00,0x9A  -  DHE-RSA-SEED-SHA                SSLv3    Kx=DH    Au=RSA    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
0x00,0x99  -  DHE-DSS-SEED-SHA                SSLv3    Kx=DH    Au=DSS    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
0xCC,0x15  -  DHE-RSA-CHACHA20-POLY1305       TLSv1.2  Kx=DH    Au=RSA    Enc=ChaCha20(256)  Mac=AEAD&lt;br /&gt;
0xC0,0x77  -  ECDHE-RSA-CAMELLIA256-SHA384    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(256)  Mac=SHA384&lt;br /&gt;
0xC0,0x73  -  ECDHE-ECDSA-CAMELLIA256-SHA384  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(256)  Mac=SHA384&lt;br /&gt;
0x00,0xC4  -  DHE-RSA-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0xC3  -  DHE-DSS-CAMELLIA256-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0x88  -  DHE-RSA-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0x00,0x87  -  DHE-DSS-CAMELLIA256-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0x00,0xC0  -  CAMELLIA256-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA256&lt;br /&gt;
0x00,0x84  -  CAMELLIA256-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(256)  Mac=SHA1&lt;br /&gt;
0xC0,0x76  -  ECDHE-RSA-CAMELLIA128-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0xC0,0x72  -  ECDHE-ECDSA-CAMELLIA128-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0xBE  -  DHE-RSA-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0xBD  -  DHE-DSS-CAMELLIA128-SHA256      TLSv1.2  Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0x45  -  DHE-RSA-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=RSA    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0x44  -  DHE-DSS-CAMELLIA128-SHA         SSLv3    Kx=DH    Au=DSS    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0xBA  -  CAMELLIA128-SHA256              TLSv1.2  Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA256&lt;br /&gt;
0x00,0x41  -  CAMELLIA128-SHA                 SSLv3    Kx=RSA   Au=RSA    Enc=Camellia(128)  Mac=SHA1&lt;br /&gt;
0x00,0x96  -  SEED-SHA                        SSLv3    Kx=RSA   Au=RSA    Enc=SEED(128)      Mac=SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Rationale:&lt;br /&gt;
* You should take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only, and most servers should use the intermediate configuration instead.&lt;br /&gt;
* SSLv3 is enabled to support WinXP SP2 clients on IE.&lt;br /&gt;
* SHA1 certificates are authorized but only via certificate switching, meaning the server must implement custom logic to provide a SHA1 certs to old clients, and SHA256 certs to all others. More information in the &amp;quot;Certificates Switching&amp;quot; section later in this document.&lt;br /&gt;
* Most ciphers that are not clearly broken and dangerous to use are supported&lt;br /&gt;
&lt;br /&gt;
= JSON version of the recommendations =&lt;br /&gt;
&lt;br /&gt;
You can find the recommendations above in JSON format at the address [https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json https://statics.tls.security.mozilla.org/server-side-tls-conf-4.0.json].&lt;br /&gt;
&lt;br /&gt;
This location is permanent and can be referenced in scripts and tools. The file is versioned and will not change, to avoid breaking tools when we update the recommendations.&lt;br /&gt;
&lt;br /&gt;
If you wish to point to the latest version of the recommendations, use this address: [[https://statics.tls.security.mozilla.org/server-side-tls-conf.json https://statics.tls.security.mozilla.org/server-side-tls-conf.json].&lt;br /&gt;
Be advised the above will always point to the latest version and &#039;&#039;&#039;will not provide backward compatibility&#039;&#039;&#039;.&lt;br /&gt;
If you use it to automatically configure your servers without review, it may break things. Prefer the version-specific files instead.&lt;br /&gt;
&lt;br /&gt;
== Previous versions ==&lt;br /&gt;
&lt;br /&gt;
* None&lt;br /&gt;
&lt;br /&gt;
= Mandatory discards =&lt;br /&gt;
&lt;br /&gt;
* aNULL contains non-authenticated Diffie-Hellman key exchanges, that are subject to Man-In-The-Middle (MITM) attacks&lt;br /&gt;
* eNULL contains null-encryption ciphers (cleartext)&lt;br /&gt;
* EXPORT are legacy weak ciphers that were marked as exportable by US law&lt;br /&gt;
* RC4 contains ciphers that use the deprecated ARCFOUR algorithm&lt;br /&gt;
* DES contains ciphers that use the deprecated Data Encryption Standard&lt;br /&gt;
* SSLv2 contains all ciphers that were defined in the old version of the SSL standard, now deprecated&lt;br /&gt;
* MD5 contains all the ciphers that use the deprecated message digest 5 as the hashing algorithm&lt;br /&gt;
&lt;br /&gt;
= Forward Secrecy =&lt;br /&gt;
&lt;br /&gt;
The concept of forward secrecy is simple: client and server negotiate a key that never hits the wire, and is destroyed at the end of the session. The RSA private from the server is used to sign a Diffie-Hellman key exchange between the client and the server. The pre-master key obtained from the Diffie-Hellman handshake is then used for encryption. Since the pre-master key is specific to a connection between a client and a server, and used only for a limited amount of time, it is called Ephemeral.&lt;br /&gt;
&lt;br /&gt;
With Forward Secrecy, if an attacker gets a hold of the server&#039;s private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.&lt;br /&gt;
&lt;br /&gt;
== DHE handshake and dhparam ==&lt;br /&gt;
&lt;br /&gt;
When an ephemeral Diffie-Hellman cipher is used, the server and the client negotiate a pre-master key using the Diffie-Hellman algorithm. This algorithm requires that the server sends the client a prime number and a generator. Neither are confidential, and are sent in clear text. However, they must be signed, such that a MITM cannot hijack the handshake.&lt;br /&gt;
&lt;br /&gt;
As an example, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 works as follow:&lt;br /&gt;
[[File:Dhe_params.png|frame|server key exchange message as displayed in Wireshark]]&lt;br /&gt;
[[File:Dhe_client_params.png|frame|client key exchange message as displayed in Wireshark]]&lt;br /&gt;
# Server sends Client a [http://tools.ietf.org/html/rfc5246#section-7.4.3 SERVER KEY EXCHANGE] message during the SSL Handshake. The message contains:&lt;br /&gt;
## Prime number &#039;&#039;p&#039;&#039;&lt;br /&gt;
## Generator &#039;&#039;g&#039;&#039;&lt;br /&gt;
## Server&#039;s Diffie-Hellman public value &#039;&#039;A = g^X mod p&#039;&#039;, where &#039;&#039;X&#039;&#039; is a private integer chosen by the server at random, and never shared with the client. (note: A is called &#039;&#039;pubkey&#039;&#039; in wireshark)&lt;br /&gt;
## signature &#039;&#039;S&#039;&#039; of the above (plus two random values) computed using the Server&#039;s private RSA key&lt;br /&gt;
# Client verifies the signature &#039;&#039;S&#039;&#039;&lt;br /&gt;
# Client sends server a [http://tools.ietf.org/html/rfc5246#section-7.4.7 CLIENT KEY EXCHANGE] message. The message contains:&lt;br /&gt;
## Client&#039;s Diffie-Hellman public value &#039;&#039;B = g^Y mod p&#039;&#039;, where &#039;&#039;Y&#039;&#039; is a private integer chosen at random and never shared. (note: B is called &#039;&#039;pubkey&#039;&#039; in wireshark)&lt;br /&gt;
# The Server and the Client can now calculate the pre-master secret using each other&#039;s public values:&lt;br /&gt;
## server calculates &#039;&#039;PMS = B^X mod p&#039;&#039;&lt;br /&gt;
## client calculates &#039;&#039;PMS = A^Y mod p&#039;&#039;&lt;br /&gt;
# Client sends a [http://tools.ietf.org/html/rfc5246#section-7.1 CHANGE CIPHER SPEC] message to the server, and both parties continue the handshake using ENCRYPTED HANDSHAKE MESSAGES&lt;br /&gt;
&lt;br /&gt;
The size of the prime number &#039;&#039;p&#039;&#039; constrains the size of the pre-master key &#039;&#039;PMS&#039;&#039;, because of the modulo operation. A smaller prime almost means weaker values of &#039;&#039;A&#039;&#039; and &#039;&#039;B&#039;&#039;, which could leak the secret values &#039;&#039;X&#039;&#039; and &#039;&#039;Y&#039;&#039;. Thus, the prime &#039;&#039;p&#039;&#039; should not be smaller than the size of the RSA private key.&lt;br /&gt;
&lt;br /&gt;
== Pre-defined DHE groups ==&lt;br /&gt;
&lt;br /&gt;
Instead of using pre-configured DH groups, or generating their own with &amp;quot;openssl dhparam&amp;quot;, operators should use the pre-defined DH groups ffdhe2048, ffdhe3072 or ffdhe4096 recommended by the IETF in [RFC 7919 https://tools.ietf.org/html/rfc7919].  These groups are audited and may be more resistant to attacks than ones randomly generated.&lt;br /&gt;
&lt;br /&gt;
Note: if you must support old Java clients, Dh groups larger than 1024 bits may block connectivity (see [[#DHE_and_Java]]).&lt;br /&gt;
&lt;br /&gt;
=== ffdhe2048 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== ffdhe3072 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3&lt;br /&gt;
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32&lt;br /&gt;
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu&lt;br /&gt;
N///////////AgEC&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== ffdhe4096 ===&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
-----BEGIN DH PARAMETERS-----&lt;br /&gt;
MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz&lt;br /&gt;
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a&lt;br /&gt;
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7&lt;br /&gt;
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi&lt;br /&gt;
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD&lt;br /&gt;
ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3&lt;br /&gt;
7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32&lt;br /&gt;
nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e&lt;br /&gt;
8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx&lt;br /&gt;
iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K&lt;br /&gt;
zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=&lt;br /&gt;
-----END DH PARAMETERS-----&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== DHE and ECDHE support ==&lt;br /&gt;
Most modern clients that support both ECDHE and DHE typically prefer the former, because ECDHE provides faster handshakes than DHE ([http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html], [http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html]).&lt;br /&gt;
&lt;br /&gt;
Unfortunately, some widely used clients lack support for ECDHE and must then rely on DHE to provide perfect forward secrecy:&lt;br /&gt;
* Android &amp;lt; 3.0.0&lt;br /&gt;
* Java &amp;lt; 7&lt;br /&gt;
* OpenSSL &amp;lt; 1.0.0&lt;br /&gt;
&lt;br /&gt;
Note that schannel on Windows XP technically support DHE, but only with DSA keys, making it unusable on the internet in practice.&lt;br /&gt;
&lt;br /&gt;
== DHE and Java ==&lt;br /&gt;
Java 6 and 7 do not support Diffie-Hellman parameters larger than 1024 bits. If your server expects to receive connections from java 6 clients and wants to enable PFS, it must provide a DHE parameter of 1024 bits.&lt;br /&gt;
&lt;br /&gt;
If keeping the compatibility with Java &amp;lt; 7 is a necessity, thus preventing the use of large DH keys, three solutions are available:&lt;br /&gt;
* using custom 1024-bit DH parameters, different from Oakley group 2, preferably generated with &#039;&#039;&#039;openssl dhparam 1024&#039;&#039;&#039; ;&lt;br /&gt;
* if the software used does not support custom DH parameters, like Apache HTTPd &amp;lt; 2.2.30, it is possible to keep using the 1024-bit DH Oakley group 2, knowing these clients may be at risk of a compromise;&lt;br /&gt;
* it is also possible to completely disable DHE. This means that clients not supporting ECDHE will be reverting to static RSA, giving up Forward Secrecy.&lt;br /&gt;
&lt;br /&gt;
The case of Java 7 is a bit different. Java 7 supports ECDHE ciphers, so if the server provides ECDHE and prioritizes it before DHE ciphers using server side ordering, then Java 7 will use ECDHE and not care about the size of the DHE parameter. In this situation, the server can use 2048 bits DHE parameters for all other clients.&lt;br /&gt;
&lt;br /&gt;
However, if the server does not support ECDHE, then Java 7 will use DHE and fail if the parameter is larger than 1024 bits. When failing, the handshake will not attempt to fall back to the next cipher in line, but simply fail with the error &amp;quot;java.lang.RuntimeException: Could not generate DH keypair&amp;quot;.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Java supported !! ECDHE prioritized !! smallest DH parameter size&lt;br /&gt;
|-&lt;br /&gt;
|  6 || irrelevant || 1024&lt;br /&gt;
|-&lt;br /&gt;
|  7 || NO || 1024&lt;br /&gt;
|-&lt;br /&gt;
|  7 || YES || 2048&lt;br /&gt;
|-&lt;br /&gt;
|  8 || irrelevant || 2048&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= OCSP Stapling =&lt;br /&gt;
When connecting to a server, clients should verify the validity of the server certificate using either a Certificate Revocation List (CRL), or an Online Certificate Status Protocol (OCSP) record. The problem with CRL is that the lists have grown huge and takes forever to download.&lt;br /&gt;
&lt;br /&gt;
OCSP is much more lightweight, as only one record is retrieved at a time. But the side effect is that OCSP requests must be made to a 3rd party OCSP responder when connecting to a server, which adds latency and potential failures. In fact, the OCSP responders operated by CAs are often so unreliable that browser will fail silently if no response is received in a timely manner. This reduces security, by allowing an attacker to DoS an OCSP responder to disable the validation.&lt;br /&gt;
&lt;br /&gt;
The solution is to allow the server to send its cached OCSP record during the TLS handshake, therefore bypassing the OCSP responder. This mechanism saves a roundtrip between the client and the OCSP responder, and is called OCSP Stapling.&lt;br /&gt;
&lt;br /&gt;
The server will send a cached OCSP response only if the client requests it, by announcing support for the &#039;&#039;&#039;status_request&#039;&#039;&#039; TLS extension in its CLIENT HELLO.&lt;br /&gt;
&lt;br /&gt;
[[File:OCSP_Stapling.png]]&lt;br /&gt;
&lt;br /&gt;
Most servers will cache OCSP response for up to 48 hours. At regular intervals, the server will connect to the OCSP responder of the CA to retrieve a fresh OCSP record. The location of the OCSP responder is taken from the Authority Information Access field of the signed certificate. For example, with StartSSL:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Authority Information Access:&lt;br /&gt;
      OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Support for OCSP Stapling can be tested using the &#039;&#039;&#039;-status&#039;&#039;&#039; option of the OpenSSL client.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
$ openssl s_client -connect monitor.mozillalabs.com:443 -status&lt;br /&gt;
...&lt;br /&gt;
======================================&lt;br /&gt;
OCSP Response Data:&lt;br /&gt;
    OCSP Response Status: successful (0x0)&lt;br /&gt;
    Response Type: Basic OCSP Response&lt;br /&gt;
    Version: 1 (0x0)&lt;br /&gt;
...&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Session Resumption =&lt;br /&gt;
&lt;br /&gt;
Session Resumption is the ability to reuse the session secrets previously negotiated between a client and a server for a new TLS connection. This feature greatly increases the speed establishment of TLS connections after the first handshake, and is very useful for connections that use Perfect Forward Secrecy with a slow handshake like DHE.&lt;br /&gt;
&lt;br /&gt;
Session Resumption can be performed using one of two methods:&lt;br /&gt;
&lt;br /&gt;
# session identifier: When establishing a first session, the server generates an arbitrary session ID sent to the client. On subsequent connections, the client sends the session ID in the CLIENT HELLO message, indicating to the server it wants to reuse an existing state. If the server can find a corresponding state in its local cache, it reuse the session secrets and skips directly to exchanging encrypted data with the client. If the cache stored on the server is compromised, session keys from the cache can be used to decrypt past and future sessions.&lt;br /&gt;
# session tickets: Storing a cache on the server might be problematic for systems that handle very large numbers of clients. Session tickets provide an alternative where the server sends the encrypted state (ticket) to the client instead of storing it in its local cache. The client can send back the encrypted state to the server in subsequent connections, thus allowing session resumption. This method requires symmetric keys on the server to encrypt and decrypt session tickets. If the keys are compromised, an attacker obtains access to session keys and can decrypt past and future sessions.&lt;br /&gt;
&lt;br /&gt;
Session resumption is a very useful performance feature of TLS, but also carries a significant amount of risk. Most servers do not purge sessions or ticket keys, thus increasing the risk that a server compromise would leak data from previous (and future) connections.&lt;br /&gt;
&lt;br /&gt;
The current recommendation for web servers is to enable session resumption and benefit from the performance improvement, but to restart servers daily when possible. This ensure that sessions get purged and ticket keys get renewed on a regular basis.&lt;br /&gt;
&lt;br /&gt;
= HSTS: HTTP Strict Transport Security =&lt;br /&gt;
&lt;br /&gt;
[https://tools.ietf.org/html/rfc6797 HSTS] is a HTTP header sent by a server to a client, indicating that the current site must only be accessed over HTTPS until expiration of the HSTS value is reached.&lt;br /&gt;
&lt;br /&gt;
The header format is very simple, composed only of a &#039;&#039;&#039;max-age&#039;&#039;&#039; parameter that indicates when the directive should expire. max-age is expressed in seconds. A typical value is 15768000 seconds, or 6 months.&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Strict-Transport-Security: max-age=15768000&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
HSTS is becoming more and more of a standard, but should only be used when the site&#039;s operators are confident that HTTPS will be available continuously for the duration of max-age. Once the HSTS header is sent to client, HTTPS cannot be disabled on the site until the last client has expired its HSTS record.&lt;br /&gt;
&lt;br /&gt;
= HPKP: Public Key Pinning Extension for HTTP =&lt;br /&gt;
&lt;br /&gt;
See [http://tools.ietf.org/html/rfc7469 RFC7469].&lt;br /&gt;
&lt;br /&gt;
HPKP is an &#039;&#039;&#039;experimental&#039;&#039;&#039; HTTP header sent by a server to a client, to indicate that some certificates related to the site should be pinned in the client. The client would thus refuse to establish a connection to the server if the pining does not comply.&lt;br /&gt;
&lt;br /&gt;
Due to its experimental nature, HPKP is currently &#039;&#039;&#039;not&#039;&#039;&#039; recommended on production sites. More informations can be found on the [https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning MDN description page].&lt;br /&gt;
&lt;br /&gt;
= Certificates Switching =&lt;br /&gt;
&lt;br /&gt;
Certificates Switching is a technique by which a server provides a different X.509 certificate to a client based on specific selection criteria. This technique is used primarily to maintain backward compatibility with very old clients, such as Internet Explorer 6 on Windows XP SP2.&lt;br /&gt;
&lt;br /&gt;
On XPSP2, IE6 is only able to establish connections to servers that provide a certificate signed with sha1WithRSAEncryption. Those certificates are not issued by modern CAs anymore, and all sites have been encouraged to upgrade to SHA-256 certificates. As modern browsers gradually block connections backed by SHA-1 certificates, sites that need to maintain compatibility with XPSP2 must implement certificates switching to provide a SHA-1 cert to old clients and a SHA-256 cert to modern ones.&lt;br /&gt;
&lt;br /&gt;
Certificate switching can be implemented in various ways. A simplistic approach is to select the certificate based on the protocol version (SHA-256 to TLS clients, SHA-1 to SSLv3 ones). A more sophisticated approach consists at looking inside the CLIENT HELLO for SHA-256 support in the &amp;quot;signature_algorithms&amp;quot; extension.&lt;br /&gt;
&lt;br /&gt;
Few servers currently support cert switching. It is possible to implement it using [https://jve.linuxwall.info/blog/index.php?post/2015/10/04/SHA1/SHA256-certificate-switching-with-HAProxy HAProxy], and vendors like Cloudflare propose it in their offering.&lt;br /&gt;
&lt;br /&gt;
= Recommended Server Configurations =&lt;br /&gt;
&lt;br /&gt;
All configuration samples have been moved to the configuration generator and the [[Security/TLS_Configurations]] archive. Access the generator by clicking the image below:&lt;br /&gt;
&lt;br /&gt;
[[Image:Server-side-tls-config-generator.png|link=https://mozilla.github.io/server-side-tls/ssl-config-generator/]]&lt;br /&gt;
&lt;br /&gt;
= Tools =&lt;br /&gt;
== CipherScan ==&lt;br /&gt;
&lt;br /&gt;
See https://github.com/jvehent/cipherscan&lt;br /&gt;
&lt;br /&gt;
Cipherscan is a small Bash script that connects to a target and list the preferred Ciphers. It&#039;s an easy way to test a web server for available ciphers, PFS key size, elliptic curves, support for OCSP Stapling, TLS ticket lifetime and certificate trust.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;bash&amp;quot;&amp;gt;&lt;br /&gt;
$ ./cipherscan jve.linuxwall.info&lt;br /&gt;
..........................&lt;br /&gt;
prio  ciphersuite                  protocols              pfs_keysize&lt;br /&gt;
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
3     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,4096bits&lt;br /&gt;
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,4096bits&lt;br /&gt;
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits&lt;br /&gt;
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,4096bits&lt;br /&gt;
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,4096bits&lt;br /&gt;
12    AES128-GCM-SHA256            TLSv1.2&lt;br /&gt;
13    AES256-GCM-SHA384            TLSv1.2&lt;br /&gt;
14    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits&lt;br /&gt;
15    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
16    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
17    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
18    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
19    AES256-SHA256                TLSv1.2&lt;br /&gt;
20    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
21    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
22    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,4096bits&lt;br /&gt;
23    AES128-SHA256                TLSv1.2&lt;br /&gt;
24    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
25    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2&lt;br /&gt;
&lt;br /&gt;
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature&lt;br /&gt;
TLS ticket lifetime hint: 300&lt;br /&gt;
OCSP stapling: supported&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== SSL Labs (Qualys) ==&lt;br /&gt;
&lt;br /&gt;
Available here: https://www.ssllabs.com/ssltest/&lt;br /&gt;
&lt;br /&gt;
Qualys SSL Labs provides a comprehensive SSL testing suite.&lt;br /&gt;
&lt;br /&gt;
GlobalSign has a modified interface of SSL Labs that is interesting as well: https://sslcheck.globalsign.com/&lt;br /&gt;
&lt;br /&gt;
= Attacks on SSL and TLS =&lt;br /&gt;
== BEAST (CVE-2011-3389) ==&lt;br /&gt;
&lt;br /&gt;
Beast is a vulnerability in the Initialization Vector (IV) of the CBC mode of AES, Camellia and a few other ciphers that use CBC mode. The attack allows a  MITM attacker to recover plaintext values by encrypting the same message multiple times.&lt;br /&gt;
&lt;br /&gt;
BEAST is mitigated in TLS1.1 and above.&lt;br /&gt;
&lt;br /&gt;
more: https://blog.torproject.org/blog/tor-and-beast-ssl-attack&lt;br /&gt;
&lt;br /&gt;
== LUCKY13 ==&lt;br /&gt;
&lt;br /&gt;
Lucky13 is another attack on CBC mode that listen for padding checks to decrypt ciphertext.&lt;br /&gt;
&lt;br /&gt;
more: https://www.imperialviolet.org/2013/02/04/luckythirteen.html&lt;br /&gt;
&lt;br /&gt;
== RC4 weaknesses ==&lt;br /&gt;
&lt;br /&gt;
As of February 2015, the IETF explicitely prohibits the use of RC4: [http://www.ietf.org/rfc/rfc7465.txt RFC 7465].&lt;br /&gt;
&lt;br /&gt;
It has been proven that RC4 biases in the first 256 bytes of a cipherstream can be used to recover encrypted text. If the same data is encrypted a very large number of times, then an attacker can apply statistical analysis to the results and recover the encrypted text. While hard to perform, this attack shows that it is time to remove RC4 from the list of trusted ciphers.&lt;br /&gt;
&lt;br /&gt;
In a public discussion ([https://bugzilla.mozilla.org/show_bug.cgi?id=927045 bug 927045]), it has been recommended to replace RC4 with 3DES. This would impact Internet Explorer 7 and 8 users that, depending on the OS, do not support AES, and will negotiate only RC4 or 3DES ciphers. Internet Explorer uses the cryptographic library “schannel”, which is OS dependent. schannel supports AES in Windows Vista, but not in Windows XP.&lt;br /&gt;
 &lt;br /&gt;
While 3DES provides more resistant cryptography, it is also 30 times slower and more cpu intensive than RC4. For large web infrastructure, the CPU cost of replacing RC4 with 3DES is non-zero. For this reason, we recommend that administrators evaluate their traffic patterns, and make the decision of replacing RC4 with 3DES on a per-case basis. At Mozilla, we evaluated that the impact on CPU usage is minor, and thus decided to replace RC4 with 3DES where backward compatibility is required.&lt;br /&gt;
&lt;br /&gt;
The root cause of the problem is information leakage that occurs when data is compressed prior to encryption. If someone can repeatedly inject and mix arbitrary content with some sensitive and relatively predictable data, and observe the resulting encrypted stream, then he will be able to extract the unknown data from it.&lt;br /&gt;
&lt;br /&gt;
more: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls&lt;br /&gt;
&lt;br /&gt;
== BREACH ==&lt;br /&gt;
&lt;br /&gt;
This is a more complex attack than CRIME, which does not require TLS-level compression (it still needs HTTP-level compression).&lt;br /&gt;
&lt;br /&gt;
In order to be successful, it requires to:&lt;br /&gt;
&lt;br /&gt;
# Be served from a server that uses HTTP-level compression&lt;br /&gt;
# Reflect user-input in HTTP response bodies&lt;br /&gt;
# Reflect a secret (such as a CSRF token) in HTTP response bodies&lt;br /&gt;
&lt;br /&gt;
more: http://breachattack.com/&lt;br /&gt;
&lt;br /&gt;
== POODLE ([http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566 CVE-2014-3566]) ==&lt;br /&gt;
&lt;br /&gt;
POODLE is an attack on the padding used by SSLv3. It is a significant improvement of the BEAST attack which led the cryptography community to recommend disabling SSLv3 globally.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;blockquote&amp;gt;&lt;br /&gt;
&#039;&#039;If you can arrange the message to be the correct length then the last block is 15 arbitrary bytes and the padding length (15). Then you arrange an interesting byte to be in the last position of a different block and duplicate that block to the end. If the record is accepted, then you know what the last byte contained because it decrypted to 15.&#039;&#039;&lt;br /&gt;
&#039;&#039;Thus the attacker needs to be able to control some of the plaintext in order to align things in the messages and needs to be able to burn lots of connections (256 per byte, roughly). Thus a secret needs to be repeated in connection after connection (i.e. a cookie).&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
source: Adam Langley in https://bugzilla.mozilla.org/show_bug.cgi?id=1076983#c29&lt;br /&gt;
&amp;lt;/blockquote&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Daniel Stenberg (Mozilla, cUrl) has a good description of the exploitability of POODLE in http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/&lt;br /&gt;
&lt;br /&gt;
Our guidelines maintain support for SSLv3 in the Old configuration only. This is required for clients on Windows XP service pack 1 &amp;amp; 2 that do not have support for TLSv1.0. Internet Explorer and Chrome on those platforms are impacted. Mozilla wants to be reachable from very old clients, to allow them to download a better browser. Therefore, we maintain SSLv3 compatibility on a limited number of sites. But all sites that do not need that level of compatibility are encouraged to implement the Intermediate configuration&lt;br /&gt;
&lt;br /&gt;
== Logjam attack on weak Diffie-Hellman ==&lt;br /&gt;
&lt;br /&gt;
The Logjam attack describes methods of attacking TLS servers supporting DHE export ciphers, and with weak (&amp;lt;= 1024 bit) Diffie Hellman groups. Modern TLS must use DH parameters of 2048 bits and above, or only use ECDHE. The modern configuration in this guide provide configurations that are not impacted by this issue. The intermediate and old configurations are impacted, and administrators are encourage to use DH parameters of 2048 bits wherever possible.&lt;br /&gt;
&lt;br /&gt;
more: https://weakdh.org&lt;br /&gt;
&lt;br /&gt;
== SPDY ==&lt;br /&gt;
&lt;br /&gt;
(see also http://en.wikipedia.org/wiki/SPDY and http://www.chromium.org/spdy/spdy-protocol)&lt;br /&gt;
&lt;br /&gt;
SPDY is a protocol that incorporate TLS, which attempts to reduce latency when loading pages. It is currently not an HTTP standard (albeit it is being drafted for HTTP 2.0), but is widely supported.&lt;br /&gt;
&lt;br /&gt;
SPDY version 3 is vulnerable to the CRIME attack (see also http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl) - this is due to the use of compression. Clients currently implement a non-standard hack in with gzip in order to circumvent the vulnerability. SPDY version 4 is planned to include a proper fix.&lt;br /&gt;
&lt;br /&gt;
== TLS tickets (RFC 5077) ==&lt;br /&gt;
&lt;br /&gt;
Once a TLS handshake has been negotiated between the server and the client, both may exchange a session ticket, which contains the session and is usually encrypted with AES-CBC 128bit. This AES key is generally static and only regenerated when the web server is restarted (with recent versions of Apache, it&#039;s stored in a file and also kept upon restarts).&lt;br /&gt;
&lt;br /&gt;
