Add Observatory docs to MDN #33793
Add Observatory docs to MDN #33793
Conversation
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…lls/content into add-observatory-docs-to-mdn
files/en-us/web/security/practical_implementation/clickjacking/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/clickjacking/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/clickjacking/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/referrer_policy/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/referrer_policy/index.md
Outdated
Show resolved
Hide resolved
…/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…x.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…x.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…icy/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…icy/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
|
|
||
| You are advised to use both strategies for websites that allow destructive changes such as account deletion. Anti-CRSF tokens are arguably unnecessary for other sites, although it is still advised to have `SameSite` set to a non-`None` value to help protect the user's [Privacy](/en-US/docs/Web/Privacy). | ||
|
|
||
| Most application frameworks have built-in CSRF tokenization to ease implementation. |
There was a problem hiding this comment.
I would add something like: "Make sure to check if your application frameworks have built-in CSRF protections. If that is the case, always use these and don't try to re-invent the wheel."
There was a problem hiding this comment.
Good idea. I ended up modifying the paragraph to:
Most application frameworks have built-in CSRF tokenization to ease implementation. Make sure to choose one that does, and don't try to reinvent the wheel.
| - `None` | ||
| - : Specifies that cookies are sent on both originating and cross-site requests. | ||
|
|
||
| You should set the strongest `SameSite` level that you can for your site to still work. Ideally never set `None` unless you really need to. Bear in mind that `Lax` is the default value if the header is not specified. |
There was a problem hiding this comment.
The OWASP cheatsheets are warning users when using SameSite cookies: “SameSite Cookie Attribute can be used for session cookies but be careful to NOT set a cookie specifically for a domain. This action introduces a security vulnerability because all subdomains of that domain will share the cookie, and this is particularly an issue if a subdomain has a CNAME to domains not in your control”. Should we integrate a similar warning in our doc as well?
There was a problem hiding this comment.
I started writing a note about it, and ended up with this:
Note:
SameSitecan be used for session cookies but DO NOT set a cookie across an entire domain. This introduces a security vulnerability because all subdomains of that domain will share the cookie. This is particularly an issue if a subdomain has a CNAME to domains not under your control.
But I'm not really sure I understand the logic behind it. Is this an issue only with setting SameSite cookies, and if so, why does SameSite cause this additional vulnerability? Or is it an issue with cookies in general, in which case might belong on the secure cookies page instead.
There was a problem hiding this comment.
This was more a question than a suggestion so I agree, I don't see the value of this warning in that context! No need to change anything, thanks!
|
|
||
| [Clickjacking](/en-US/docs/Glossary/Clickjacking) is an attack whereby malicious sites trick users into clicking links or UI elements by making them appear like a trusted site the user is familiar with. This is usually done by embedding part or all of the trusted site into the malicious site via an `<iframe>`. A button, link, or other UI feature is then positioned on top of that content to make the user think they are interacting with their trusted site, when in fact they are interacting with the malicious site. | ||
|
|
||
| ## Solution |
There was a problem hiding this comment.
For Clickjacking attacks that rely on the victim to be authenticated, another protection is to make sure SameSite cookies are set.
There was a problem hiding this comment.
Makes sense. I've added information about it on this page, and the secure cookies page.
|
|
||
| [Clickjacking](/en-US/docs/Glossary/Clickjacking) is an attack whereby malicious sites trick users into clicking links or UI elements by making them appear like a trusted site the user is familiar with. This is usually done by embedding part or all of the trusted site into the malicious site via an `<iframe>`. A button, link, or other UI feature is then positioned on top of that content to make the user think they are interacting with their trusted site, when in fact they are interacting with the malicious site. | ||
|
|
||
| ## Solution |
There was a problem hiding this comment.
We should add a window.confirm() protection option as well: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html#windowconfirm-protection
There was a problem hiding this comment.
I've added mention of it to the bottom paragraph, as it is relevant there.
| Content-Security-Policy: frame-ancestors https://example.org | ||
| # Block embedding in browsers that don't support CSP2 | ||
| X-Frame-Options: DENY | ||
| ``` |
There was a problem hiding this comment.
Let's add a “See also” section with the following links:
There was a problem hiding this comment.
Good recommendations, thanks! Added in next commit.
| | [TLS configuration](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#tls_configuration) | Medium | Medium | Yes | Use the most secure [Transport Layer Security](/en-US/docs/Glossary/TLS) (TLS) configuration available for your user base. | | ||
| | [Resource loading](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#resource_loading) | Maximum | Low | Yes | Load both passive and active resources via HTTPS. | | ||
| | [HTTP redirection](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_redirections) | Maximum | Low | Yes | Websites must redirect to HTTPS; API endpoints should disable HTTP entirely. | | ||
| | [HSTS implementation](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security_implementation) | High | Low | Yes | Notify user agents to connect to sites only over HTTPS, even if the original scheme chosen was HTTP, using HTTP Strict transport security (HSTS). | |
There was a problem hiding this comment.
