Hello there! As a web developer, I always strive to ensure that the websites I build are as secure as possible.
Therefore, I put together a checklist 📋 of 9 crucial measures that have been mandated by Mozilla in their Web Security guidelines for all websites and/or web applications.
Web developers should implement all the items in this checklist to ensure their websites are optimally secured. 🛡️
Please refer to my blog post linked below for the description, implementation details and examples of each. 📚
BTW, I'd love suggestions from the community! If you have more items that should be added to this list or would like to suggest changes for the existing ones, please mention them in the comments below and I will update the article with due credits (Twitter/Dev). 😃
Hypertext Transfer Protocol Secure (HTTPS) encrypts the data exchanged between the server and the client, which prevents man-in-the-middle attackers from reading or tampering with it. To use HTTPS, you need a TLS (SSL) certificate for your domain.
Installing an SSL certificate for your website is the first step, but not the last. To complete the procedure, there is one more step: set up a redirection from HTTP to HTTPS, so that visitors who arrive over plain HTTP are sent to the encrypted version of the site.
Resources are the media (images and videos), scripts, and style sheets that a website needs in order to function. Loading any of your website's resources over plain HTTP leaves it vulnerable to cyber attacks such as phishing. Apart from that, browsers like Chrome and Firefox will show Mixed Content warnings to your site's visitors.
HTTP Strict Transport Security (HSTS) is an HTTP response header that instructs user agents such as browsers to connect to the website only over HTTPS.
Content Security Policy (CSP) is an HTTP header used to specify the sources from which your website may fetch its resources. Web browsers use this policy to block requests for resources from any source other than the ones you specified.
A cookie is a small piece of data that stores information on the client's machine. Other than tracking visitors' web activity, cookies are used for session management, which is why securing your cookies is important for optimal web security. Mozilla has mandated that HTTP cookies be created with the Secure flag.
Clickjacking is a type of attack in which the victim website is loaded inside an iframe on another page. Websites can protect themselves from getting framed (literally) by using either the CSP frame-ancestors directive or the X-Frame-Options header.
This item is exclusively for APIs. The Access-Control-Allow-Origin header can be used to block unauthorized foreign access to resources on your origin/server. With this header you state which origins are allowed to access a particular resource that is being requested, and browsers block cross-origin access from any other origin.
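As an added example (not code from the original post), the following Python function audits a captured set of response headers against the header-based items in this checklist: HSTS, CSP, clickjacking protection, Secure cookies and CORS. The sample headers and the 180-day HSTS threshold are constructed assumptions.

```python
"""Audit HTTP response headers against the checklist items above (added example,
not code from the original post; the header values are constructed samples)."""
import re
# Constructed sample response headers (Set-Cookie can repeat, hence the list).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Set-Cookie": ["session=abc123; Secure; HttpOnly; SameSite=Lax",
                   "pref=dark; Path=/"],  # no Secure flag: will be flagged
    "Access-Control-Allow-Origin": "*",  # any origin may read the response
}
MIN_HSTS_AGE = 15552000  # 180 days; threshold chosen for this example


def audit_headers(headers, served_over_https=True):
    """Return {check: (passed, detail)} for the header-based checklist items."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}
    # HSTS is only honoured by browsers when it is received over HTTPS.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    age = int(m.group(1)) if m else 0
    results["hsts"] = (served_over_https and age >= MIN_HSTS_AGE, f"max-age={age}")
    # CSP: the header must be present to restrict resource sources at all.
    csp = h.get("content-security-policy", "")
    results["csp"] = (bool(csp.strip()), csp or "header missing")
    # Clickjacking: CSP frame-ancestors or X-Frame-Options DENY/SAMEORIGIN.
    xfo = h.get("x-frame-options", "").strip().upper()
    framed_ok = "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN")
    results["clickjacking"] = (framed_ok, f"x-frame-options={xfo or '-'}")
    # Cookies: every Set-Cookie must carry the Secure attribute.
    raw = h.get("set-cookie", [])
    cookies = [raw] if isinstance(raw, str) else list(raw)
    insecure = [c.split("=", 1)[0] for c in cookies
                if not re.search(r";\s*secure\s*(;|$)", c, re.I)]
    results["cookies"] = (not insecure, f"missing Secure: {insecure}")
    # CORS: a wildcard lets every origin read the resource; name origins instead.
    acao = h.get("access-control-allow-origin", "")
    results["cors"] = (acao != "*", f"Access-Control-Allow-Origin={acao or '-'}")
    return results


def failing_checks(headers, served_over_https=True):
    """Names of the checklist items the response fails, for quick reporting."""
    return [k for k, (ok, _) in audit_headers(headers, served_over_https).items() if not ok]


if __name__ == "__main__":
    for name, (ok, detail) in audit_headers(SAMPLE_HEADERS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```

On a live site, feed it the headers of a real response (for example from `requests` or `curl -I`); remember that Set-Cookie can appear several times, so collect every occurrence into the list.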
The post A Web Security Checklist For Creating Secure Websites appeared first on GeekyMinds.