The key that encrypts TLS tickets in servers is very hard to manage and potentially introduces a security risk if not renewed regularly: if a server is breached, the key can be stolen and used to decrypt recorded TLS tickets, thus leaking session keys. TLS tickets do bring a performance benefit because of session resumption, but administrators that are more concerned about security than performance may want to disable them entirely. The trade-off we recommend is to implement restarts of web servers and force deletion of local caches to renew encryption keys.&lt;br /&gt;
&lt;br /&gt;
more information: https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-Slides.pdf&lt;br /&gt;
&lt;br /&gt;
== Cipher names correspondence table ==&lt;br /&gt;
IANA, OpenSSL and GnuTLS use different naming for the same ciphers. The table below matches these ciphers as well as their corresponding compatibility level.&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | Hex&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | Priority&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | IANA&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | GnuTLS&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | NSS&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; | OpenSSL&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2F&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 1&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2B&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 2&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x30&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2C&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9E&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 5&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA2&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 6&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA3&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 7&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9F&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 8&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x27&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 9&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x23&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 10&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x13&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 11&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x09&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 12&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x28&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 13&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x24&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold; text-align: center;&amp;quot; | 14&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #9EDB58; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x14&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 15&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0A&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 16&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-ECDSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x67&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 17&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x33&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 18&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x40&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 19&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6B&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 20&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x38&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 21&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x39&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 22&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | DHE-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x12&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 23&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-RSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x08&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 24&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | ECDHE-ECDSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x16&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 25&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9C&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 26&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9D&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 27&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3C&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 28&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3D&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 29&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2F&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 30&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x35&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 31&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6A&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 32&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x32&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 33&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0A&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold; text-align: center;&amp;quot; | 34&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | TLS_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #DBC158; font-weight: bold;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x88&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 35&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x87&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 36&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x84&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 37&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x45&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 38&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x44&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 39&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x41&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 40&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9A&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 41&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-RSA-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x99&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 42&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_DHE_DSS_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | DHE-DSS-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x96&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold; text-align: center;&amp;quot; | 43&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | TLS_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: #CCCCCC; font-weight: bold;&amp;quot; | SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_NULL_WITH_NULL_NULL&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_NULL_WITH_NULL_NULL&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x03&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_ARCFOUR_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x06&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x07&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x08&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x09&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x0F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x10&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x11&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x12&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x13&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x14&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x15&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x17&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x18&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_ARCFOUR_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x19&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_DES_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x1F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x20&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x21&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_IDEA_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x22&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_DES_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x23&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_3DES_EDE_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x24&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_RC4_128_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x25&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_WITH_IDEA_CBC_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x26&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x27&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x28&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC4_40_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x29&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_KRB5_EXPORT_WITH_RC4_40_MD5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x2E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x30&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x31&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x34&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x36&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x37&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x3F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x42&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x43&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x46&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x68&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x69&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x6D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x85&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x86&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x89&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x8F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x90&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x91&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x92&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x93&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x94&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x95&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x97&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x98&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0x9B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_SEED_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-SEED-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xA9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAD&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAE&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xAF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB3&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xB9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBD&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-DSS-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBE&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xBF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-DSS-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DH-RSA-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC3&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-DSS-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-RSA-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xC5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ADH-CAMELLIA256-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x00,0xFF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_EMPTY_RENEGOTIATION_INFO_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_EMPTY_RENEGOTIATION_INFO_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0x56,0x00&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_FALLBACK_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_FALLBACK_SCSV&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x01&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x02&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x03&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x04&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x05&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x06&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x07&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x0F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x10&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x11&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x15&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x16&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x17&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-DES-CBC3-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x18&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-AES128-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x19&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ANON_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_anon_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AECDH-AES256-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x1F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-AES-128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x20&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x21&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_RSA_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-RSA-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x22&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_SRP_SHA_DSS_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | SRP-DSS-AES-256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x25&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x26&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x29&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x2E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x31&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES128-GCM-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x32&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-AES256-GCM-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x33&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_RC4_128_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_ARCFOUR_128_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-RC4-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x34&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_3DES_EDE_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-3DES-EDE-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x35&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_128_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES128-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x36&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_256_CBC_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES256-CBC-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x37&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES128-CBC-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x38&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_AES_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-AES256-CBC-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x39&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_NULL_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-NULL-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x3F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x40&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x41&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x42&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x43&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x44&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x45&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x46&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x47&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x48&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x49&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x4F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x50&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x51&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x52&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x53&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x54&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x55&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x56&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x57&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x58&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x59&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x5F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x60&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x61&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x62&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x63&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x64&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x65&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x66&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x67&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x68&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x69&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x6F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x70&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x71&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x72&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x73&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x74&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x75&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-ECDSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x76&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x77&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-RSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x78&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x79&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDH-RSA-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x7F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x80&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x81&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_DSS_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x82&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x83&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x84&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x85&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DH_ANON_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x86&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x87&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x88&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x89&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_RSA_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x8F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x90&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x91&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x92&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_128_GCM_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x93&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_256_GCM_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x94&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x95&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x96&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x97&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x98&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x99&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | RSA-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9A&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_CAMELLIA_128_CBC_SHA256&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-CAMELLIA128-SHA256&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9B&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_PSK_CAMELLIA_256_CBC_SHA384&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-PSK-CAMELLIA256-SHA384&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9C&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9D&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9E&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-RSA-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0x9F&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-RSA-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA0&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA1&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_RSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA2&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-RSA-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA3&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_RSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-RSA-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA4&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA5&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA6&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA7&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xA9&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | PSK-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAA&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_DHE_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAB&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_PSK_DHE_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_DHE_PSK_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | DHE-PSK-AES256-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAC&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-AES128-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAD&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CCM&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-AES256-CCM&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAE&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_AES_128_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-AES128-CCM8&lt;br /&gt;
|-&lt;br /&gt;
! scope=row | 0xC0,0xAF&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; data-sort-value=&amp;quot;1000&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | TLS_ECDHE_ECDSA_AES_256_CCM_8&lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | &lt;br /&gt;
| style=&amp;quot;background-color: white;&amp;quot; | ECDHE-ECDSA-AES256-CCM8&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The table above was automatically generated via: [https://github.com/marumari/tls-table/blob/master/tls-table.py https://github.com/marumari/tls-table/blob/master/tls-table.py].&lt;br /&gt;
&lt;br /&gt;
Colors correspond to the [[#Modern_compatibility|&amp;lt;span style=&amp;quot;color: #008000; font-weight: bold;&amp;quot;&amp;gt;Modern&amp;lt;/span&amp;gt;]], [[#Intermediate_compatibility_.28default.29|&amp;lt;span style=&amp;quot;color: #FFA500; font-weight: bold;&amp;quot;&amp;gt;Intermediate&amp;lt;/span&amp;gt;]], and [[#Old_backward_compatibility|&amp;lt;span style=&amp;quot;color: #808080; font-weight: bold;&amp;quot;&amp;gt;Old&amp;lt;/span&amp;gt;]] compatibility levels. Each compatibility level is a superset of the more modern levels above it.&lt;br /&gt;
&lt;br /&gt;
== GnuTLS ciphersuite ==&lt;br /&gt;
&lt;br /&gt;
Unlike OpenSSL, GnuTLS will panic if you give it ciphers aren&#039;t supported by the library. That makes it very difficult to share a default ciphersuite to use in GnuTLS. The next best thing is using the following ciphersuite, and removing the components that break on your own version:&lt;br /&gt;
&lt;br /&gt;
&#039;&#039;&#039;NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
A ciphersuite can be tested in GnuTLS using &#039;&#039;&#039;gnutls-cli&#039;&#039;&#039;.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source code=bash&amp;gt;&lt;br /&gt;
$ gnutls-cli --version&lt;br /&gt;
gnutls-cli 3.1.26&lt;br /&gt;
&lt;br /&gt;
$ gnutls-cli -l --priority NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULLCipher suites for NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_GCM_SHA256                    0xc0, 0x2f  TLS1.2&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_CBC_SHA256                    0xc0, 0x27  TLS1.0&lt;br /&gt;
TLS_ECDHE_RSA_AES_128_CBC_SHA1                      0xc0, 0x13  SSL3.0&lt;br /&gt;
TLS_ECDHE_RSA_AES_256_CBC_SHA1                      0xc0, 0x14  SSL3.0&lt;br /&gt;
TLS_DHE_RSA_AES_128_GCM_SHA256                      0x00, 0x9e  TLS1.2&lt;br /&gt;
TLS_DHE_RSA_AES_128_CBC_SHA256                      0x00, 0x67  TLS1.0&lt;br /&gt;
TLS_DHE_RSA_AES_128_CBC_SHA1                        0x00, 0x33  SSL3.0&lt;br /&gt;
TLS_DHE_RSA_AES_256_CBC_SHA256                      0x00, 0x6b  TLS1.0&lt;br /&gt;
TLS_DHE_RSA_AES_256_CBC_SHA1                        0x00, 0x39  SSL3.0&lt;br /&gt;
TLS_RSA_AES_128_GCM_SHA256                          0x00, 0x9c  TLS1.2&lt;br /&gt;
TLS_RSA_AES_128_CBC_SHA256                          0x00, 0x3c  TLS1.0&lt;br /&gt;
TLS_RSA_AES_128_CBC_SHA1                            0x00, 0x2f  SSL3.0&lt;br /&gt;
TLS_RSA_AES_256_CBC_SHA256                          0x00, 0x3d  TLS1.0&lt;br /&gt;
TLS_RSA_AES_256_CBC_SHA1                            0x00, 0x35  SSL3.0&lt;br /&gt;
&lt;br /&gt;
Certificate types: none&lt;br /&gt;
Protocols: VERS-TLS1.2, VERS-TLS1.1, VERS-TLS1.0&lt;br /&gt;
Compression: COMP-NULL&lt;br /&gt;
Elliptic curves: CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1&lt;br /&gt;
PK-signatures: SIGN-RSA-SHA256, SIGN-RSA-SHA384, SIGN-RSA-SHA512, SIGN-RSA-SHA224, SIGN-RSA-SHA1, SIGN-DSA-SHA256, SIGN-DSA-SHA224, SIGN-DSA-SHA1&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
A good way to debug the ciphersuite is by performing a test connection. If the ciphersuite isn&#039;t supported, gnutls-cli will stop reading it at the component that is causing the issue.&lt;br /&gt;
&amp;lt;source code=bash&amp;gt;&lt;br /&gt;
$ gnutls-cli --debug 9999 google.com --priority &#039;NONE:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0:+ECDHE-RSA:+DHE-RSA:+RSA:+AES-128-GCM:+AES-128-CBC:+AES-256-CBC:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+CURVE-ALL:+AEAD:+SHA256:+SHA384:+SHA1:+COMP-NULL&#039;&lt;br /&gt;
|&amp;lt;2&amp;gt;| ASSERT: gnutls_priority.c:812&lt;br /&gt;
Syntax error at: +SIGN-RSA-SHA224:+SIGN-RSA-SHA1:+SIGN-DSA-SHA256:+SIGN-DSA-SHA224:+SIGN-DSA-SHA1:+SHA256:+SHA384:+SHA1:+COMP-NULL&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
In the example above, the component SIGN-RSA-SHA224 is not supported by this version of gnutls and should be removed from the ciphersuite.&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Version&lt;br /&gt;
! Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Clarify Logjam notes, Clarify risk of TLS Tickets&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Recommend ECDSA in modern level, remove DSS ciphers, publish configurations as JSON&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.8&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| redo cipher names chart (April King), move version chart (April King), update Intermediate cipher suite (ulfr)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.7&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| cleanup version table (April King), add F5 conf samples (warburtron), add notes about DHE (rgacogne)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.6&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| bump intermediate DHE to 2048, add note about java compatibility&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | alm&lt;br /&gt;
| comment on weakdh vulnerability&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added note about session resumption, HSTS, and HPKP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| fix SHA256 prio, add POODLE details, update various templates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added intermediate compatibility mode, renamed other modes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added non-backward compatible ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Remove RC4 for 3DES, fix ordering in openssl 0.9.8 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1024430 1024430]), various minor updates&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Revisit ELB capabilities&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Update ZLB information for OCSP Stapling and ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Moved a couple of aes128 above aes256 in the ciphersuite&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Precisions on IE 7/8 AES support (thanks to Dobin Rutishauser)&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| Added IANA/OpenSSL/GnuTLS correspondence table and conversion tool&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| RC4 vs 3DES discussion. r=joes r=tinfoil&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| Public release.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.5&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| added details for PFS DHE handshake, added nginx configuration details; added Apache recommended conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.4&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| revised ciphersuite. Prefer AES before RC4. Prefer 128 before 256. Prefer DHE before non-DHE.&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.3&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| added netscaler example conf&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.2&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| ciphersuite update, bump DHE-AESGCM above ECDH-RC4&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.1&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent, kang&lt;br /&gt;
| integrated review comments from Infra; SPDY information&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1.0&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | Julien Vehent&lt;br /&gt;
| creation&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;3&amp;quot; | &amp;amp;nbsp;&lt;br /&gt;
|-&lt;br /&gt;
| colspan=&amp;quot;2&amp;quot; style=&amp;quot;border-right: none;&amp;quot; | &#039;&#039;&#039;Document Status:&#039;&#039;&#039;&lt;br /&gt;
| style=&amp;quot;border-left: none; color:green; text-align: center;&amp;quot; | &#039;&#039;&#039;READY&#039;&#039;&#039;&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1156101</id>
		<title>Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1156101"/>
		<updated>2016-11-29T23:12:26Z</updated>