I saw your previous comment about this one. WDYT about:
| | [HSTS implementation](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security_implementation) | High | Low | Yes | Notify user agents to connect to sites only over HTTPS, even if the original scheme chosen was HTTP, using HTTP Strict transport security (HSTS). | | |
| | [HSTS implementation](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security_implementation) | High | Low | Yes | Use HTTP Strict transport security (HSTS) to notify browsers to connect to sites only over HTTPS, even if the original scheme chosen was HTTP. | |
There was a problem hiding this comment.
I know your version is strictly speaking more grammatically correct, but "... to ... to ... to ..." is a bit horrible to read.
There was a problem hiding this comment.
Ah, didn't notice the close proximity of "to"s but doesn't seem too bad to me readability-wise
files/en-us/web/security/practical_implementation_guides/clickjacking/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/cors/index.md
Outdated
Show resolved
Hide resolved
|
|
||
| The guides are listed in the order that we recommend they are implemented. This order is based on a combination of security impact and ease of implementation from an operational and developmental perspective. | ||
|
|
||
| | Guide | Impact | Difficulty | Required | Summary | |
There was a problem hiding this comment.
My preference is to use only the acronym in the sidebar (short-title) and the expanded title on the page, so:
title: Cross-Origin Resource Sharing (CORS) configuration
short-title: CORS configuration
One of the things this can help with is that when you're on the landing page, you can quickly match up the guides from the table's first column to those in the sidebar. At the moment, you need to parse the titles in the sidebar a bit.
With both the expanded form and acronym in the page title, the page will still be searchable in the "Quick Search" field using either the long form or acronym.
But I'll leave it to you to make the call. The glossary pages have acronyms in the sidebar - I don't know if we have a strict guideline or any guideline around this.
|
This pull request has merge conflicts that must be resolved before it can be merged. |
@dipikabh the problem with this is that short titles don't work with this type of sidebar (I think they only work in API sidebars). I tried this out the first time around when I noticed the titles were a bit long in the sidebar. |
files/en-us/web/security/practical_implementation_guides/csrf_prevention/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/tls/index.md
Outdated
Show resolved
Hide resolved
…prevention/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…ndex.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
files/en-us/web/security/practical_implementation_guides/csp/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/robots_txt/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/tls/index.md
Outdated
Show resolved
Hide resolved
| | [TLS configuration](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#tls_configuration) | Medium | Medium | Yes | Use the most secure [Transport Layer Security](/en-US/docs/Glossary/TLS) (TLS) configuration available for your user base. | | ||
| | [Resource loading](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#resource_loading) | Maximum | Low | Yes | Load both passive and active resources via HTTPS. | | ||
| | [HTTP redirection](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_redirections) | Maximum | Low | Yes | Websites must redirect to HTTPS; API endpoints should disable HTTP entirely. | | ||
| | [HSTS implementation](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security_implementation) | High | Low | Yes | Notify user agents to connect to sites only over HTTPS, even if the original scheme chosen was HTTP, using HTTP Strict transport security (HSTS). | |
There was a problem hiding this comment.
Ah, didn't notice the close proximity of "to"s but doesn't seem too bad to me readability-wise
There was a problem hiding this comment.
Preview pages for the last few files did not update, I am guessing because of an incomplete check (check-redirects).
I'm going by your updates/responses and the overall content is looking in good shape. Leaving my +1 here. Let me know if you need me to check anything again. Thanks @chrisdavidmills!
| Use `robots.txt` to reduce website load and stop unsuitable content appearing in search results. | ||
|
|
||
| Using `robots.txt` is optional and sites should use it only for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent these sites from appearing in search engine results, it does not secure websites against attackers who can still determine such details because `robots.txt` is publicly accessible. |
There was a problem hiding this comment.
Nit: WDYT about moving around the sentences a bit. The part that it doesn't secure websites should stand out on it's own, possibly can even be highlighted as a note.
| Use `robots.txt` to reduce website load and stop unsuitable content appearing in search results. | |
| Using `robots.txt` is optional and sites should use it only for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent these sites from appearing in search engine results, it does not secure websites against attackers who can still determine such details because `robots.txt` is publicly accessible. | |
| Use `robots.txt` to reduce website load and stop unsuitable content appearing in search results. Using this file is optional and sites should use it only for these purposes. Don't use `robots.txt` as a way to prevent the disclosure of private information or to hide portions of a website. | |
| While using this file can prevent these sites from appearing in search engine results, it does not secure websites against attackers who can still determine such details because `robots.txt` is publicly accessible. |
|
|
||
| ## See also | ||
|
|
||
| - [About /robots.txt](https://www.robotstxt.org/robotstxt.html) on `robotstxt.org`. |
There was a problem hiding this comment.
