(added cheat sheet) | (Colorized cheat sheet)
Line 266: | Line 266: | ||
= robots.txt = | = robots.txt = | ||
<tt>robots.txt</tt> is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. | <tt>robots.txt</tt> is a text file placed within the root directory of a site that tells robots (such as indexers employed by search engines) how to behave, by instructing them not to index certain paths on the website. This is particularly useful for reducing load on your website, though disabling the indexing of automatically generated content. It can also be helpful for preventation the pollution of search results, for resources that don't benefit from being searchable. | ||
Sites may optionally use robots.txt, but should only use it for | Sites may optionally use robots.txt, but should only use it for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. Although this does prevent these sites from appearing in search engines, it does not prevent its discovery from attackers, as <tt>robots.txt</tt> is frequently used for reconnaisance. | ||
== Examples == | == Examples == | ||
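Review bot: the new sentence in the robots.txt paragraph has two spelling errors: "preventation the pollution of search results" should read "preventing the pollution of search results", and "reconnaisance" should be "reconnaissance". The phrase "though disabling the indexing of automatically generated content" (present in both revisions) reads as "through disabling the indexing ..."; worth fixing while this paragraph is being edited. The added caveat that robots.txt must not be used to hide private information is the right point for readers to take away; consider stating the positive control alongside it, i.e. that paths which must not be disclosed need access control, not exclusion from crawling, so the guidance tells readers what to do rather than only what not to do.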
Line 378: | Line 378: | ||
= Web Security Cheat Sheet = | = Web Security Cheat Sheet = | ||
{| class="wikitable" | {| class="wikitable" style="width: 100%;" | ||
|- | |- | ||
! Guideline | ! Guideline | ||
! Requirements | ! Requirements | ||
! Notes | ! Notes | ||
|- | |- style="background-color: #9EDB58;" | ||
| HTTPS | | HTTPS | ||
| Mandatory | | Mandatory | ||
| | | Use the most secure TLS configuration for your userbase | ||
|- | |- style="background-color: #9EDB58;" | ||
| HTTP Strict Transport Security | | HTTP Strict Transport Security | ||
| Mandatory for all websites | | Mandatory for all websites | ||
| Minimum allowed time period of six months | | Minimum allowed time period of six months | ||
|- | |- style="background-color: #9EDB58;" | ||
| HTTP Redirections | | HTTP Redirections | ||
| Mandatory | | Mandatory | ||
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely | | Websites must redirect to HTTPS, API endpoints should disable HTTP entirely | ||
|- | |- style="background-color: #E99696;" | ||
| HTTP Public Key Pinning | | HTTP Public Key Pinning | ||
| Mandatory for critical risk sites | | Mandatory for critical risk sites only | ||
| Not recommended for most sites | | Not recommended for most sites | ||
|- | |- style="background-color: #E8E27A;" | ||
| Content Security Policy | | Content Security Policy | ||
| Mandatory for new websites<br>Recommended for existing websites | | Mandatory for new websites<br>Recommended for existing websites | ||
| Disabling inline script is the highest priority for CSP | | Disabling inline script is the highest priority for CSP | ||
|- | |- style="background-color: #9EDB58;" | ||
| Cookies | | Cookies | ||
| Mandatory | | Mandatory | ||
| All cookies must be set with Secure, and as | | All cookies must be set with Secure, and set as restrictively as possible | ||
|- | |- style="background-color: #9EDB58;" | ||
| Cross-origin Resource Sharing | | Cross-origin Resource Sharing | ||
| Mandatory | | Mandatory | ||
| Origin sharing headers and files should not be present, except for specific use cases | | Origin sharing headers and files should not be present, except for specific use cases | ||
|- | |- style="background-color: #9EDB58;" | ||
| Cross-site Request Forgery | | Cross-site Request Forgery<br>Tokenization | ||
| | | Mandatory for certain websites | ||
| Mandatory for | | Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites | ||
|- | |- style="background-color: #CCCCCC;" | ||
| robots.txt | | robots.txt | ||
| Optional | | Optional | ||
| | | Websites that implement robots.txt must use it only for noted purposes | ||
|- | |- style="background-color: #9EDB58;" | ||
| Subresource Integrity | | Subresource Integrity | ||
| Mandatory | | Mandatory | ||
| Mandatory for all websites that load JavaScript | | Mandatory for all websites that load JavaScript or stylesheets from non-Mozilla sources | ||
|- | |- style="background-color: #9EDB58;" | ||
| X-Content-Type-Options | | X-Content-Type-Options | ||
| Mandatory for all websites | | Mandatory for all websites | ||
| Websites should verify that they are setting the proper MIME types for all resources | | Websites should verify that they are setting the proper MIME types for all resources | ||
|- | |- style="background-color: #9EDB58;" | ||
| X-Frame-Options | | X-Frame-Options | ||
| Mandatory for all websites | | Mandatory for all websites | ||
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses | | Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses | ||
|- | |- style="background-color: #E8E27A;" | ||
| X-XSS-Protection | | X-XSS-Protection | ||
| Mandatory for all new websites<br>Recommended for existing websites | | Mandatory for all new websites<br>Recommended for existing websites | ||
| Manual testing should be done for existing websites, prior to implementation | | Manual testing should be done for existing websites, prior to implementation | ||
|} | |} |
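Review bot: the row background colours added here (#9EDB58, #E8E27A, #E99696, #CCCCCC) encode the requirement level, but the table has no legend, so a reader cannot tell what green, yellow, red and grey mean; add a one-line key above the table and consider a CSS class per level instead of repeating the inline style on every "|-" row. Two rows are also internally inconsistent after this change: "HTTP Public Key Pinning" says "Mandatory for critical risk sites only" in Requirements but "Not recommended for most sites" in Notes, and "Subresource Integrity" says plain "Mandatory" in Requirements while Notes narrows it to sites "that load JavaScript or stylesheets from non-Mozilla sources". Put the condition in the Requirements cell for both (as the CSRF row now does with "Mandatory for websites that allow destructive changes") so the Requirements column alone states who must comply.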