		<summary type="html">&lt;p&gt;Apking: Automated sync from https://github.com/mozilla/wikimo_opsec&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents the leaking of internal URLs via &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.&lt;br /&gt;
&lt;br /&gt;
In normal operation, if a page at https://example.com/page.html contains &amp;lt;tt&amp;gt;&amp;lt;nowiki&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/nowiki&amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image.jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
* &amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the directives above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Disable referrers for browsers that don&#039;t support strict-origin-when-cross-origin&lt;br /&gt;
# Uses strict-origin-when-cross-origin for browsers that do&lt;br /&gt;
Referrer-Policy: no-referrer, strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;no-referrer, strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;no-referrer, strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed with X-Frame-Options and CSP&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039;&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow only framer.mozilla.org to frame site&lt;br /&gt;
# Note that this blocks framing from browsers that don&#039;t support CSP2+&lt;br /&gt;
Content-Security-Policy: frame-ancestors https://framer.mozilla.org&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on &#039;frame-ancestors&#039;]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | November, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy, tidied up XFO examples&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1155674</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1155674"/>
		<updated>2016-11-23T17:38:48Z</updated>

		<summary type="html">&lt;p&gt;Apking: more tweaks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents the leaking of internal URLs via &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.&lt;br /&gt;
&lt;br /&gt;
In normal operation, if a page at https://example.com/page.html contains &amp;lt;tt&amp;gt;&amp;lt;nowiki&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/nowiki&amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image.jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
* &amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the directives above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Disable referrers for browsers that don&#039;t support strict-origin-when-cross-origin&lt;br /&gt;
# Uses strict-origin-when-cross-origin for browsers that do&lt;br /&gt;
Referrer-Policy: no-referrer, strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;no-referrer, strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;no-referrer, strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed with X-Frame-Options and CSP&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039;&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow only framer.mozilla.org to frame site&lt;br /&gt;
# Note that this blocks framing from browsers that don&#039;t support CSP2+&lt;br /&gt;
Content-Security-Policy: frame-ancestors https://framer.mozilla.org&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on &#039;frame-ancestors&#039;]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | November, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy, tidied up XFO examples&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1155673</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1155673"/>
		<updated>2016-11-23T17:36:29Z</updated>

		<summary type="html">&lt;p&gt;Apking: tweaks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents the leaking of internal URLs via &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.&lt;br /&gt;
&lt;br /&gt;
In normal operation, if a page at https://example.com/page.html contains &amp;lt;tt&amp;gt;&amp;lt;nowiki&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/nowiki&amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image.jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
* &amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the directives above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Disable referrers for browsers that don&#039;t support strict-origin-when-cross-origin; uses&lt;br /&gt;
# strict-origin-when-cross-origin for browsers that do&lt;br /&gt;
Referrer-Policy: no-referrer, strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed with X-Frame-Options and CSP&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039;&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow only framer.mozilla.org to frame site&lt;br /&gt;
# Note that this blocks framing from browsers that don&#039;t support CSP2+&lt;br /&gt;
Content-Security-Policy: frame-ancestors https://framer.mozilla.org&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on &#039;frame-ancestors&#039;]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | November, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy, tidied up XFO examples&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1154686</id>
		<title>Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1154686"/>
		<updated>2016-11-14T22:54:53Z</updated>

		<summary type="html">&lt;p&gt;Apking: Automated sync from https://github.com/mozilla/wikimo_opsec&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents the leaking of internal URLs via &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.&lt;br /&gt;
&lt;br /&gt;
In normal operation, if a page at https://example.com/page.html contains &amp;lt;tt&amp;gt;&amp;lt;nowiki&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/nowiki&amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image.jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
* &amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the directives above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | November, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1154678</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1154678"/>
		<updated>2016-11-14T22:17:08Z</updated>

		<summary type="html">&lt;p&gt;Apking: tweaks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents the leaking of internal URLs via &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.&lt;br /&gt;
&lt;br /&gt;
In normal operation, if a page at https://example.com/page.html contains &amp;lt;tt&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image/jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
* &amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the directives above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | November, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152951</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152951"/>
		<updated>2016-10-27T23:42:00Z</updated>

		<summary type="html">&lt;p&gt;Apking: rewording&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents the leaking of internal URLs via &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.&lt;br /&gt;
&lt;br /&gt;
In normal operation, if a page at https://example.com/page.html contains &amp;lt;tt&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image/jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. To limit the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header entirely, or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header&lt;br /&gt;
* &amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
* &amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the directives above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152950</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152950"/>
		<updated>2016-10-27T23:34:54Z</updated>

		<summary type="html">&lt;p&gt;Apking: formatting&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents leaking of internal URLs via Referer&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform these sites of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy is an HTTP header and &amp;amp;lt;meta&amp;amp;gt; tag that allows sites to have fine-grained control over how browsers use the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.  For example, if a page at https://example.com/page.html contains &amp;lt;tt&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image/jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
To reduce the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the Referer header entirely, or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the Referrer header&lt;br /&gt;
&amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
There are many additional options for referrer policies, but they do not protect user privacy in the same way as the options above. &amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the options above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152949</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152949"/>
		<updated>2016-10-27T23:33:57Z</updated>

		<summary type="html">&lt;p&gt;Apking: formatting&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents leaking of internal URLs via Referer&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform these sites of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy is an HTTP header and &amp;amp;lt;meta&amp;amp;gt; tag that allows sites to have fine-grained control over how browsers use the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.  For example, if a page at https://example.com/page.html contains this file &amp;lt;tt&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image/jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&lt;br /&gt;
&lt;br /&gt;
To reduce the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the Referer header entirely, or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the Referrer header&lt;br /&gt;
&amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
There are many additional options for referrer policies, but they do not protect user privacy in the same way as the options above. &amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the options above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152948</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152948"/>
		<updated>2016-10-27T23:33:12Z</updated>

		<summary type="html">&lt;p&gt;Apking: rough draft&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents leaking of internal URLs via Referer&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 15&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform these sites of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy is an HTTP header and &amp;amp;lt;meta&amp;amp;gt; tag that allows sites to have fine-grained control over how browsers use the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.  For example, if a page at https://example.com/page.html contains this file &amp;lt;pre&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image/jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&lt;br /&gt;
&lt;br /&gt;
To reduce the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the Referer header entirely, or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the Referrer header&lt;br /&gt;
&amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
There are many additional options for referrer policies, but they do not protect user privacy in the same way as the options above. &amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the options above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152947</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1152947"/>
		<updated>2016-10-27T23:31:17Z</updated>

		<summary type="html">&lt;p&gt;Apking: aoeu&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents leaking of internal URLs via Referer&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform these sites of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy is an HTTP header and &amp;amp;lt;meta&amp;amp;gt; tag that allows sites to have fine-grained control over how browsers use the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.  For example, if a page at https://example.com/page.html contains this file &amp;lt;pre&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image/jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&lt;br /&gt;
&lt;br /&gt;
To reduce the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the Referer header entirely, or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the Referrer header&lt;br /&gt;
&amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
There are many additional options for referrer policies, but they do not protect user privacy in the same way as the options above. &amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the options above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1152946</id>
		<title>Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1152946"/>
		<updated>2016-10-27T23:30:28Z</updated>

		<summary type="html">&lt;p&gt;Apking: Reverted edits by Apking (talk) to last revision by Gdestuynder&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1152945</id>
		<title>Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1152945"/>
		<updated>2016-10-27T23:30:03Z</updated>

		<summary type="html">&lt;p&gt;Apking: aoeu&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Referrer Policy|8 Referrer Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|9 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|10 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|11 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|12 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|13 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|14 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#Referrer Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Referrer Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Improves privacy for users, prevents leaking of internal URLs via Referer&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It is recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;object-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else except plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,&lt;br /&gt;
# and images from same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site that uses too much inline code to fix&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Referrer Policy =&lt;br /&gt;
&lt;br /&gt;
When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform these sites of the origin of the requests through the use of the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy is an HTTP header and &amp;amp;lt;meta&amp;amp;gt; tag that allows sites to have fine-grained control over how browsers use the HTTP &amp;lt;tt&amp;gt;Referer&amp;lt;/tt&amp;gt; header.  For example, if a page at https://example.com/page.html contains this file &amp;lt;pre&amp;gt;&amp;amp;lt;img src=&amp;quot;https://not.example.com/image.jpg&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt;, then the browser will send a request like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;GET /image/jpg HTTP/1.1&lt;br /&gt;
Host: not.example.com&lt;br /&gt;
Referer: https://example.com/page.html&lt;br /&gt;
&lt;br /&gt;
To reduce the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the Referer header entirely, or reduce the amount of information that it contains.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt;: never send the Referrer header&lt;br /&gt;
&amp;lt;tt&amp;gt;same-origin&amp;lt;/tt&amp;gt;: send referrer, but only on requests to the same origin&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin&amp;lt;/tt&amp;gt;: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)&lt;br /&gt;
&amp;lt;tt&amp;gt;strict-origin-when-cross-origin&amp;lt;/tt&amp;gt;: send full referrer on same origin, URL sans path on foreign origin&lt;br /&gt;
&lt;br /&gt;
== Notes ==&lt;br /&gt;
&lt;br /&gt;
There are many additional options for referrer policies, but they do not protect user privacy in the same way as the options above. &amp;lt;tt&amp;gt;no-referrer-when-downgrade&amp;lt;/tt&amp;gt; is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.&lt;br /&gt;
&lt;br /&gt;
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports &amp;lt;tt&amp;gt;no-referrer&amp;lt;/tt&amp;gt; from the options above, and Firefox awaits full support with Firefox 52.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# On example.com, only send the Referer header when loading or linking to other example.com resources&lt;br /&gt;
Referrer-Policy: same-origin&lt;br /&gt;
&lt;br /&gt;
# Only send the shortened referrer to a foreign origin, full referrer to a local host&lt;br /&gt;
Referrer-Policy: strict-origin-when-cross-origin&lt;br /&gt;
&lt;br /&gt;
# Do the same, but with a meta tag&lt;br /&gt;
&amp;amp;lt;meta http-equiv=&amp;quot;Referrer-Policy&amp;quot; content=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&lt;br /&gt;
&lt;br /&gt;
# Do the same, but only for a single link&lt;br /&gt;
&amp;amp;lt;a href=&amp;quot;https://mozilla.org/&amp;quot; referrerpolicy=&amp;quot;strict-origin-when-cross-origin&amp;quot;&amp;amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Added Referrer Policy&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Talk:Security/Guidelines/Web_Security&amp;diff=1152714</id>
		<title>Talk:Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Talk:Security/Guidelines/Web_Security&amp;diff=1152714"/>
		<updated>2016-10-26T18:32:17Z</updated>

		<summary type="html">&lt;p&gt;Apking: banner on the top for kang&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;div style=&amp;quot;background-color: lightskyblue; border: solid 1px black; font-size: 1.25em; font-weight: 600; margin-bottom: 4em; padding: 1em; text-align: center;&amp;quot;&amp;gt;Please take all discussions of issues with these guidelines to our [https://github.com/mozilla/wikimo_content/issues GitHub page].  Thank you!&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== About Contribute.json == &lt;br /&gt;
&lt;br /&gt;
The contribute.json is a good idea. The recommendation for linking to it less so. The current text says:&lt;br /&gt;
&lt;br /&gt;
:contribute.json is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute. contribute.json is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
This is cluttering the root space of Web sites. By doing this, we basically capture the URI such as http://example.com/contribute.json and makes it impossible to other projects to use this URI for another semantics. This is called the Well-Known URIs issue. But there are ways to be a good citizen of the Web, by promoting the good practice.&lt;br /&gt;
&lt;br /&gt;
A RFC has been written to mitigate the issue: [https://tools.ietf.org/html/rfc5785 Defining Well-Known Uniform Resource Identifiers (URIs)].&lt;br /&gt;
&lt;br /&gt;
    /.well-known/contribute.json&lt;br /&gt;
&lt;br /&gt;
This comes with an additional constraint:&lt;br /&gt;
&lt;br /&gt;
:Well-known URIs are registered on the advice of one or more&lt;br /&gt;
:Designated Experts (appointed by the IESG or their delegate), with a&lt;br /&gt;
:Specification Required (using terminology from [RFC5226]).  However,&lt;br /&gt;
:to allow for the allocation of values prior to publication, the&lt;br /&gt;
:Designated Expert(s) may approve registration once they are satisfied&lt;br /&gt;
:that such a specification will be published.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I would be happy to help write the spec for it. &lt;br /&gt;
&lt;br /&gt;
The other solution is to use instead the [https://tools.ietf.org/html/rfc5988 Link pattern]&lt;br /&gt;
&lt;br /&gt;
    Link: &amp;lt;/somewhere/contribute.json&amp;gt;; rel=&amp;quot;contribute&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The same way the [https://tools.ietf.org/html/rfc5988#section-6.2.1 value &amp;quot;contribute&amp;quot; would have to be defined]. &lt;br /&gt;
&lt;br /&gt;
[[User:Karlcow|Karlcow]] ([[User talk:Karlcow|talk]])&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
Karlcow -- there&#039;s already a GitHub issue open for this:&lt;br /&gt;
https://github.com/mozilla/contribute.json/issues/30&lt;br /&gt;
&lt;br /&gt;
Once it gets included as a well-known URI, I will change my recommendation to move it to /.well-known/contribute.json.  :)  [[User:Apking|Apking]] ([[User talk:Apking|talk]])&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Talk:Security/Guidelines/Web_Security&amp;diff=1152711</id>
		<title>Talk:Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Talk:Security/Guidelines/Web_Security&amp;diff=1152711"/>
		<updated>2016-10-26T17:54:50Z</updated>