| - [About /robots.txt](https://www.robotstxt.org/robotstxt.html) on `robotstxt.org`. | |
| - [About /robots.txt](https://www.robotstxt.org/robotstxt.html) on `robotstxt.org` |
| - `Domain` | ||
| - : Cookies should only have a `Domain` set if they need to be accessible on other domains; this should be set to the most restrictive domain possible. | ||
| - `Path` | ||
| - : Cookies should be set to the most restrictive `Path` possible; for most applications, this will be set to the root directory. |
There was a problem hiding this comment.
| - : Cookies should be set to the most restrictive `Path` possible; for most applications, this will be set to the root directory. | |
| - : Cookies should be set to the most restrictive `Path` possible. |
This line is a bit confusing as it starts by saying to set Path to the most restrictive value, but then follows by saying that most of the time it's set to the root directory which is the least restrictive value.
|
|
||
| ## Problem | ||
|
|
||
| Cookies often contain session identifiers or other sensitive information. Unwanted access to cookies, therefore, can cause a host of problems, including [privacy](/en-US/docs/Web/Privacy) issues, ({{Glossary("Cross-site_scripting", "Cross-site scripting (XSS)")}}) attacks, Cross-site request forgery ([CSRF](/en-US/docs/Glossary/CSRF)) attacks, and more. |
There was a problem hiding this comment.
This phrase
Unwanted access to cookies, therefore, can cause a host of problem
is confusing to me. Maybe change Unwanted to Unauthorized?
| - `Path` | ||
| - : Cookies should be set to the most restrictive `Path` possible; for most applications, this will be set to the root directory. | ||
| - `SameSite` | ||
| - : Forbid sending the cookie via cross-origin requests (for example from {{htmlelement("img")}} element), as a strong [anti-CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) measure. `SameSite` is also useful in protecting against [Clickjacking](/en-US/docs/Glossary/Clickjacking) attacks, in cases that rely on the user being authenticated. You should use one of the following two values: |
There was a problem hiding this comment.
| - : Forbid sending the cookie via cross-origin requests (for example from {{htmlelement("img")}} element), as a strong [anti-CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) measure. `SameSite` is also useful in protecting against [Clickjacking](/en-US/docs/Glossary/Clickjacking) attacks, in cases that rely on the user being authenticated. You should use one of the following two values: | |
| - : Forbid sending the cookie via cross-origin requests (for example from an {{htmlelement("img")}} element), as a strong [anti-CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) measure by setting `SameSite` to `Strict`. `SameSite` is also useful in protecting against [Clickjacking](/en-US/docs/Glossary/Clickjacking) attacks, in cases that rely on the user being authenticated. You should use one of the following two values: |
| Disallow: / | ||
| ``` | ||
|
|
||
| Hide certain directories (this is not recommended): |
There was a problem hiding this comment.
Can we add details as to why it's bad to hide certain directories from a crawler but not the entire site? I don't know the "why" behind this.
|
|
||
| ## Problem | ||
|
|
||
| Attackers can modify the contents of JavaScript libraries hosted on content delivery networks (CDNs), creating vulnerabilities in all websites that use these libraries. |
There was a problem hiding this comment.
| Attackers can modify the contents of JavaScript libraries hosted on content delivery networks (CDNs), creating vulnerabilities in all websites that use these libraries. | |
| If an attacker exploited a content delivery network (CDN) and modified the contents of JavaScript libraries hosted on that CDN, it would create vulnerabilities in all websites that use those libraries. |
|
|
||
| ### Solution | ||
|
|
||
| HTTP [`Strict-Transport-Security`](/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS) is an HTTP header that notifies browsers to connect to a given site only over HTTPS, even if the originally specified scheme was HTTP. Browsers with HSTS set for a given site will automatically upgrade all requests to HTTPS. HSTS also tells browsers to treat TLS and certificate-related errors more strictly by disabling the ability to bypass the error page. |
There was a problem hiding this comment.
| HTTP [`Strict-Transport-Security`](/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS) is an HTTP header that notifies browsers to connect to a given site only over HTTPS, even if the originally specified scheme was HTTP. Browsers with HSTS set for a given site will automatically upgrade all requests to HTTPS. HSTS also tells browsers to treat TLS and certificate-related errors more strictly by disabling the ability to bypass the error page. | |
| HTTP [`Strict-Transport-Security`](/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS) is an HTTP header that notifies browsers to connect to a given site only over HTTPS, even if the originally specified scheme was HTTP. Browsers with HSTS set for a given site will automatically upgrade all requests to HTTPS for that site. HSTS also tells browsers to treat TLS and certificate-related errors more strictly by disabling the ability to bypass the certificate error page. |
| - `max-age` | ||
| - : Sets the duration, in seconds, for which browsers will redirect to HTTPS. | ||
| - `includeSubDomains` {{optional_inline}} | ||
| - : Specifies whether browsers should upgrade requests on all subdomains to HTTPS. For example, setting `includeSubDomains` on `domain.example.com` will ensure that requests to `host1.domain.example.com` and `host2.domain.example.com` are upgraded. |
There was a problem hiding this comment.
