Anti-spam team, Confirmed users
99
edits
User:Apking/Web Security Guidelines: Difference between revisions
User:Apking/Web Security Guidelines (view source)
Revision as of 20:15, 24 February 2016
, 24 February 2016buncha tweaks
(more chart tweaks) |
(buncha tweaks) |
||
| Line 11: | Line 11: | ||
<ul style="padding-right: 1em;"> | <ul style="padding-right: 1em;"> | ||
<li>[[#Web Security Cheat Sheet|1 Cheat Sheet]] | <li>[[#Web Security Cheat Sheet|1 Cheat Sheet]] | ||
<li>[[#Transport Layer Security|2 Transport Layer Security]] | <li>[[#Transport Layer Security (TLS/SSL)|2 Transport Layer Security (TLS/SSL)]] | ||
<li> | <li> | ||
<ul> | <ul> | ||
| Line 176: | Line 176: | ||
<div style="max-width: 75em;"> | <div style="max-width: 75em;"> | ||
= Transport Layer Security = | = Transport Layer Security (TLS/SSL) = | ||
Transport Layer Security provides assurances about the confidentiality, authentication, and integrity of all communications both inside and outside of Mozilla. To protect our users and networked systems, the support and use of encrypted communications using TLS is mandatory for all systems. | |||
== HTTPS == | == HTTPS == | ||
Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]]. | Websites or API endpoints that only communicate with modern browsers and systems should use the [[Security/Server Side TLS#Modern compatibility|Mozilla modern TLS configuration]]. | ||
| Line 456: | Line 457: | ||
= Cross-origin Resource Sharing = | = Cross-origin Resource Sharing = | ||
<tt>Access-Control-Allow-Origin</tt> is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest. <tt> | <tt>Access-Control-Allow-Origin</tt> is an HTTP header that defines which foreign origins are allowed to access the content of pages on your domain via scripts using methods such as XMLHttpRequest. <tt>crossdomain.xml</tt> and <tt>clientaccesspolicy.xml</tt> provide similar functionality, but for Flash and Silverlight-based applications, respectively. | ||
These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, <em>only</em> the API resources should return the <tt>Access-Control-Allow-Origin</tt> header. Failure to do so will allow foreign origins to read the contents of any page on your origin. | These should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function. For example, if your server provides both a website and an API intended for XMLHttpRequest access on a remote websites, <em>only</em> the API resources should return the <tt>Access-Control-Allow-Origin</tt> header. Failure to do so will allow foreign origins to read the contents of any page on your origin. | ||