		<summary type="html">&lt;p&gt;Apking: (signing)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== About Contribute.json == &lt;br /&gt;
&lt;br /&gt;
The contribute.json is a good idea. The recommendation for linking to it less so. The current text says:&lt;br /&gt;
&lt;br /&gt;
:contribute.json is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute. contribute.json is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
This is cluttering the root space of Web sites. By doing this, we basically capture the URI such as http://example.com/contribute.json and makes it impossible to other projects to use this URI for another semantics. This is called the Well-Known URIs issue. But there are ways to be a good citizen of the Web, by promoting the good practice.&lt;br /&gt;
&lt;br /&gt;
A RFC has been written to mitigate the issue: [https://tools.ietf.org/html/rfc5785 Defining Well-Known Uniform Resource Identifiers (URIs)].&lt;br /&gt;
&lt;br /&gt;
    /.well-known/contribute.json&lt;br /&gt;
&lt;br /&gt;
This comes with an additional constraint:&lt;br /&gt;
&lt;br /&gt;
:Well-known URIs are registered on the advice of one or more&lt;br /&gt;
:Designated Experts (appointed by the IESG or their delegate), with a&lt;br /&gt;
:Specification Required (using terminology from [RFC5226]).  However,&lt;br /&gt;
:to allow for the allocation of values prior to publication, the&lt;br /&gt;
:Designated Expert(s) may approve registration once they are satisfied&lt;br /&gt;
:that such a specification will be published.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I would be happy to help write the spec for it. &lt;br /&gt;
&lt;br /&gt;
The other solution is to use instead the [https://tools.ietf.org/html/rfc5988 Link pattern]&lt;br /&gt;
&lt;br /&gt;
    Link: &amp;lt;/somewhere/contribute.json&amp;gt;; rel=&amp;quot;contribute&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The same way the [https://tools.ietf.org/html/rfc5988#section-6.2.1 value &amp;quot;contribute&amp;quot; would have to be defined]. &lt;br /&gt;
&lt;br /&gt;
[[User:Karlcow|Karlcow]] ([[User talk:Karlcow|talk]])&lt;br /&gt;
&lt;br /&gt;
---&lt;br /&gt;
&lt;br /&gt;
Karlcow -- there&#039;s already a GitHub issue open for this:&lt;br /&gt;
https://github.com/mozilla/contribute.json/issues/30&lt;br /&gt;
&lt;br /&gt;
Once it gets included as a well-known URI, I will change my recommendation to move it to /.well-known/contribute.json.  :)  [[User:Apking|Apking]] ([[User talk:Apking|talk]])&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Talk:Security/Guidelines/Web_Security&amp;diff=1152710</id>
		<title>Talk:Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Talk:Security/Guidelines/Web_Security&amp;diff=1152710"/>
		<updated>2016-10-26T17:53:58Z</updated>

		<summary type="html">&lt;p&gt;Apking: Re: Karlcow&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;== About Contribute.json == &lt;br /&gt;
&lt;br /&gt;
The contribute.json is a good idea. The recommendation for linking to it less so. The current text says:&lt;br /&gt;
&lt;br /&gt;
:contribute.json is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute. contribute.json is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
This is cluttering the root space of Web sites. By doing this, we basically capture the URI such as http://example.com/contribute.json and makes it impossible to other projects to use this URI for another semantics. This is called the Well-Known URIs issue. But there are ways to be a good citizen of the Web, by promoting the good practice.&lt;br /&gt;
&lt;br /&gt;
A RFC has been written to mitigate the issue: [https://tools.ietf.org/html/rfc5785 Defining Well-Known Uniform Resource Identifiers (URIs)].&lt;br /&gt;
&lt;br /&gt;
    /.well-known/contribute.json&lt;br /&gt;
&lt;br /&gt;
This comes with an additional constraint:&lt;br /&gt;
&lt;br /&gt;
:Well-known URIs are registered on the advice of one or more&lt;br /&gt;
:Designated Experts (appointed by the IESG or their delegate), with a&lt;br /&gt;
:Specification Required (using terminology from [RFC5226]).  However,&lt;br /&gt;
:to allow for the allocation of values prior to publication, the&lt;br /&gt;
:Designated Expert(s) may approve registration once they are satisfied&lt;br /&gt;
:that such a specification will be published.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
I would be happy to help write the spec for it. &lt;br /&gt;
&lt;br /&gt;
The other solution is to use instead the [https://tools.ietf.org/html/rfc5988 Link pattern]&lt;br /&gt;
&lt;br /&gt;
    Link: &amp;lt;/somewhere/contribute.json&amp;gt;; rel=&amp;quot;contribute&amp;quot;&lt;br /&gt;
&lt;br /&gt;
The same way the [https://tools.ietf.org/html/rfc5988#section-6.2.1 value &amp;quot;contribute&amp;quot; would have to be defined]. &lt;br /&gt;
&lt;br /&gt;
[[User:Karlcow|Karlcow]] ([[User talk:Karlcow|talk]])&lt;br /&gt;
&lt;br /&gt;
Karlcow -- there&#039;s already a GitHub issue open for this:&lt;br /&gt;
https://github.com/mozilla/contribute.json/issues/30&lt;br /&gt;
&lt;br /&gt;
Once it gets included as a well-known URI, I will change my recommendation to move it to /.well-known/contribute.json.  :)&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1151258</id>
		<title>Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1151258"/>
		<updated>2016-10-13T15:15:07Z</updated>

		<summary type="html">&lt;p&gt;Apking: updates to CSP&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* It recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these as unsafe inside &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; (or inherited from &amp;lt;tt&amp;gt;default-src&amp;lt;/tt&amp;gt;).&lt;br /&gt;
* Similarly, the use of &amp;lt;tt&amp;gt;script-src &#039;self&#039;&amp;lt;/tt&amp;gt; can be unsafe for sites with JSONP endpoints. These sites should use a &amp;lt;tt&amp;gt;script-src&amp;lt;/tt&amp;gt; that includes the path to their JavaScript source folder(s).&lt;br /&gt;
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with &amp;lt;tt&amp;gt;object-src &#039;none&#039;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https&lt;br /&gt;
# Note that this does not provide any XSS protection&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else plugin execution&lt;br /&gt;
Content-Security-Policy: default-src *; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur&lt;br /&gt;
# Also disables the execution of plugins&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load scripts and stylesheets from same origin, fonts from google, and images from&lt;br /&gt;
# same origin and imgur. Sites should aim for policies like this.&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; font-src &#039;https://fonts.googleapis.com&#039;;&lt;br /&gt;
                             img-src &#039;self&#039; https://i.imgur.com; object-src &#039;none&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix,&lt;br /&gt;
# but wants to ensure resources are loaded only over https and disable plugins&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;; object-src &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-contacts&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent browsers from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | October, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP recommendations&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Risk_management/Rapid_Risk_Assessment&amp;diff=1140114</id>
		<title>Security/Risk management/Rapid Risk Assessment</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Risk_management/Rapid_Risk_Assessment&amp;diff=1140114"/>
		<updated>2016-07-18T16:17:35Z</updated>

		<summary type="html">&lt;p&gt;Apking: Automated sync from https://github.com/mozilla/wikimo_opsec&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; padding-left: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&lt;br /&gt;
&#039;&#039;&#039;RRA Version supported: 2.5.x&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
Any team uses a risk based methodology when making any decision.&lt;br /&gt;
The Rapid Risk Assessment or Rapid Risk Analysis (RRA) methodology helps formalize these decisions and ensures that they&#039;re&lt;br /&gt;
reproducible, consistent and easy to communicate.&lt;br /&gt;
&lt;br /&gt;
This document assumes that the reader is familiar with risk definitions, and the Mozilla risk levels from the&lt;br /&gt;
[[Security/Risk management|Risk Management]] documentation (i.e. read it first).&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security Team (Infosec) maintains this document as a reference guide for security engineers&lt;br /&gt;
and anyone interested in following our risk management processes.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec/ source repository on github].&lt;br /&gt;
Changes are detailed in the [https://github.com/mozilla/wikimo_opsec/commits/master commit history].&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; padding-top: 3em;&amp;quot;&amp;gt;[[File:OpSec.png|300px]]&amp;lt;/span&amp;gt;&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Rapid Risk Assessment =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:red;&amp;quot;&amp;gt;&#039;&#039;&#039;WARNING&#039;&#039;&#039;&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
A typical Rapid Risk Analysis/Assessment (RRA) lasts about 30 minutes.&lt;br /&gt;
It is not a security review or a full threat-model, peneration test, review, etc. These may however follow an RRA.&lt;br /&gt;
&lt;br /&gt;
The objective of the RRA is to understand the value and impact of a service on a business, project, company - it does not&lt;br /&gt;
focus on quantifying and analyzing security controls.&lt;br /&gt;
&#039;&#039;&#039;The RRA process analyze and assess services&#039;&#039;&#039;. Analyzing processes, or individual pieces of data is not recommended through the RRA process.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== Preamble ==&lt;br /&gt;
&lt;br /&gt;
Data is the most important item in risk management. Software, websites, infrastructure, networks and people handle, process, exchange and store data.&lt;br /&gt;
&lt;br /&gt;
The RRA focuses efforts on creating a summary of the risks associated with our data. In particular it aims to be:&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Quick!&#039;&#039;&#039; About 30 minutes to 60 minutes maximum.&lt;br /&gt;
* &#039;&#039;&#039;Very high-level&#039;&#039;&#039;. Details are for complete threat models.&lt;br /&gt;
* &#039;&#039;&#039;Concise, readable&#039;&#039;&#039;. Short table with clear risk levels.&lt;br /&gt;
* &#039;&#039;&#039;Easy to update&#039;&#039;&#039;. Can be run during the architecture phase, and re-run if the project is re-architected or new high level design decisions are made.&lt;br /&gt;
* &#039;&#039;&#039;Informative&#039;&#039;&#039; It collects risk impact, an approximate impact likelihood and data dictionary.&lt;br /&gt;
&lt;br /&gt;
This helps to make the following type of risk-based decisions:&lt;br /&gt;
&lt;br /&gt;
* Is the security provided by a given platform appropriate to host a specific type of data?&lt;br /&gt;
* How much should we care about maintenance, etc?&lt;br /&gt;
* Does this service warrant a full security threat-model, peneration test, privacy review?&lt;br /&gt;
* How long should we spend on these tasks?&lt;br /&gt;
* Is there anything obvious I should really look at fixing right now?&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;Sample use case&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
Firefox accounts store user data:&lt;br /&gt;
&lt;br /&gt;
* What happens if that data is exposed to the world? What happens if the systems go down? What happens if that data is disclosed? What if the data is modified?&lt;br /&gt;
* Are we at financial, operational risk? Is our reputation also at risk?&lt;br /&gt;
* What kind of data does Firefox accounts exactly handle? How sensitive is the primary kind of data used by Firefox accounts?&lt;br /&gt;
&lt;br /&gt;
The RRA table facilitate the answer to these questions.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== When to run RRAs? ==&lt;br /&gt;
&lt;br /&gt;
RRAs are designed to be updated and re-runnable as needed. That being said, it is recommended to run the first RRA&lt;br /&gt;
during the design or architecture phase of new services, when an initial data flow diagram for the service has been created.&lt;br /&gt;
&lt;br /&gt;
== What to run through RRAs? ==&lt;br /&gt;
&lt;br /&gt;
RRAs can only be used for services. Any project belongs to or provides a service. Any component, piece of code or data&lt;br /&gt;
belongs to a service. Find which service it belongs to and RRA that service, not the specific piece of code or data.&lt;br /&gt;
&lt;br /&gt;
Large services should be split into multiple smaller services or sub-services that handle a specific type of data and&lt;br /&gt;
expose a limited set of features. This choice has to be made by the security engineer running the RRA. If the&lt;br /&gt;
sub-services belong to different teams, it is a strong indicator that multiple RRAs should be run.&lt;br /&gt;
&lt;br /&gt;
Large services that cannot be split up not only lead to a complex assessment, but also may indicate that the service&lt;br /&gt;
itself needs to be re-designed in a more secure fashion.&lt;br /&gt;
&lt;br /&gt;
Representing the risk of a large set of services that are tied together can be done outside the RRA by looking at the&lt;br /&gt;
linked services field of the RRA.&lt;br /&gt;
&lt;br /&gt;
== What to focus on during RRAs? ==&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Impact assessment&#039;&#039;&#039;. The RRA is the authority for impact levels and these are paramount.&lt;br /&gt;
* &#039;&#039;&#039;Rationales&#039;&#039;&#039;. Anyone should understand why you&#039;ve set a specific impact level by reading &lt;br /&gt;
* Getting &#039;&#039;&#039;value for the team&#039;&#039;&#039;. The team needs to understand what is most important to protect.&lt;br /&gt;
&lt;br /&gt;
What to &#039;&#039;&#039;NOT&#039;&#039;&#039; focus on:&lt;br /&gt;
* Gathering security controls, figuring out how effective they are, etc. Don&#039;t do that! This information may be recorded if it comes up but do not focus on it.&lt;br /&gt;
* Likelihood, Security provided by service. Don&#039;t spent much time there! These are &amp;quot;10,000 foot approximations&amp;quot; and part of a larger risk calculation mechanism.&lt;br /&gt;
&lt;br /&gt;
== Guided process: Running your RRA in ~30 minutes ==&lt;br /&gt;
&lt;br /&gt;
This is a guided example of how to run an RRA.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;Time management and control&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
You will be responsible for the time distribution and ensure 30 minutes are not exceeded if possible.&lt;br /&gt;
&lt;br /&gt;
You will sometimes have to cut a discussion short and be assertive.&lt;br /&gt;
We have a tendency to jump directly to discussing security controls during risk discussions. While valuable, this&lt;br /&gt;
is not the purpose of the RRA, and controls can be better discussed once the impacts have been clearly defined.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* The discussion languishes (&amp;gt;1 minute) around &amp;quot;how to mitigate this very issue&amp;quot; or &amp;quot;we&#039;re doing X to ensure this never happens&amp;quot;.&lt;br /&gt;
* The discussion focuses on process instead of filling the form.&lt;br /&gt;
* The discussion about how the service works takes forever (&amp;gt;15 minutes) and the owner has to lookup every single detail.&lt;br /&gt;
&lt;br /&gt;
A good tip is to &#039;&#039;&#039;reserve 50-60 minutes&#039;&#039;&#039; of RRA time in the calendar, and plan to run the RRA for only &#039;&#039;&#039;30&lt;br /&gt;
minutes&#039;&#039;&#039;.&lt;br /&gt;
This leaves you with some room for error, and handle services that weren&#039;t well understood by their owners.&lt;br /&gt;
In any case, always watch your clock!&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Getting started (pre-work) ===&lt;br /&gt;
&lt;br /&gt;
* Ensure no previous RRA exist, else re-use the previous RRA.&lt;br /&gt;
* Create a copy of the [https://drive.google.com/open?id=160V89R-VdIe1AEHcT_sX89UToV2gv8mLshhoia2-6mM template] and move it to the correct directory (or your personal Google drive if you&#039;re testing the RRA process).&lt;br /&gt;
* Invite 1 or 2 members (product owners, lead engineers, etc.) related to the service with enough technical knowledge, ensure they will bring a diagram of data&lt;br /&gt;
flows and have an understanding of the data being stored or processed by the service. You do not want more than 4 or 5 people total as this will slow down the RRA. Most RRAs are run 1 on 1 (2 people total).&lt;br /&gt;
Make sure everyone invited has &#039;&#039;&#039;edit&#039;&#039;&#039; rights to the document, and has the document opened in front of them when the&lt;br /&gt;
RRA starts.&lt;br /&gt;
* If this is anyone&#039;s first RRA, ensure they understand what risk impacts are, and the standard risk levels we are using, as well as giving them a short overview of what is going to happen:&lt;br /&gt;
** Filling in header/meta-data information about the service.&lt;br /&gt;
** Getting an idea of how the service is architected.&lt;br /&gt;
** Recording all data the service may process/store and how sensitive it is.&lt;br /&gt;
** Running through the risk table and figuring out what happens if the data is leaked, modified, unavailable, etc - while assigning the standard risk levels.&lt;br /&gt;
** Writing down any recommendations for the service.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:red;&amp;quot;&amp;gt;First time?&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
If this is your first RRA, ensure that someone who has run RRAs previously is present to help you.&lt;br /&gt;
It is good to have attended multiple RRAs before starting your own.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Header (5 minutes) ===&lt;br /&gt;
&lt;br /&gt;
The header has to be filled in first and foremost.&lt;br /&gt;
&lt;br /&gt;
* Fill in the service name. It may be the product or generic service name, or even better, both. Try to keep it short and simple.&lt;br /&gt;
* Fill in the description of the service. In order to do that, ask the team to give you a short, one sentence, few words quick description of what this service does, how it does it.&lt;br /&gt;
* Fill in the scope if you know it. Sometimes the scope is clearer at the end of the RRA.&lt;br /&gt;
** If the scope is obvious (its the whole service) it is OK to leave it blank.&lt;br /&gt;
** In some cases the scope is critical to the understanding of the RRA.&lt;br /&gt;
* If you know of linked services (for example if it uses SAML authentication, the linked service could be &amp;quot;SAML SSO&amp;quot;)&lt;br /&gt;
* Ask the team who owns the service (for example the team that makes decisions if the service must go down), who develops the code and who&#039;s operating it.&lt;br /&gt;
** Generally its a team name and one or more names. Sometimes, it&#039;s a third party (SaaS).&lt;br /&gt;
** You never want to leave the service owner blank, and you always want a Mozilla contact as service owner.&lt;br /&gt;
** You always want at least a team name, as people change teams, etc. A team name and a responsible person name is ideal.&lt;br /&gt;
* Other fields will be automatically filled in or filled in at a later time.&lt;br /&gt;
&lt;br /&gt;
=== General notes (5-10 minutes) ===&lt;br /&gt;
&lt;br /&gt;
In this phase you want to gain a good understanding of the service:&lt;br /&gt;
&lt;br /&gt;
* Where is it running? On which platforms?&lt;br /&gt;
* What is it running, what kind of software or technologies?&lt;br /&gt;
* How is it structured, architected? Do you have your data flow diagram?&lt;br /&gt;
* Do you have some documentation links?&lt;br /&gt;
* Any URLs to access the service?&lt;br /&gt;
* How is administration performed?&lt;br /&gt;
* How is authorization (login) performed?&lt;br /&gt;
* What is logged, where?&lt;br /&gt;
&lt;br /&gt;
Anything of interest may go in the RRA general notes. This can be used during the description  of the service as well if you hear interesting details that did not fit in the description.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:red;&amp;quot;&amp;gt;WARNING&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
At the end of this exercise, you want to be able to reformulate how the service works, with your own words, and have the&lt;br /&gt;
RRA participants tell you if that understanding is correct. This step is crucial.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Data Dictionary (5-10 minutes) ===&lt;br /&gt;
&lt;br /&gt;
We want an exhaustive list of data types. While some types may be sometimes missing as this is a best-effort type discussion, it is important to ensure we&#039;re missing as little as possible.&lt;br /&gt;
&lt;br /&gt;
* Ask the team to help you list which data is handled by the application, such as:&lt;br /&gt;
** Specific configuration data (on disk or in RAM).&lt;br /&gt;
** Credentials used by the applications (keys, logins, etc.).&lt;br /&gt;
** Software source code/scripts (such as if the code is stored on a Git repository, downloaded and ran by the service).&lt;br /&gt;
** Ask again and specify you want to make sure they&#039;ve listed all sensitive data they can think of.&lt;br /&gt;
* Set the data classification for each data type in the dictionary, such as &amp;quot;PUBLIC&amp;quot;, &amp;quot;STAFF&amp;quot;, etc. Mozilla uses standard classification levels.&lt;br /&gt;
* If some compensating controls are mentioned or there are more details about the data you can fill them in as well.&lt;br /&gt;
** For example &amp;quot;User attributes, classified INTERNAL, protected by LDAP authentication, used to find out the user&#039;s t-shirt size&amp;quot;.&lt;br /&gt;
* Based on this dictionary/catalog of data, figure out which is the main data classification the service is handling. If unsure, ask the team.&lt;br /&gt;
** For example &amp;quot;mock is mainly used to serve package files that are PUBLIC.&amp;quot; (public main data classification).&lt;br /&gt;
** Set this in the header section at the top of the RRA template.&lt;br /&gt;
&lt;br /&gt;
=== RRA Risk table (5-10 minutes) ===&lt;br /&gt;
&lt;br /&gt;
This is where the risk impact assessment is done, and where the probability for these impacts is roughly estimated.&lt;br /&gt;
The risk impact is using &#039;&#039;probable impact&#039;&#039;, that is, worst-case scenario impacts that seem possible.&lt;br /&gt;
&lt;br /&gt;
==== Levels summary ====&lt;br /&gt;
&lt;br /&gt;
===== Reputation =====&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;LOW&amp;lt;/span&amp;gt;&lt;br /&gt;
| Nobody cares.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MEDIUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| Tweets, forum posts, e-mails are seen.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;HIGH&amp;lt;/span&amp;gt;&lt;br /&gt;
| Articles in technical websites such as Hacker News, Ars-Technica, etc. are seen.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MAXIMUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| Scandal. National and international news outlets report on the event.&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===== Productivity =====&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;LOW&amp;lt;/span&amp;gt;&lt;br /&gt;
| SG (Small Group): affected for &amp;lt; 24h. LG (Large Group): affected for minutes.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MEDIUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| SG: affected for days. LG: affected for hours.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;HIGH&amp;lt;/span&amp;gt;&lt;br /&gt;
| SG: affected for weeks. LG: affected for days.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MAXIMUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| SG: affected for a month or more. LG: affected for weeks.&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===== Finances =====&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;LOW&amp;lt;/span&amp;gt;&lt;br /&gt;
| &amp;lt; 100k USD.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MEDIUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| &amp;lt; 1M USD.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;HIGH&amp;lt;/span&amp;gt;&lt;br /&gt;
| &amp;lt; 10M USD.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MAXIMUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| &amp;gt; 10M USD.&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Work-force (productivity-derived) financial costs calculations are included in the RRA spreadsheet.&lt;br /&gt;
&lt;br /&gt;
==== Recording risk impacts ====&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The risk impact is solely sourced from the RRA when risk is calculated. Thus, the RRA risk impact is the most important&lt;br /&gt;
value being recorded and must be as accurate as possible.&lt;br /&gt;
&lt;br /&gt;
* Tell the team you&#039;re now going to look at the impact on the confidentiality, availability and integrity of the service.&lt;br /&gt;
** Confidentiality is impacted if the data is leaked (all files zipped up and served on a public site).&lt;br /&gt;
** Availability is impacted if the service is no longer available (DDOS or malfunction, service unreachable).&lt;br /&gt;
** Integrity is impacted if the service&#039;s data is tampered with (records no longer show trustworthy data, site is defaced, etc.)&lt;br /&gt;
* For each, look at how it affects Mozilla&#039;s reputation, productivity and finances.&lt;br /&gt;
** Reputation is our public image, both internal and external to Mozilla.&lt;br /&gt;
** Productivity is our ability to work. If a team can&#039;t do their regular work, their productivity is affected.&lt;br /&gt;
** Finances represent the cost of an impact. For example, abusing an AWS account and running bitcoin-mining instances would cost us money.&lt;br /&gt;
* For each row, there is a summary/reference built-in the template that lets you know how the level is set.&lt;br /&gt;
&lt;br /&gt;
As you go through each row, ensure that the team understands which impact level you&#039;re selecting and why.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* Confidentiality =&amp;gt; Reputation HIGH impact would mean that Mozilla would get in tech news (HN, Ars Technica, etc.) if the data was leaked.&lt;br /&gt;
* Confidentiality =&amp;gt; Productivity MEDIUM impact would mean that some small Mozilla teams (SG) would be affected for more than 24h, or a large team (LG) for a few hours.&lt;br /&gt;
If the impact on productivity is higher than LOW, it is possible that we incur financial impacts derived from work-force costs.&lt;br /&gt;
&lt;br /&gt;
For each level, add a rationale on why the level was selected. Remember that anyone reading this&lt;br /&gt;
document will rely on your rationale and they will need to be able to understand why the level is selected. List affected teams&lt;br /&gt;
, their sizes and the duration of the impact for example.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Recording risk likelihood ====&lt;br /&gt;
&lt;br /&gt;
Our likelihood level recorded during the RRA is very qualitative and of lower accuracy than the impact assessment.&lt;br /&gt;
Ensure that you do not spent too much time arguing about the likelihood - this level will change and the final risk&lt;br /&gt;
calculation takes several data sources in addition to the RRA itself.&lt;br /&gt;
&lt;br /&gt;
Questions to ask:&lt;br /&gt;
&lt;br /&gt;
* Is the service code peer-reviewed?&lt;br /&gt;
* Did the service receive a security review, threat modeling or pen-testing in the past?&lt;br /&gt;
* Has the service suffered any security vulnerabilities in the past?&lt;br /&gt;
** Did any of the vulnerabilities get exploited or was the service compromised?&lt;br /&gt;
* How confident are you that this impact may occur during the next year?&lt;br /&gt;
* Are we aware of current ongoing attacks on the service? (brute force attempts, DDoS, ...)&lt;br /&gt;
&lt;br /&gt;
The estimated likelihood is then recorded as an estimated occurrence rate per calendar year.&lt;br /&gt;
&lt;br /&gt;
==== Additional tips ====&lt;br /&gt;
&lt;br /&gt;
* Whenever the productivity impact is HIGH or MAXIMUM, there is probably also a financial impact due to the cost of the workforce being impacted.&lt;br /&gt;
* Financial risk is sometimes hard to define, in particular when tied to contracts.&lt;br /&gt;
** If no financial impact is clearly derived, it is OK to set the impact to LOW and rationale to &amp;quot;N/A&amp;quot;.&lt;br /&gt;
** If there is still doubt, you may select &amp;quot;unknown&amp;quot; or &amp;quot;undefined&amp;quot; instead.&lt;br /&gt;
* If you have any HIGH or MAXIMUM impacts, propose that a threat model and pen-test be run.&lt;br /&gt;
* Educate the project owners and lead developers of the project about the meaning of these risks and how the RRA can help them make decisions such as which operational environment to select, what technologies to use, and how much effort to put into securing the project.&lt;br /&gt;
&lt;br /&gt;
=== Recommendations (5 minutes) ===&lt;br /&gt;
&lt;br /&gt;
While the RRA is not meant as a true security-review, recommendations do come up and this is a great time to&lt;br /&gt;
have a quick 5 minute chat about these.&lt;br /&gt;
&lt;br /&gt;
* Ensure all recommendations that came up (from you or the team) are mentioned here. It&#039;s also ok to fill this table as you go!&lt;br /&gt;
* List the control needed (should this be prioritized?)&lt;br /&gt;
* Ensure logging and access control have been mentioned. Can these be improved? Should we alert on events?&lt;br /&gt;
* Does this service have an incident response plan defined?&lt;br /&gt;
&lt;br /&gt;
=== Wrapping up ===&lt;br /&gt;
&lt;br /&gt;
* Estimate a security level provided by the service and set it in the RRA header at the top.&lt;br /&gt;
** A service that does not seem safe provides LOW security.&lt;br /&gt;
** A service that seem to follow best-practices provides MEDIUM security.&lt;br /&gt;
** A service that puts an emphasis on security and uses stronger controls provides HIGH security.&lt;br /&gt;
** A service that has been well reviewed via threat modeling and penetration testing, uses strong security controls, and has good privilege and data separation provides MAXIMUM security.&lt;br /&gt;
* Which recommendations are the team thinking of implementing &#039;&#039;(If no recommendations are implemented, you have very little impact)&#039;&#039;&lt;br /&gt;
* Summarize the risk assessment table, the biggest impacts, and ask the team if the summary is what they expected.&lt;br /&gt;
* Ask the team if there are any security concerns that they have, which have not been mentioned.&lt;br /&gt;
* Ensure you left no &amp;quot;red&amp;quot; fields blank (these are must-fill-in fields).&lt;br /&gt;
* Tell the team that you&#039;ll follow up with a risk-record, thank them for their time and you&#039;re done!&lt;br /&gt;
&lt;br /&gt;
=== Creating a risk record (post-work, 30 minutes) ===&lt;br /&gt;
&lt;br /&gt;
Create a risk record for the service: https://mana.mozilla.org/wiki/display/SECURITY/Risk+Records&lt;br /&gt;
&lt;br /&gt;
== Reference documents ==&lt;br /&gt;
&lt;br /&gt;
* https://binary.protect.io/workcard.pdf&lt;br /&gt;
* http://en.wikipedia.org/wiki/ISO_31000&lt;br /&gt;
* http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Risk_management/Rapid_Risk_Assessment&amp;diff=1140113</id>
		<title>Security/Risk management/Rapid Risk Assessment</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Risk_management/Rapid_Risk_Assessment&amp;diff=1140113"/>
		<updated>2016-07-18T16:16:56Z</updated>