| - : Specifies whether browsers should upgrade requests on all subdomains to HTTPS. For example, setting `includeSubDomains` on `domain.example.com` will ensure that requests to `host1.domain.example.com` and `host2.domain.example.com` are upgraded. | |
| - : Specifies whether browsers should upgrade requests on all subdomains to HTTPS. For example, setting `includeSubDomains` on `domain.example.com` will ensure that requests to `host1.domain.example.com` and `host2.domain.example.com` are also upgraded in addition to `domain.example.com`. |
| - `includeSubDomains` {{optional_inline}} | ||
| - : Specifies whether browsers should upgrade requests on all subdomains to HTTPS. For example, setting `includeSubDomains` on `domain.example.com` will ensure that requests to `host1.domain.example.com` and `host2.domain.example.com` are upgraded. | ||
| - `preload` {{optional_inline}} | ||
| - : Specifies whether the site should be preloaded. Including this directive means your site will be included in the [HSTS preload list](https://hstspreload.org/). |
There was a problem hiding this comment.
| - : Specifies whether the site should be preloaded. Including this directive means your site will be included in the [HSTS preload list](https://hstspreload.org/). | |
| - : Specifies whether the site should be preloaded. Including this directive means your site can be included in the [HSTS preload list](https://hstspreload.org/). |
|
|
||
| 1. Set a `max-age` value of at least six months (`15768000`). Longer periods, such as two years (`63072000`), are recommended. Once this value is set, the site must continue to support HTTPS until the expiry time is reached. | ||
| 2. If possible, set `includeSubDomains` to improve security on all subdomains. Careful testing is needed when setting this directive because it could disable sites on subdomains that don't yet have HTTPS enabled. | ||
| 3. If possible, set `preload` to include your website in the [HSTS preload list](https://hstspreload.org/). Web browsers will perform HTTPS upgrades to preloaded sites before receiving the initial `Strict-Transport-Security` header. This prevents [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) upon first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list also requires `includeSubDomains` to be set and `max-age` to be set to a minimum of 1 year (`31536000`). |
There was a problem hiding this comment.
| 3. If possible, set `preload` to include your website in the [HSTS preload list](https://hstspreload.org/). Web browsers will perform HTTPS upgrades to preloaded sites before receiving the initial `Strict-Transport-Security` header. This prevents [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) upon first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list also requires `includeSubDomains` to be set and `max-age` to be set to a minimum of 1 year (`31536000`). | |
| 3. If possible, set `preload` to make it possible to include your website in the [HSTS preload list](https://hstspreload.org/). Web browsers will perform HTTPS upgrades to preloaded sites before receiving the initial `Strict-Transport-Security` header. This prevents [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) upon first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list also requires `includeSubDomains` to be set and `max-age` to be set to a minimum of 1 year (`31536000`). |
Just adding preload to your HSTS header doesn't add you to the preload list, you still have to submit your site to the form.
|
|
||
| {{QuickLinksWithSubpages("/en-US/docs/Web/Security")}} | ||
|
|
||
| Users frequently input sensitive data on websites, such as names, addresses, and banking details. As a web developer, it's crucial to protect this information from bad actors who use a wide range of exploits to steal such information and use it for personal gain. The focus of [web security](/en-US/docs/Web/Security) is to help you protect your website against these exploits and secure your users' sensitive data. |
There was a problem hiding this comment.
| Users frequently input sensitive data on websites, such as names, addresses, and banking details. As a web developer, it's crucial to protect this information from bad actors who use a wide range of exploits to steal such information and use it for personal gain. The focus of [web security](/en-US/docs/Web/Security) is to help you protect your website against these exploits and secure your users' sensitive data. | |
| Users frequently input sensitive data on websites, such as names, addresses, passwords and banking details. As a web developer, it's crucial to protect this information from bad actors who use a wide range of exploits to steal such information and use it for personal gain. The focus of [web security](/en-US/docs/Web/Security) is to help you protect your website against these exploits and secure your users' sensitive data. |
Description
Mozilla Observatory is being moved to MDN. This PR adds the accompanying cheat sheet docs to MDN, and restructures the existing security docs to make space for them.
Motivation
Additional details
See mdn/mdn#548 for the MDN project tracking item.
Related issues and pull requests