		<summary type="html">&lt;p&gt;Apking: Automated sync from https://github.com/mozilla/wikimo_opsec&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;&amp;lt;table&amp;gt;&lt;br /&gt;
  &amp;lt;tr&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;min-width: 25em;&amp;quot;&amp;gt;__TOC__&amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;td style=&amp;quot;vertical-align: top; padding-left: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&lt;br /&gt;
&#039;&#039;&#039;RRA Version supported: 2.5.x&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
Any team uses a risk based methodology when making any decision.&lt;br /&gt;
The Rapid Risk Assessment or Rapid Risk Analysis (RRA) methodology helps formalize these decisions and ensures that they&#039;re&lt;br /&gt;
reproducible, consistent and easy to communicate.&lt;br /&gt;
&lt;br /&gt;
This document assumes that the reader is familiar with risk definitions, and the Mozilla risk levels from the&lt;br /&gt;
[[Security/Risk management|Risk Management]] documentation (i.e. read it first).&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security Team (Infosec) maintains this document as a reference guide for security engineers&lt;br /&gt;
and anyone interested in following our risk management processes.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec/ source repository on github].&lt;br /&gt;
Changes are detailed in the [https://github.com/mozilla/wikimo_opsec/commits/master commit history].&lt;br /&gt;
&lt;br /&gt;
&amp;lt;span style=&amp;quot;float: right; padding-top: 3em;&amp;quot;&amp;gt;[[File:OpSec.png|300px]]&amp;lt;/span&amp;gt;&lt;br /&gt;
    &amp;lt;/td&amp;gt;&lt;br /&gt;
  &amp;lt;/tr&amp;gt;&lt;br /&gt;
&amp;lt;/table&amp;gt;&lt;br /&gt;
&lt;br /&gt;
= Rapid Risk Assessment =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:red;&amp;quot;&amp;gt;&#039;&#039;&#039;WARNING&#039;&#039;&#039;&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
A typical Rapid Risk Analysis/Assessment (RRA) lasts about 30 minutes.&lt;br /&gt;
It is not a security review or a full threat-model, peneration test, review, etc. These may however follow an RRA.&lt;br /&gt;
&lt;br /&gt;
The objective of the RRA is to understand the value and impact of a service on a business, project, company - it does not&lt;br /&gt;
focus on quantifying and analyzing security controls.&lt;br /&gt;
&#039;&#039;&#039;The RRA process analyze and assess services&#039;&#039;&#039;. Analyzing processes, or individual pieces of data is not recommended through the RRA process.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== Preamble ==&lt;br /&gt;
&lt;br /&gt;
Data is the most important item in risk management. Software, websites, infrastructure, networks and people handle, process, exchange and store data.&lt;br /&gt;
&lt;br /&gt;
The RRA focuses efforts on creating a summary of the risks associated with our data. In particular it aims to be:&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Quick!&#039;&#039;&#039; About 30 minutes to 60 minutes maximum.&lt;br /&gt;
* &#039;&#039;&#039;Very high-level&#039;&#039;&#039;. Details are for complete threat models.&lt;br /&gt;
* &#039;&#039;&#039;Concise, readable&#039;&#039;&#039;. Short table with clear risk levels.&lt;br /&gt;
* &#039;&#039;&#039;Easy to update&#039;&#039;&#039;. Can be run during the architecture phase, and re-run if the project is re-architected or new high level design decisions are made.&lt;br /&gt;
* &#039;&#039;&#039;Informative&#039;&#039;&#039; It collects risk impact, an approximate impact likelihood and data dictionary.&lt;br /&gt;
&lt;br /&gt;
This helps to make the following type of risk-based decisions:&lt;br /&gt;
&lt;br /&gt;
* Is the security provided by a given platform appropriate to host a specific type of data?&lt;br /&gt;
* How much should we care about maintenance, etc?&lt;br /&gt;
* Does this service warrant a full security threat-model, peneration test, privacy review?&lt;br /&gt;
* How long should we spend on these tasks?&lt;br /&gt;
* Is there anything obvious I should really look at fixing right now?&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;Sample use case&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
Firefox accounts store user data:&lt;br /&gt;
&lt;br /&gt;
* What happens if that data is exposed to the world? What happens if the systems go down? What happens if that data is disclosed? What if the data is modified?&lt;br /&gt;
* Are we at financial, operational risk? Is our reputation also at risk?&lt;br /&gt;
* What kind of data does Firefox accounts exactly handle? How sensitive is the primary kind of data used by Firefox accounts?&lt;br /&gt;
&lt;br /&gt;
The RRA table facilitate the answer to these questions.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
== When to run RRAs? ==&lt;br /&gt;
&lt;br /&gt;
RRAs are designed to be updated and re-runnable as needed. That being said, it is recommended to run the first RRA&lt;br /&gt;
during the design or architecture phase of new services, when an initial data flow diagram for the service has been created.&lt;br /&gt;
&lt;br /&gt;
== What to run through RRAs? ==&lt;br /&gt;
&lt;br /&gt;
RRAs can only be used for services. Any project belongs to or provides a service. Any component, piece of code or data&lt;br /&gt;
belongs to a service. Find which service it belongs to and RRA that service, not the specific piece of code or data.&lt;br /&gt;
&lt;br /&gt;
Large services should be split into multiple smaller services or sub-services that handle a specific type of data and&lt;br /&gt;
expose a limited set of features. This choice has to be made by the security engineer running the RRA. If the&lt;br /&gt;
sub-services belong to different teams, it is a strong indicator that multiple RRAs should be ran.&lt;br /&gt;
&lt;br /&gt;
Large services that cannot be split up not only lead to a complex assessment, but also may indicate that the service&lt;br /&gt;
itself needs to be re-designed in a more secure fashion.&lt;br /&gt;
&lt;br /&gt;
Representing the risk of a large set of services that are tied together can be done outside the RRA by looking at the&lt;br /&gt;
linked services field of the RRA.&lt;br /&gt;
&lt;br /&gt;
== What to focus on during RRAs? ==&lt;br /&gt;
&lt;br /&gt;
* &#039;&#039;&#039;Impact assessment&#039;&#039;&#039;. The RRA is the authority for impact levels and these are paramount.&lt;br /&gt;
* &#039;&#039;&#039;Rationales&#039;&#039;&#039;. Anyone should understand why you&#039;ve set a specific impact level by reading &lt;br /&gt;
* Getting &#039;&#039;&#039;value for the team&#039;&#039;&#039;. The team needs to understand what is most important to protect.&lt;br /&gt;
&lt;br /&gt;
What to &#039;&#039;&#039;NOT&#039;&#039;&#039; focus on:&lt;br /&gt;
* Gathering security controls, figuring out how effective they are, etc. Don&#039;t do that! This information may be recorded if it comes up but do not focus on it.&lt;br /&gt;
* Likelihood, Security provided by service. Don&#039;t spent much time there! These are &amp;quot;10, 000 feet approximations&amp;quot; and part of a larger risk calculation mechanism.&lt;br /&gt;
&lt;br /&gt;
== Guided process: Running your RRA in ~30 minutes ==&lt;br /&gt;
&lt;br /&gt;
This is a guided example of how to run an RRA.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:gray;&amp;quot;&amp;gt;Time management and control&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
You will be responsible for the time distribution and ensure 30 minutes are not exceeded if possible.&lt;br /&gt;
&lt;br /&gt;
You will sometimes have to cut a discussion short and be assertive.&lt;br /&gt;
We have a tendency to jump directly to discussing security controls during risk discussions. While valuable, this&lt;br /&gt;
is not the purpose of the RRA, and controls can be better discussed once the impacts have been clearly defined.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
* The discussion languishes (&amp;gt;1 minute) around &amp;quot;how to mitigate this very issue&amp;quot; or &amp;quot;we&#039;re doing X to ensure this never happens&amp;quot;.&lt;br /&gt;
* The discussion focuses on process instead of filling the form.&lt;br /&gt;
* The discussion about how the service works takes forever (&amp;gt;15 minutes) and the owner has to lookup every single detail.&lt;br /&gt;
&lt;br /&gt;
A good tip is to &#039;&#039;&#039;reserve 50-60 minutes&#039;&#039;&#039; of RRA time in the calendar, and plan to run the RRA for only &#039;&#039;&#039;30&lt;br /&gt;
minutes&#039;&#039;&#039;.&lt;br /&gt;
This leaves you with some room for error, and handle services that weren&#039;t well understood by their owners.&lt;br /&gt;
In any case, always watch your clock!&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Getting started (pre-work) ===&lt;br /&gt;
&lt;br /&gt;
* Ensure no previous RRA exist, else re-use the previous RRA.&lt;br /&gt;
* Create a copy of the [https://drive.google.com/open?id=160V89R-VdIe1AEHcT_sX89UToV2gv8mLshhoia2-6mM template] and move it to the correct directory (or your personal Google drive if you&#039;re testing the RRA process).&lt;br /&gt;
* Invite 1 or 2 members (product owners, lead engineers, etc.) related to the service with enough technical knowledge, ensure they will bring a diagram of data&lt;br /&gt;
flows and have an understanding of the data being stored or processed by the service. You do not want more than 4 or 5 persons total as this will slow down the RRA. Most RRAs are run 1 on 1 (2 persons total).&lt;br /&gt;
Make sure everyone invited has &#039;&#039;&#039;edit&#039;&#039;&#039; rights to the document, and has the document opened in front of them when the&lt;br /&gt;
RRA starts.&lt;br /&gt;
* If this is anyone&#039;s first RRA, ensure they understand what risk impacts are, and the standard risk levels we are using, as well giving them a short overview of what is going to happen:&lt;br /&gt;
** Filling in header/meta-data information about the service.&lt;br /&gt;
** Getting an idea of how the service is architected.&lt;br /&gt;
** Recording all data the service may process/store and how sensitive it is.&lt;br /&gt;
** Run through the risk table and figure out what happens if the data leak, is modified, is unavailable, etc - while&lt;br /&gt;
assigning the standard risk levels.&lt;br /&gt;
** Write down any recommendation for the service.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:red;&amp;quot;&amp;gt;First time?&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
If this is your first RRA, ensure that someone who has run RRAs previously is present to help you.&lt;br /&gt;
It is good to have attended multiple RRAs before starting your own.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Header (5 minutes) ===&lt;br /&gt;
&lt;br /&gt;
The header has to be filled in first and foremost.&lt;br /&gt;
&lt;br /&gt;
* Fill in the service name. It may be the product or generic service name, or even better, both. Try to keep it short and simple.&lt;br /&gt;
* Fill in the description of the service. In order to do that, ask the team to give you a short, one sentence, few words quick description of what this service does, how it does it.&lt;br /&gt;
* Fill in the scope if you know it. Sometimes the scope is clearer at the end of the RRA.&lt;br /&gt;
** If the scope is obvious (its the whole service) it is OK to leave it blank.&lt;br /&gt;
** In some cases the scope is critical to the understanding of the RRA.&lt;br /&gt;
* If you know of linked services (for example if it uses SAML authentication, the linked service could be &amp;quot;SAML SSO&amp;quot;)&lt;br /&gt;
* Ask the team who owns the service (takes decisions if the service must go down for example), who develops the code and who&#039;s operating it.&lt;br /&gt;
** Generally its a team name and one or more names. Sometimes, it&#039;s a third party (SaaS).&lt;br /&gt;
** You never want to leave the service owner blank, and you always want a Mozilla contact as service owner.&lt;br /&gt;
** You always want at least a team name, as people change teams, etc. A team name and a responsible person name is ideal.&lt;br /&gt;
* Other fields will be automatically filled in or filled in at a later time.&lt;br /&gt;
&lt;br /&gt;
=== General notes (5-10 minutes) ===&lt;br /&gt;
&lt;br /&gt;
At this point you want to have a good understanding of the service:&lt;br /&gt;
&lt;br /&gt;
* Where is it running? Which platforms?&lt;br /&gt;
* What is it running, what kind of software or technologies?&lt;br /&gt;
* How is it structured, architected? Do you have your data flow diagram?&lt;br /&gt;
* Do you have some documentation links?&lt;br /&gt;
* Any URL to access the service?&lt;br /&gt;
* How is administration performed?&lt;br /&gt;
* How is authorization (login) performed?&lt;br /&gt;
* What is logged, where?&lt;br /&gt;
&lt;br /&gt;
Anything of interest may go in the RRA general notes. This can be used during the description  of the service as well if you hear interesting details that did not fit in the description.&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! &amp;lt;span style=&amp;quot;color:red;&amp;quot;&amp;gt;WARNING&amp;lt;/span&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
|&lt;br /&gt;
At the end of this exercise, you want to be able to reformulate how the service works, with your own words, and have the&lt;br /&gt;
RRA participants tell you if that understanding is correct. This step is crucial.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== Data Dictionary (5-10 minutes) ===&lt;br /&gt;
&lt;br /&gt;
We want an exhaustive list of data types. While some types may be sometimes missing as this is a best-effort type discussion, it is important to ensure we&#039;re missing as little as possible.&lt;br /&gt;
&lt;br /&gt;
* Ask the team to help you list which data is handled by the application, such as:&lt;br /&gt;
** Specific configuration data (on disk or in RAM).&lt;br /&gt;
** Credentials used by the applications (keys, logins, etc.).&lt;br /&gt;
** Potentially program code/script (such as if the code is stored on a Git repository, downloaded and ran by the service).&lt;br /&gt;
** Ask again and specify you want to make sure they&#039;ve listed all sensitive data they can think of.&lt;br /&gt;
* Set the data classification for each data type in the dictionary, such as &amp;quot;PUBLIC&amp;quot;, &amp;quot;STAFF&amp;quot;, etc. Mozilla uses standard classification levels.&lt;br /&gt;
* If some compensating controls are mentioned or there are more details about the data you can fill them in as well.&lt;br /&gt;
** For example &amp;quot;User attributes, classified INTERNAL, protected by LDAP authentication, used to find out the user&lt;br /&gt;
t-shirt size&amp;quot;.&lt;br /&gt;
* Based on this dictionary/catalog of data, figure out which is the main data classification the service is handling. If unsure, ask the team.&lt;br /&gt;
** For example &amp;quot;mock is mainly used to serve package files that are PUBLIC.&amp;quot; (public main data classification).&lt;br /&gt;
** Set this in the header section at the top of the RRA template.&lt;br /&gt;
&lt;br /&gt;
=== RRA Risk table (5-10 minutes) ===&lt;br /&gt;
&lt;br /&gt;
This is where the risk impact assessment is done, and where the probability for these impact is roughly estimated.&lt;br /&gt;
The risk impact is using &#039;&#039;probable impact&#039;&#039;, that is, worst-case scenario impacts that seem possible.&lt;br /&gt;
&lt;br /&gt;
==== Levels summary ====&lt;br /&gt;
&lt;br /&gt;
===== Reputation =====&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;LOW&amp;lt;/span&amp;gt;&lt;br /&gt;
| Nobody cares.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MEDIUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| Tweets, forum posts, e-mails are seen.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;HIGH&amp;lt;/span&amp;gt;&lt;br /&gt;
| Articles in technical websites such as HN, Ars-Technica, etc. are seen.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MAXIMUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| Scandal. We appear on TV, BBC, etc.&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===== Productivity =====&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;LOW&amp;lt;/span&amp;gt;&lt;br /&gt;
| SG (Small Group): affected for &amp;lt; 24h. LG (Large Group): affected for minutes.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MEDIUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| SG: affected for days. LG: affected for hours.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;HIGH&amp;lt;/span&amp;gt;&lt;br /&gt;
| SG: affected for weeks. LG: affected for days.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MAXIMUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| SG: affected for a month or more. LG: affected for weeks.&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===== Finances =====&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;LOW&amp;lt;/span&amp;gt;&lt;br /&gt;
| &amp;lt; 100k USD.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MEDIUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| &amp;lt; 1M USD.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;HIGH&amp;lt;/span&amp;gt;&lt;br /&gt;
| &amp;lt; 10M USD.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;MAXIMUM&amp;lt;/span&amp;gt;&lt;br /&gt;
| &amp;gt; 10M USD.&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Work-force (productivity-derived) financial costs calculations are included in the RRA spreadsheet.&lt;br /&gt;
&lt;br /&gt;
==== Recording risk impacts ====&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The risk impact is solely sourced from the RRA when risk is calculated. Thus, the RRA risk impact is the most important&lt;br /&gt;
value being recorded and must be as accurate as possible.&lt;br /&gt;
&lt;br /&gt;
* Tell the team you&#039;re now going to look at the impact on confidentiality, availability and integrity of the service.&lt;br /&gt;
** Confidentiality is what happens if the data is leaked (all files zipped up and served on a public site).&lt;br /&gt;
** Availability is what happens if the service is no longer available (DDOS or malfunction, service unreachable).&lt;br /&gt;
** Integrity is what happens if the service data is tampered with (records no longer show trustworthy data, site is&lt;br /&gt;
defaced, etc.)&lt;br /&gt;
* For each, we&#039;ll look at how it affects Mozilla&#039;s reputation, productivity and finances.&lt;br /&gt;
** Reputation is our public image, both internal and external to Mozilla.&lt;br /&gt;
** Productivity is our ability to work. If a team can&#039;t do their regular work, their productivity is affected.&lt;br /&gt;
** Finances represent the cost of an impact. For example, abusing an AWS account and running bitcoin-mining instances&lt;br /&gt;
would cost us money.&lt;br /&gt;
* For each row, there is a summary/reference built-in the template that let you know how the level is set.&lt;br /&gt;
&lt;br /&gt;
As you go through each row, ensure that the team understands which level you&#039;re selecting as impact and why.&lt;br /&gt;
&lt;br /&gt;
For example:&lt;br /&gt;
&lt;br /&gt;
Confidentiality=&amp;gt;Reputation HIGH impact would mean that Mozilla would get in tech. news (HN, Ars Technica, etc.)&lt;br /&gt;
if the data was leaked.&lt;br /&gt;
Confidentiality=&amp;gt;Productivity MEDIUM impact would mean that some small Mozilla teams (SG) would be affected for more than&lt;br /&gt;
24h, or a large team (LG) for a few hours.&lt;br /&gt;
If the impact on productivity is higher than LOW, it is possible that we occur financial impacts derived from work-force costs.&lt;br /&gt;
&lt;br /&gt;
For each level, add a rationale on why the level was selected. Remember that anyone reading this&lt;br /&gt;
document will rely on your rationale and need to be able to understand why the level is selected. List affected teams&lt;br /&gt;
and their sizes, for how long for example.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
==== Recording risk likelihood ====&lt;br /&gt;
&lt;br /&gt;
Our likelihood level recorded during the RRA is very qualitative and of lower accuracy than the impact assessment.&lt;br /&gt;
Ensure that you do not spent too much time arguing about the likelihood - this level will change and the final risk&lt;br /&gt;
calculation takes several data sources in addition to the RRA itself.&lt;br /&gt;
&lt;br /&gt;
Questions to ask:&lt;br /&gt;
&lt;br /&gt;
* Is the service code peer-reviewed?&lt;br /&gt;
* Did the service get any kind of security review, modeling, pen-testing in the past?&lt;br /&gt;
* Did the service suffer any security vulnerability in the past?&lt;br /&gt;
** Did any of the vulnerabilities get exploited or the service compromised?&lt;br /&gt;
* How confident are you that this impact may occur during the next year?&lt;br /&gt;
* Are we aware of ongoing attacks on the service? (brute force attempts, DDoS, ...)&lt;br /&gt;
&lt;br /&gt;
The estimated likelihood is then recorded as an estimated occurrence rate per calendar year.&lt;br /&gt;
&lt;br /&gt;
==== Additional tips ====&lt;br /&gt;
&lt;br /&gt;
* Whenever the productivity impact is HIGH or MAXIMUM, there probably also is a financial impact due to the cost of the workforce being impacted.&lt;br /&gt;
* Financial risk is sometimes hard to define, in particular when tied to contracts.&lt;br /&gt;
** If no financial impact is clearly derived, it is OK to set the impact to LOW and rationale to &amp;quot;N/A&amp;quot;.&lt;br /&gt;
** If there is still doubt, you may select &amp;quot;unknown&amp;quot; or &amp;quot;undefined&amp;quot; instead.&lt;br /&gt;
* If you have any HIGH or MAXIMUM impact, you will want to propose the team to run a threat model and pen-test, every time.&lt;br /&gt;
* Educate the project owners and/or lead developers of the project about the meaning of these risks and how the RRA can help them make decisions such as which operational environment to select, what technologies to use, or how much effort to put in securing the project.&lt;br /&gt;
&lt;br /&gt;
=== Recommendations (5 minutes) ===&lt;br /&gt;
&lt;br /&gt;
While the RRA is not meant for true security-review type work, recommendations do come up and this is a great time to&lt;br /&gt;
have a quick 5 minutes chat about these.&lt;br /&gt;
&lt;br /&gt;
* Ensure all recommendations that came up (from you or the team) are mentioned there. It&#039;s OK to fill this table as you go, too!&lt;br /&gt;
* List the control need (should this be prioritized?)&lt;br /&gt;
* Ensure logging and access control have been mentioned. Can these be improved? Should we alert on events?&lt;br /&gt;
* Does this service have an incident response scenario figured out?&lt;br /&gt;
&lt;br /&gt;
=== Wrapping up ===&lt;br /&gt;
&lt;br /&gt;
* Estimate a security level provided by the service and set it in the RRA header at the top.&lt;br /&gt;
** A service that does not seem safe provides LOW security.&lt;br /&gt;
** A service that seem to follow best-practices provides MEDIUM security.&lt;br /&gt;
** A service that put emphasis on security and uses stronger controls provides a HIGH security.&lt;br /&gt;
** A service that has been well reviewed via threat models, pen-tested, etc. and uses strong controls, privilege and&lt;br /&gt;
data separation provides a MAXIMUM security.&lt;br /&gt;
* Which recommendations do the team think of implementing &#039;&#039;(If no recommendations are implemented, you have very little impact)&#039;&#039;&lt;br /&gt;
* Summarize the risk assessment table, the biggest impacts, and ask the team if that sounds like what they expected.&lt;br /&gt;
* Ask the team if there is any security concern that they have, which has not been mentioned.&lt;br /&gt;
* Ensure you left no &amp;quot;red&amp;quot; field blank (these are must-fill-in fields).&lt;br /&gt;
* Tell the team that you&#039;ll follow up with a risk-record, thanks them for their time, you&#039;re done!&lt;br /&gt;
&lt;br /&gt;
=== Creating a risk record (post-work, 30 minutes) ===&lt;br /&gt;
&lt;br /&gt;
Create a risk record for the service: https://mana.mozilla.org/wiki/display/SECURITY/Risk+Records&lt;br /&gt;
&lt;br /&gt;
== Reference documents ==&lt;br /&gt;
&lt;br /&gt;
* https://binary.protect.io/workcard.pdf&lt;br /&gt;
* http://en.wikipedia.org/wiki/ISO_31000&lt;br /&gt;
* http://www.riskmanagementinsight.com/media/docs/FAIR_introduction.pdf&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1140112</id>
		<title>Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1140112"/>
		<updated>2016-07-18T16:16:51Z</updated>

		<summary type="html">&lt;p&gt;Apking: Automated sync from https://github.com/mozilla/wikimo_opsec&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: deprecated; instead use CSP&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1139283</id>
		<title>Security/Guidelines/Web Security</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=Security/Guidelines/Web_Security&amp;diff=1139283"/>
		<updated>2016-07-11T20:12:48Z</updated>

		<summary type="html">&lt;p&gt;Apking: Automated sync from https://github.com/mozilla/wikimo_opsec&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive, use Content Security Policy, and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 8em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines_Scratchpad&amp;diff=1138987</id>
		<title>User:Apking/Web Security Guidelines Scratchpad</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines_Scratchpad&amp;diff=1138987"/>
		<updated>2016-07-07T16:30:40Z</updated>

		<summary type="html">&lt;p&gt;Apking: Created page with &amp;quot;__NOTOC__ &amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;   &amp;lt;table&amp;gt;     &amp;lt;tr&amp;gt;       &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;         &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;...&amp;quot;&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the loading of any resources and disable framing, recommended for APIs to use&lt;br /&gt;
Content-Security-Policy: default-src &#039;none&#039;; frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; header is mandatory for all new websites, and all existing websites are expected to add support for &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Note that &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; has been superceded by the Content Security Policy&#039;s &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; directive, which allows considerably more granular control over the origins allowed to frame a site. As &amp;lt;tt&amp;gt;frame-ancestors&amp;lt;/tt&amp;gt; is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ &amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; in addition to using CSP.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive, use Content Security Policy, and/or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being framed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;none&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site&lt;br /&gt;
Content-Security-Policy: frame-ancestors &#039;self&#039; https://frame-you.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (&amp;lt;tt&amp;gt;&#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt;), they can still provide protections for users of older web browsers that don&#039;t yet support CSP.&lt;br /&gt;
&lt;br /&gt;
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 7.5em;&amp;quot; | Date&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | July, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Updates to CSP for APIs, and CSP&#039;s deprecation of XFO, and XXSSP&lt;br /&gt;
|-&lt;br /&gt;
| style=&amp;quot;padding-left: .5em; text-align: left;&amp;quot; | February, 2016&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1121150</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1121150"/>
		<updated>2016-03-09T22:01:27Z</updated>

		<summary type="html">&lt;p&gt;Apking: Redirected page to Security/Guidelines/Web Security&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;#REDIRECT [[Security/Guidelines/Web Security]]&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1119149</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1119149"/>
		<updated>2016-02-29T17:31:11Z</updated>

		<summary type="html">&lt;p&gt;Apking: text-align&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;text-align: center;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being iframed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Version&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | 1.0&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1119147</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1119147"/>
		<updated>2016-02-29T17:29:50Z</updated>

		<summary type="html">&lt;p&gt;Apking: visual tweaks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;padding-left: 20em;&amp;quot;&amp;gt;&#039;&#039;&#039;STATUS: &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: 0 .5em; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;READY&amp;lt;/span&amp;gt;&#039;&#039;&#039;&amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Security&amp;lt;br&amp;gt;Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Implementation&amp;lt;br&amp;gt;Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; |&amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Unknown&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being iframed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Version&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | 1.0&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1118921</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1118921"/>
		<updated>2016-02-26T22:11:07Z</updated>

		<summary type="html">&lt;p&gt;Apking: add colors to chart&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|- style=&amp;quot;background-color: #aaaaaa;&amp;quot;&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Easy&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Maximum&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Easy&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Easy&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Moderate&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Easy&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Easy&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #cccccc; border-radius: .25em; color: #333333; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Varies&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Easy&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #ffd351; border-radius: .25em; color: #594300; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Moderate&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Easy&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;High&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #14892c; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Easy&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #ffffff;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #d04437; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Low&amp;lt;/span&amp;gt;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | &amp;lt;span style=&amp;quot;background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase;&amp;quot;&amp;gt;Medium&amp;lt;/span&amp;gt;&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being iframed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Version&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | 1.0&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1118909</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1118909"/>
		<updated>2016-02-26T21:18:33Z</updated>

		<summary type="html">&lt;p&gt;Apking: updated to latest push&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #E99696;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards Compatible (Old)&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being iframed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Version&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | 1.0&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1118497</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1118497"/>
		<updated>2016-02-24T20:17:29Z</updated>

		<summary type="html">&lt;p&gt;Apking: fix chart ordering&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #E99696;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being iframed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Version&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | 1.0&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1118496</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1118496"/>
		<updated>2016-02-24T20:15:51Z</updated>

		<summary type="html">&lt;p&gt;Apking: buncha tweaks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #E99696;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security (TLS/SSL) =&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossdomain.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being iframed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Version&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | 1.0&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1117744</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1117744"/>
		<updated>2016-02-18T22:39:02Z</updated>

		<summary type="html">&lt;p&gt;Apking: more chart tweaks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security|2 Transport Layer Security]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #E99696;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security =&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security (TLS/SSL) provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossorigin.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being iframed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Version&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | 1.0&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
	<entry>
		<id>https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1117739</id>
		<title>User:Apking/Web Security Guidelines</title>
		<link rel="alternate" type="text/html" href="https://wiki.mozilla.org/index.php?title=User:Apking/Web_Security_Guidelines&amp;diff=1117739"/>
		<updated>2016-02-18T22:37:22Z</updated>

		<summary type="html">&lt;p&gt;Apking: visual tweaks&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;__NOTOC__&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;table&amp;gt;&lt;br /&gt;
    &amp;lt;tr&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;white-space: nowrap;&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;!-- Roll our own TOC, since the wiki has very old styles --&amp;gt;&lt;br /&gt;
        &amp;lt;div id=&amp;quot;toc&amp;quot; class=&amp;quot;toc&amp;quot;&amp;gt;&lt;br /&gt;
          &amp;lt;div id=&amp;quot;toctitle&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;h2&amp;gt;Contents&amp;lt;/h2&amp;gt;&lt;br /&gt;
          &amp;lt;/div&amp;gt;&lt;br /&gt;
          &amp;lt;ul style=&amp;quot;padding-right: 1em;&amp;quot;&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Web Security Cheat Sheet|1 Cheat Sheet]]&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Transport Layer Security|2 Transport Layer Security]]&lt;br /&gt;
            &amp;lt;li&amp;gt;&lt;br /&gt;
              &amp;lt;ul&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTPS|2.1 HTTPS]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Redirections|2.3 HTTP Redirections]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]&amp;lt;/li&amp;gt;&lt;br /&gt;
                &amp;lt;li&amp;gt;[[#Resource Loading|2.5 Resource Loading]]&amp;lt;/li&amp;gt;&lt;br /&gt;
              &amp;lt;/ul&amp;gt;&lt;br /&gt;
            &amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Content Security Policy|3 Content Security Policy]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#contribute.json|4 contribute.json]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cookies|5 Cookies]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#CSRF Prevention|7 CSRF Prevention]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#robots.txt|8 robots.txt]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Subresource Integrity|9 Subresource Integrity]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Content-Type-Options|10 X-Content-Type-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-Frame-Options|11 X-Frame-Options]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#X-XSS-Protection|12 X-XSS-Protection]]&amp;lt;/li&amp;gt;&lt;br /&gt;
            &amp;lt;li&amp;gt;[[#Version History|13 Version History]]&amp;lt;/li&amp;gt;&lt;br /&gt;
          &amp;lt;/ul&amp;gt;&lt;br /&gt;
        &amp;lt;/div&amp;gt;&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
      &amp;lt;td style=&amp;quot;vertical-align: top; padding: 1em 0 0 1.5em;&amp;quot;&amp;gt;&lt;br /&gt;
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.&lt;br /&gt;
&lt;br /&gt;
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.&lt;br /&gt;
&lt;br /&gt;
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].&lt;br /&gt;
      &amp;lt;/td&amp;gt;&lt;br /&gt;
    &amp;lt;/tr&amp;gt;&lt;br /&gt;
  &amp;lt;/table&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Web Security Cheat Sheet =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable sortable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Guideline&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Benefit&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Difficulty&lt;br /&gt;
! data-sort-type=&amp;quot;number&amp;quot; | Order&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
! Requirements&lt;br /&gt;
! Notes&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;HTTPS&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;0&amp;quot; | &lt;br /&gt;
| Mandatory&lt;br /&gt;
| Sites should use HTTPS (or other secure protocols) for all communications&lt;br /&gt;
|- style=&amp;quot;background-color: #E99696;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Public Key Pinning|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Public Key Pinning&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; data-sort-value=&amp;quot;99&amp;quot; | --&lt;br /&gt;
| Mandatory for maximum risk sites only&lt;br /&gt;
| Not recommended for most sites&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Redirections|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Redirections from HTTP&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 3&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#Resource Loading|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Resource Loading&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;4&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Maximum&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 2&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;5&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTP Strict Transport Security|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Strict Transport Security&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 4&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Minimum allowed time period of six months&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;6&amp;quot; style=&amp;quot;padding-left: 1.5em;&amp;quot; | [[#HTTPS|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;TLS Configuration&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 1&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;7&amp;quot; | [[#Content Security Policy|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Content Security Policy&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 10&lt;br /&gt;
| Mandatory for new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Disabling inline script is the greatest concern for CSP implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;8&amp;quot; | [[#Cookies|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cookies&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 7&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| All cookies must be set with the Secure flag, and set as restrictively as possible&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;9&amp;quot; | [[#contribute.json|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;contribute.json&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 9&lt;br /&gt;
| Mandatory for all new Mozilla websites&amp;lt;br&amp;gt;Recommended for existing Mozilla sites&lt;br /&gt;
| Mozilla sites should serve contribute.json and keep contact information up-to-date&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;10&amp;quot; | [[#Cross-origin Resource Sharing|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-origin Resource Sharing&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 11&lt;br /&gt;
| Mandatory&lt;br /&gt;
| Origin sharing headers and files should not be present, except for specific use cases&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;11&amp;quot; | [[#CSRF Prevention|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Cross-site Request Forgery Tokenization&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;99&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | --&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 6&lt;br /&gt;
| Varies&lt;br /&gt;
| Mandatory for websites that allow destructive changes&amp;lt;br&amp;gt;Unnecessary for all other websites&amp;lt;br&amp;gt;Most application frameworks have built-in CSRF tokenization to ease implementation&lt;br /&gt;
|- style=&amp;quot;background-color: #D2D2D2;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;12&amp;quot; | [[#robots.txt|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;robots.txt&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 13&lt;br /&gt;
| Optional&lt;br /&gt;
| Websites that implement robots.txt must use it only for noted purposes&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;13&amp;quot; | [[#Subresource Integrity|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;Subresource Integrity&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 14&lt;br /&gt;
| Recommended&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt;&lt;br /&gt;
| &amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;Dagger;&amp;lt;/sup&amp;gt; Only for websites that load JavaScript or stylesheets from foreign origins&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;14&amp;quot; | [[#X-Content-Type-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Content-Type-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 8&lt;br /&gt;
| Recommended for all websites&lt;br /&gt;
| Websites should verify that they are setting the proper MIME types for all resources&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;15&amp;quot; | [[#X-Frame-Options|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-Frame-Options&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;3&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | High&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Easy&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 5&lt;br /&gt;
| Mandatory for all websites&lt;br /&gt;
| Websites that don&#039;t use DENY or SAMEORIGIN must employ clickjacking defenses&lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| data-sort-value=&amp;quot;16&amp;quot; | [[#X-XSS-Protection|&amp;lt;span style=&amp;quot;color: black;&amp;quot;&amp;gt;X-XSS-Protection&amp;lt;/span&amp;gt;]]&lt;br /&gt;
| data-sort-value=&amp;quot;1&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Low&lt;br /&gt;
| data-sort-value=&amp;quot;2&amp;quot; style=&amp;quot;text-align: center;&amp;quot; | Medium&lt;br /&gt;
| style=&amp;quot;text-align: center;&amp;quot; | 12&lt;br /&gt;
| Mandatory for all new websites&amp;lt;br&amp;gt;Recommended for existing websites&lt;br /&gt;
| Manual testing should be done for existing websites, prior to implementation&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;margin-left: 1.5em;&amp;quot;&amp;gt;&amp;lt;sup style=&amp;quot;font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;&amp;quot;&amp;gt;&amp;amp;dagger;&amp;lt;/sup&amp;gt; Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&amp;lt;div style=&amp;quot;max-width: 75em;&amp;quot;&amp;gt;&lt;br /&gt;
= Transport Layer Security =&lt;br /&gt;
&lt;br /&gt;
== HTTPS ==&lt;br /&gt;
&lt;br /&gt;
Transport Layer Security (TLS/SSL) provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems.&lt;br /&gt;
&lt;br /&gt;
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites intended for general public consumption should use the [[Security/Server Side TLS#Intermediate compatibility (default)|Mozilla intermediate TLS configuration]].&lt;br /&gt;
&lt;br /&gt;
Websites that require backwards compatibility with extremely old browsers and operating systems may use the [[Security/Server Side TLS#Old backward compatibility|Mozilla backwards compatible TLS configuration]]. This is not recommended, and use of this compatibility level should be noted in your risk assessment.&lt;br /&gt;
&lt;br /&gt;
=== Compatibility ===&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! Configuration&lt;br /&gt;
! Oldest compatible clients&lt;br /&gt;
|- style=&amp;quot;background-color: #9EDB58;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Modern&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 27, Chrome 22, Internet Explorer 11, Opera 14, Safari 7, Android 4.4, Java 8 &lt;br /&gt;
|- style=&amp;quot;background-color: #E8E27A;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Intermediate&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Firefox 1, Chrome 1, Internet Explorer 7, Opera 5, Safari 1, Internet Explorer 8 (XP), Android 2.3, Java 7 &lt;br /&gt;
|- style=&amp;quot;background-color: #CCCCCC;&amp;quot;&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | Backwards&lt;br /&gt;
| style=&amp;quot;padding-left: .5em;&amp;quot; | Internet Explorer 6 (XP), Java 6 &lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [[Security/Server Side TLS|Mozilla Server Side TLS Guidelines]]&lt;br /&gt;
* [https://mozilla.github.io/server-side-tls/ssl-config-generator/ Mozilla Server Side TLS Configuration Generator] - generates software configurations for the three levels of compatibility&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Strict Transport Security ==&lt;br /&gt;
&lt;br /&gt;
HTTP Strict Transport Security (HSTS) is an HTTP header that notifies user agents to only connect to a given site over HTTPS, even if the scheme chosen was HTTP.  Browsers that have had HSTS set for a given site will transparently upgrade all requests to HTTPS.  HSTS also tells the browser to treat TLS and certificate-related errors more strictly by disabling the ability for users to bypass the error page.&lt;br /&gt;
&lt;br /&gt;
The header consists of one mandatory parameter (&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt;) and two optional parameters (&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt;), separated by semicolons.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long user agents will redirect to HTTPS, in seconds&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should upgrade requests on subdomains&lt;br /&gt;
* &amp;lt;tt&amp;gt;preload:&amp;lt;/tt&amp;gt; whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; on &amp;lt;tt&amp;gt;domain.mozilla.com&amp;lt;/tt&amp;gt; will also set it on &amp;lt;tt&amp;gt;host1.domain.mozilla.com&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;host2.domain.mozilla.com&amp;lt;/tt&amp;gt;. Extreme care is needed when setting the &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; flag, as it could disable sites on subdomains that don&#039;t yet have HTTPS enabled.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;preload&amp;lt;/tt&amp;gt; allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that &amp;lt;tt&amp;gt;includeSubDomains&amp;lt;/tt&amp;gt; also be set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site via HTTPS for the next year (recommended)&lt;br /&gt;
Strict-Transport-Security: max-age=31536000&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list&lt;br /&gt;
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/docs/Web/Security/HTTP_strict_transport_security MDN on HTTP Strict Transport Security]&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6797 RFC6797: HTTP Strict Transport Security (HSTS)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Redirections ==&lt;br /&gt;
&lt;br /&gt;
Websites may continue to listen on port 80 (HTTP) so that users do not get connection errors when typing a URL into their address bar, as browsers currently connect via HTTP for their initial request.  Sites that listen on port 80 should only redirect to the same resource on HTTPS. Once the redirection has occured, [[#HTTP Strict Transport Security|HSTS]] should ensure that all future attempts go to the site via HTTP are instead sent directly to the secure site. APIs or websites not intended for public consumption should disable the use of HTTP entirely.&lt;br /&gt;
&lt;br /&gt;
Redirections should be done with the 301 redirects, unless they redirect to a different path, in which case they may be done with 302 redirections. Sites should avoid redirections from HTTP to HTTPS on a different host, as this prevents HSTS from being set.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect all incoming http requests to the same site and URI on https, using nginx&lt;br /&gt;
server {&lt;br /&gt;
  listen 80;&lt;br /&gt;
&lt;br /&gt;
  return 301 https://$host$request_uri;&lt;br /&gt;
}&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Redirect for site.mozilla.org from http to https, using Apache&lt;br /&gt;
&amp;lt;VirtualHost *:80&amp;gt;&lt;br /&gt;
  ServerName site.mozilla.org&lt;br /&gt;
  Redirect permanent / https://site.mozilla.org/&lt;br /&gt;
&amp;lt;/VirtualHost&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== HTTP Public Key Pinning ==&lt;br /&gt;
&lt;br /&gt;
[[Security/Risk management/Rapid Risk Assessment#RRA Risk table (5-10 minutes)|Maximum risk]] sites must enable the use of HTTP Public Key Pinning (HPKP). HPKP instructs a user agent to bind a site to specific root certificate authority, intermediate certificate authority, or end-entity public key. This prevents  certificate authorities from issuing unauthorized certificates for a given domain that would nevertheless be trusted by the browsers. These fradulent certificates would allow an active attacker to MitM and impersonate a website, intercepting credentials and other sensitive data.&lt;br /&gt;
&lt;br /&gt;
Due to the risk of knocking yourself off the internet, HPKP must be implemented with extreme care. This includes having backup key pins, testing on a non-production domain, testing with &amp;lt;tt&amp;gt;Public-Key-Pins-Report-Only&amp;lt;/tt&amp;gt; and then finally doing initial testing with a very short-lived &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; directive. Because of the risk of creating a self-denial-of-service and the very low risk of a fraudulent certificate being issued, it is &amp;lt;em&amp;gt;not recommended&amp;lt;/em&amp;gt; for the majority websites to implement HPKP.&lt;br /&gt;
&lt;br /&gt;
=== Directives ===&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;max-age:&amp;lt;/tt&amp;gt; how long the user agent the keys will be pinned; the site must use a cert that meets these pins until this time expires&lt;br /&gt;
* &amp;lt;tt&amp;gt;includeSubDomains:&amp;lt;/tt&amp;gt; whether user agents should pin all subdomains to the same pins&lt;br /&gt;
&lt;br /&gt;
Unlike with HSTS, what to set &amp;lt;tt&amp;gt;max-age&amp;lt;/tt&amp;gt; is highly individualized to a given site.  A longer value is more secure, but screwing up your key pins will result in your site being unavailable for a longer period of time. Recommended values fall between 15 and 120 days.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pin to DigiCert, Let&#039;s Encrypt, and the local public-key, including subdomains, for 15 days&lt;br /&gt;
Public-Key-Pins: max-age=1296000; includeSubDomains; pin-sha256=&amp;quot;WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=&amp;quot;;&lt;br /&gt;
  pin-sha256=&amp;quot;YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=&amp;quot;; pin-sha256=&amp;quot;P0NdsLTMT6LSwXLuSEHNlvg4WxtWb5rIJhfZMyeXUE0=&amp;quot;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]&lt;br /&gt;
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== Resource Loading ==&lt;br /&gt;
&lt;br /&gt;
All resources &amp;amp;mdash; whether on the same origin or not &amp;amp;mdash; should be loaded over secure channels. Secure (HTTPS) websites that attempt to load active resources such as JavaScript insecurely will be blocked by browsers. As a result, users will experience degraded UIs and &amp;amp;ldquo;mixed content&amp;amp;rdquo; warnings. Attempts to load passive content (such as images) insecurely, although less risky, will still lead to degraded UIs and can allow active attackers to deface websites or phish users.&lt;br /&gt;
&lt;br /&gt;
Despite the fact that modern browsers make it evident that websites are loading resources insecurely, these errors still occur with significant frequency. To prevent this from occuring, developers should verify that all resources are loaded securely prior to deployment.&lt;br /&gt;
&lt;br /&gt;
=== Examples ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- HTTPS is a fantastic way to load a JavaScript resource --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempts to load over HTTP will be blocked and will generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-1.12.0.min.js&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Although passive content won&#039;t be blocked, it will still generate mixed content warnings --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;http://very.badssl.com/image.jpg&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== See Also ===&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Security/MixedContent MDN on Mixed Content]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Content Security Policy =&lt;br /&gt;
&lt;br /&gt;
Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities. Due to the difficulty in retrofitting CSP into existing websites, CSP is mandatory for all new websites and is strongly recommended for all existing high-risk sites.&lt;br /&gt;
&lt;br /&gt;
The primary benefit of CSP comes from disabling the use of unsafe inline JavaScript. Inline JavaScript -- either reflected or stored -- means that improperly escaped user-inputs can generate code that is interpreted by the web browser as JavaScript. By using CSP to disable inline JavaScript, you can effectively eliminate almost all XSS attacks against your site.&lt;br /&gt;
&lt;br /&gt;
Note that disabling inline JavaScript means that &amp;lt;em&amp;gt;all&amp;lt;/em&amp;gt; JavaScript must be loaded from &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; src tags . Event handlers such as &amp;lt;em&amp;gt;onclick&amp;lt;/em&amp;gt; used directly on a tag will fail to work, as will JavaScript inside &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags but not loaded via &amp;lt;tt&amp;gt;src&amp;lt;/tt&amp;gt;. Furthermore, inline stylesheets using either &amp;lt;tt&amp;gt;&amp;amp;lt;style&amp;amp;gt;&amp;lt;/tt&amp;gt; tags or the &amp;lt;tt&amp;gt;style&amp;lt;/tt&amp;gt; attribute will also fail to load. As such, care must be taken when designing sites so that CSP becomes easier to implement.&lt;br /&gt;
&lt;br /&gt;
== Implementation Notes ==&lt;br /&gt;
&lt;br /&gt;
* Aiming for &amp;lt;tt&amp;gt;default-src: https:&amp;lt;/tt&amp;gt; is a great first goal, as it disables inline code and requires https.&lt;br /&gt;
* For existing websites with large codebases that would require too much work to disable inline scripts, &amp;lt;tt&amp;gt;default-src: https: &#039;unsafe-inline&#039;&amp;lt;/tt&amp;gt; is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.&lt;br /&gt;
* Sites that want to go further are recommended to start with a reasonably locked down policy such as &amp;lt;tt&amp;gt;default-src &#039;none&#039;; connect-src &#039;self&#039;; img-src &#039;self&#039;; script-src &#039;self&#039;; style-src &#039;self&#039;&amp;lt;/tt&amp;gt; and then add in remote sources as revealed during testing.&lt;br /&gt;
* In lieu of the preferred HTTP header, pages can instead include a &amp;lt;tt&amp;gt;&amp;amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;&amp;amp;hellip;&amp;quot;&amp;amp;gt;&amp;lt;/tt&amp;gt; tag. If they do, it should be the first &amp;lt;tt&amp;gt;&amp;amp;lt;meta&amp;amp;gt;&amp;lt;/tt&amp;gt; tag that appears inside &amp;lt;tt&amp;gt;&amp;amp;lt;head&amp;amp;gt;&amp;lt;/tt&amp;gt;.&lt;br /&gt;
* Care needs to be taken with &amp;lt;tt&amp;gt;blob:&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;data:&amp;lt;/tt&amp;gt; URIs, as these are not covered by &#039;self&#039; and need to be included in the CSP declaration&lt;br /&gt;
* Sites should ideally use the &amp;lt;tt&amp;gt;report-uri&amp;lt;/tt&amp;gt; directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.&lt;br /&gt;
* Prior to implementation, it is recommended to use the &amp;lt;tt&amp;gt;Content-Security-Policy-Report-Only&amp;lt;/tt&amp;gt; HTTP header, to see if any violations would have occured with that policy.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)&lt;br /&gt;
Content-Security-Policy: default-src https:&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;-- Do the same thing, but with a &amp;lt;meta&amp;gt; tag --&amp;amp;gt;&lt;br /&gt;
&amp;lt;meta http-equiv=&amp;quot;Content-Security-Policy&amp;quot; content=&amp;quot;default-src https:&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable the use of unsafe inline/eval, allow everything else&lt;br /&gt;
Content-Security-Policy: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur&lt;br /&gt;
Content-Security-Policy: default-src &#039;self&#039;; font-src &#039;https://fonts.googleapis.com&#039;; img-src &#039;self&#039; https://i.imgur.com&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https&lt;br /&gt;
Content-Security-Policy: default-src https: &#039;unsafe-eval&#039; &#039;unsafe-inline&#039;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Don&#039;t implement the above policy yet; instead just report violations that would have occured&lt;br /&gt;
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]&lt;br /&gt;
* [http://www.cspplayground.com/ Content Security Policy Playground]&lt;br /&gt;
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= contribute.json =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is a Mozilla standard used to describe all active Mozilla websites and projects.&lt;br /&gt;
&lt;br /&gt;
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, &amp;lt;tt&amp;gt;contribute.json&amp;lt;/tt&amp;gt; is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.&lt;br /&gt;
&lt;br /&gt;
Require subkeys include &amp;lt;tt&amp;gt;name&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;description&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;bugs&amp;lt;/tt&amp;gt;, &amp;lt;tt&amp;gt;participate&amp;lt;/tt&amp;gt; (particularly &amp;lt;tt&amp;gt;irc&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;irc-clients&amp;lt;/tt&amp;gt;), and &amp;lt;tt&amp;gt;urls&amp;lt;/tt&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;p style=&amp;quot;border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;&amp;quot;&amp;gt;{&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;name&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;Bedrock&amp;quot;,&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;description&amp;lt;/b&amp;gt;&amp;quot;: &amp;quot;The app powering www.mozilla.org.&amp;quot;,&lt;br /&gt;
    &amp;quot;repository&amp;quot;: {&lt;br /&gt;
        &amp;quot;url&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://github.com/mozilla/bedrock&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;license&amp;quot;: &amp;quot;MPL2&amp;quot;,&lt;br /&gt;
        &amp;quot;tests&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://travis-ci.org/mozilla/bedrock/&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;participate&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;home&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;docs&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;http://bedrock.readthedocs.org/&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mailing-list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org/about/forums/#dev-mozilla-org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc&amp;lt;/b&amp;gt;&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;irc://irc.mozilla.org/#www&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;&amp;lt;b&amp;gt;irc-contacts&amp;lt;/b&amp;gt;&amp;quot;: [&lt;br /&gt;
            &amp;quot;someperson1&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson2&amp;quot;,&lt;br /&gt;
            &amp;quot;someperson3&amp;quot;&lt;br /&gt;
        ]&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;bugs&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;list&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;report&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;mentored&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&amp;amp;o1=isnotempty&lt;br /&gt;
                       &amp;amp;query_format=advanced&amp;amp;bug_status=NEW&amp;amp;product=www.mozilla.org&amp;amp;list_id=10866041&amp;quot;&amp;lt;/nowiki&amp;gt;&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;&amp;lt;b&amp;gt;urls&amp;lt;/b&amp;gt;&amp;quot;: {&lt;br /&gt;
        &amp;quot;prod&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.mozilla.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;stage&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;dev&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-dev.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
        &amp;quot;demo1&amp;quot;: &amp;lt;nowiki&amp;gt;&amp;quot;https://www-demo1.allizom.org&amp;quot;&amp;lt;/nowiki&amp;gt;,&lt;br /&gt;
    },&lt;br /&gt;
    &amp;quot;keywords&amp;quot;: [&lt;br /&gt;
        &amp;quot;python&amp;quot;,&lt;br /&gt;
        &amp;quot;less-css&amp;quot;,&lt;br /&gt;
        &amp;quot;django&amp;quot;,&lt;br /&gt;
        &amp;quot;html5&amp;quot;,&lt;br /&gt;
        &amp;quot;jquery&amp;quot;&lt;br /&gt;
    ]&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/p&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.contributejson.org/ The contribute.json Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cookies =&lt;br /&gt;
&lt;br /&gt;
All cookies should be created such that their access is as limited as possible. This can help minimize damage from cross-site scripting (XSS) vulnerabilities, as these cookies often contain session identifiers or other sensitive information.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt;: All cookies must be set with the &amp;lt;tt&amp;gt;Secure&amp;lt;/tt&amp;gt; flag, indicating that they should only be sent over HTTPS&lt;br /&gt;
* &amp;lt;tt&amp;gt;HttpOnly:&amp;lt;/tt&amp;gt; Cookies that don&#039;t require access from JavaScript should be set with the &amp;lt;tt&amp;gt;HttpOnly&amp;lt;/tt&amp;gt; flag&lt;br /&gt;
* Expiration: Cookies should expire as soon as is necessary: session identifiers in particular should expire quickly&lt;br /&gt;
** &amp;lt;tt&amp;gt;Expires:&amp;lt;/tt&amp;gt; Sets an absolute expiration date for a given cookie&lt;br /&gt;
** &amp;lt;tt&amp;gt;Max-Age:&amp;lt;/tt&amp;gt; Sets a relative expiration date for a given cookie (not supported by IE &amp;lt;8)&lt;br /&gt;
* &amp;lt;tt&amp;gt;Domain:&amp;lt;/tt&amp;gt; Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible&lt;br /&gt;
* &amp;lt;tt&amp;gt;Path:&amp;lt;/tt&amp;gt; Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory&lt;br /&gt;
&lt;br /&gt;
== Experimental Directives ==&lt;br /&gt;
&lt;br /&gt;
* Name: Cookie names may be either be prepended with either &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; to prevent cookies from being overwritten by insecure sources&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Host-&amp;lt;/tt&amp;gt; for all cookies set to an individual host (no Domain parameter) and with no Path parameter&lt;br /&gt;
** Use &amp;lt;tt&amp;gt;__Secure-&amp;lt;/tt&amp;gt; for all other cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier cookie only accessible on this host that gets purged when the user closes their browser&lt;br /&gt;
Set-Cookie: MOZSESSIONID=980e5da39d4b472b9f504cac9; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Session identifier for all mozilla.org sites that expires in 30 days using the experimental __Secure- prefix&lt;br /&gt;
Set-Cookie: __Secure-MOZSESSIONID=7307d70a86bd4ab5a00499762; Max-Age=2592000; Domain=mozilla.org; Path=/; Secure; HttpOnly&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Sets a long-lived cookie for the current host, accessible by Javascript, when the user accepts the ToS&lt;br /&gt;
Set-Cookie: __Host-ACCEPTEDTOS=true; Expires=Fri, 31 Dec 9999 23:59:59 GMT; Path=/; Secure&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]&lt;br /&gt;
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Cross-origin Resource Sharing =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest.  &amp;lt;tt&amp;gt;crossorigin.xml&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;clientaccesspolicy.xml&amp;lt;/tt&amp;gt; provide similar functionality, but for Flash and Silverlight-based applications, respectively.&lt;br /&gt;
&lt;br /&gt;
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, &amp;lt;em&amp;gt;only&amp;lt;/em&amp;gt; the API resources should return the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Failure to do so will allow foreign origins to read the contents of any page on your origin.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow any site to read the contents of this JavaScript library, so that subresource integrity works&lt;br /&gt;
Access-Control-Allow-Origin: *&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Allow https://random-dashboard.mozilla.org to read the returned results of this API&lt;br /&gt;
Access-Control-Allow-Origin: https://random-dashboard.mozilla.org&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Allow Flash from https://random-dashboard.mozilla.org to read page contents --&amp;amp;gt;&lt;br /&gt;
&amp;lt;cross-domain-policy xsi:noNamespaceSchemaLocation=&amp;quot;http://www.adobe.com/xml/schemas/PolicyFile.xsd&amp;quot;&amp;gt;&lt;br /&gt;
  &amp;lt;allow-access-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;site-control permitted-cross-domain-policies=&amp;quot;master-only&amp;quot;/&amp;gt;&lt;br /&gt;
  &amp;lt;allow-http-request-headers-from domain=&amp;quot;random-dashboard.mozilla.org&amp;quot; headers=&amp;quot;*&amp;quot; secure=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
&amp;lt;/cross-domain-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- The same thing, but for Silverlight--&amp;amp;gt;&lt;br /&gt;
&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;utf-8&amp;quot;?&amp;gt;&lt;br /&gt;
&amp;lt;access-policy&amp;gt;&lt;br /&gt;
  &amp;lt;cross-domain-access&amp;gt;&lt;br /&gt;
    &amp;lt;policy&amp;gt;&lt;br /&gt;
      &amp;lt;allow-from http-request-headers=&amp;quot;*&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;domain uri=&amp;quot;https://random-dashboard.mozilla.org&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/allow-from&amp;gt;&lt;br /&gt;
      &amp;lt;grant-to&amp;gt;&lt;br /&gt;
        &amp;lt;resource path=&amp;quot;/&amp;quot; include-subpaths=&amp;quot;true&amp;quot;/&amp;gt;&lt;br /&gt;
      &amp;lt;/grant-to&amp;gt;&lt;br /&gt;
    &amp;lt;/policy&amp;gt;&lt;br /&gt;
  &amp;lt;/cross-domain-access&amp;gt;&lt;br /&gt;
&amp;lt;/access-policy&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS MDN on HTTP access control (CORS)]&lt;br /&gt;
* [https://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html Adobe on Setting crossdomain.xml]&lt;br /&gt;
* [https://msdn.microsoft.com/library/cc197955%28v=vs.95%29.aspx Microsoft on Setting clientaccesspolicy.xml]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= CSRF Prevention =&lt;br /&gt;
&lt;br /&gt;
Cross-site request forgeries are a class of attacks where unauthorized commands are transmitted to a website from a trusted user. Because they inherit the users cookies (and hence session information), they appear to be validly issued commands. A CSRF attack might like this:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Attempt to delete a user&#039;s account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;img src=&amp;quot;https://accounts.mozilla.org/management/delete?confirm=true&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When a user visits a page with that HTML fragment, the browser will attempt to make a GET request to that URL. If the user is logged in, the browser will provide their session cookies and the account deletion attempt will be successful.&lt;br /&gt;
&lt;br /&gt;
While there are a variety of mitigation strategies such as Origin/Referrer checking and challenge-response systems (such as [https://en.wikipedia.org/wiki/CAPTCHA CAPTCHA]), the most common and transparent method of CSRF mitigation is through the use of anti-CSRF tokens. Anti-CSRF tokens prevent CSRF attacks by requiring the existence of a secret, unique, and unpredictable token on all destructive changes. These tokens can be set for an entire user session, rotated on a regular basis, or be created uniquely for each request.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- A secret anti-CSRF token, included in the form to delete an account --&amp;amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;csrftoken&amp;quot; value=&amp;quot;1df93e1eafa42012f9a8aff062eeb1db0380b&amp;quot;&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Server-side: set an anti-CSRF cookie that JavaScript must send as an X header&lt;br /&gt;
Set-Cookie: CSRFTOKEN=1df93e1eafa42012f9a8aff062eeb1db0380b; Path=/; Secure&lt;br /&gt;
&lt;br /&gt;
// Client-side, have JavaScript add it as an X header to the XMLHttpRequest&lt;br /&gt;
var token = readCookie(CSRFTOKEN);                   // read the cookie&lt;br /&gt;
httpRequest.setRequestHeader(&#039;X-CSRF-Token&#039;, token); // add it as an X-CSRF-Token header&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]&lt;br /&gt;
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= robots.txt =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventing the pollution of search results, for resources that don&#039;t benefit from being searchable.&lt;br /&gt;
&lt;br /&gt;
Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as &amp;lt;tt&amp;gt;robots.txt&amp;lt;/tt&amp;gt; is frequently used for reconnaisance.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Stop all search engines from archiving this site&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Using robots.txt to hide certain directories is a terrible idea&lt;br /&gt;
User-agent: *&lt;br /&gt;
Disallow: /secret/admin-interface&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [http://www.robotstxt.org/robotstxt.html About robots.txt]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Subresource Integrity =&lt;br /&gt;
&lt;br /&gt;
Subresource integrity is a recent W3C standard that protects against attackers modifying the contents of JavaScript libraries hosted on content delivery networks (CDNs) in order to create vulnerabilities in all websites that make use of that hosted library.&lt;br /&gt;
&lt;br /&gt;
For example, JavaScript code on jquery.org that is loaded from mozilla.org has access to the entire contents of everything of mozilla.org. If this resource was successfully attacked, it could modify download links, deface the site, steal credentials, cause denial-of-service attacks, and more.&lt;br /&gt;
&lt;br /&gt;
Subresource integrity locks an external JavaScript resource to its known contents at a specific point in time. If the file is modified at any point thereafter, supporting web browsers will refuse to load it. As such, the use of subresource integrity is mandatory for all external JavaScript resources loaded from sources not hosted on Mozilla-controlled systems.&lt;br /&gt;
&lt;br /&gt;
Note that CDNs must support the Cross Origin Resource Sharing (CORS) standard by setting the &amp;lt;tt&amp;gt;Access-Control-Allow-Origin&amp;lt;/tt&amp;gt; header. Most CDNs already do this, but if the CDN you are loading does not support CORS, please contact Mozilla Information Security. We are happy to contact the CDN on your behalf.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;integrity:&amp;lt;/tt&amp;gt; a cryptographic hash of the file, prepended with the hash function used to generate it&lt;br /&gt;
* &amp;lt;tt&amp;gt;crossorigin:&amp;lt;/tt&amp;gt; should be &amp;lt;tt&amp;gt;anonymous&amp;lt;/tt&amp;gt; to inform browsers to send anonymous requests without cookies&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load jQuery 2.1.4 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://code.jquery.com/jquery-2.1.4.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-R4/ztc4ZlRqWjqIuvf6RX5yb/v90qNGx6fS48N0tRxiGkqveZETq72KgDVJCp2TC&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&amp;amp;lt;!-- Load AngularJS 1.4.8 from their CDN --&amp;amp;gt;&lt;br /&gt;
&amp;lt;script src=&amp;quot;https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js&amp;quot;&lt;br /&gt;
  integrity=&amp;quot;sha384-r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;quot;&lt;br /&gt;
  crossorigin=&amp;quot;anonymous&amp;quot;&amp;gt;&amp;lt;/script&amp;gt;&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Generate the hash myself&lt;br /&gt;
$ curl -s https://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js | \&lt;br /&gt;
    openssl dgst -sha384 -binary | \&lt;br /&gt;
    openssl base64 -A&lt;br /&gt;
&lt;br /&gt;
r1y8TJcloKTvouxnYsi4PJAx+nHNr90ibsEn3zznzDzWBN9X3o3kbHLSgcIPtzAp&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://www.srihash.org/ SRI Hash Generator] - generates &amp;lt;tt&amp;gt;&amp;amp;lt;script&amp;amp;gt;&amp;lt;/tt&amp;gt; tags for you, and informs you if the CDN lacks CORS support&lt;br /&gt;
* [https://w3c.github.io/webappsec-subresource-integrity/ Subresource Integrity W3C Standard]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Content-Type-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the &amp;lt;tt&amp;gt;X-Content-Type-Options&amp;lt;/tt&amp;gt; header and the appropriate MIME types for files that they serve.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Prevent IE and Chrome from incorrectly detecting non-scripts as scripts&lt;br /&gt;
X-Content-Type-Options: nosniff&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-Frame-Options =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-Frame-Options&amp;lt;/tt&amp;gt; is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.&lt;br /&gt;
&lt;br /&gt;
Sites that require the ability to be iframed must either use the &amp;lt;tt&amp;gt;ALLOW-FROM&amp;lt;/tt&amp;gt; directive or employ JavaScript defenses to prevent clickjacking from malicious origins.&lt;br /&gt;
&lt;br /&gt;
== Directives ==&lt;br /&gt;
&lt;br /&gt;
* &amp;lt;tt&amp;gt;DENY&amp;lt;/tt&amp;gt;: disallow allow attempts to iframe site (recommended)&lt;br /&gt;
* &amp;lt;tt&amp;gt;SAMEORIGIN&amp;lt;/tt&amp;gt;: allow the site to iframe itself&lt;br /&gt;
* &amp;lt;tt&amp;gt;ALLOW-FROM &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt;&amp;lt;/tt&amp;gt;: allow &amp;lt;em&amp;gt;uri&amp;lt;/em&amp;gt; to iframe site (not supported in Chrome and Safari)&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block site from being iframed&lt;br /&gt;
X-Frame-Options: DENY&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Only allow my site to frame itself&lt;br /&gt;
X-Frame-Options: SAMEORIGIN&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
== See Also ==&lt;br /&gt;
&lt;br /&gt;
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]&lt;br /&gt;
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= X-XSS-Protection =&lt;br /&gt;
&lt;br /&gt;
&amp;lt;tt&amp;gt;X-XSS-Protection&amp;lt;/tt&amp;gt; is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;# Block pages from loading when they detect reflected XSS attacks&lt;br /&gt;
X-XSS-Protection: 1; mode=block&amp;lt;/pre&amp;gt;&lt;br /&gt;
&amp;lt;/div&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Version History =&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; style=&amp;quot;width: 100%;&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Version&lt;br /&gt;
! scope=&amp;quot;col&amp;quot; style=&amp;quot;width: 6em;&amp;quot; | Editor&lt;br /&gt;
! Changes&lt;br /&gt;
|-&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | 1.0&lt;br /&gt;
| align=&amp;quot;center&amp;quot; | April&lt;br /&gt;
| Initial document creation&lt;br /&gt;
|}&lt;/div&gt;</summary>
		<author><name>Apking</name></author>
	</entry>
</feed>