Add Observatory docs to MDN #33793
Open
Add Observatory docs to MDN #33793
+1,041
−234
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…lls/content into add-observatory-docs-to-mdn
files/en-us/web/security/practical_implementation/clickjacking/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/clickjacking/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/clickjacking/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/cookies/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/referrer_policy/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation/referrer_policy/index.md
Outdated
Show resolved
Hide resolved
…/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…x.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…x.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…icy/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…icy/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
|
This pull request has merge conflicts that must be resolved before it can be merged. |
@dipikabh the problem with this is that short titles don't work with this type of sidebar (I think they only work in API sidebars). I tried this out the first time around when I noticed the titles were a bit long in the sidebar. |
files/en-us/web/security/practical_implementation_guides/csrf_prevention/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/tls/index.md
Outdated
Show resolved
Hide resolved
…prevention/index.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…ndex.md Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
dipikabh
reviewed
Jun 17, 2024
files/en-us/web/security/practical_implementation_guides/csp/index.md
Outdated
Show resolved
Hide resolved
files/en-us/web/security/practical_implementation_guides/robots_txt/index.md
Outdated
Show resolved
Hide resolved
dipikabh
reviewed
Jun 17, 2024
files/en-us/web/security/practical_implementation_guides/tls/index.md
Outdated
Show resolved
Hide resolved
| | [TLS configuration](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#tls_configuration) | Medium | Medium | Yes | Use the most secure [Transport Layer Security](/en-US/docs/Glossary/TLS) (TLS) configuration available for your user base. | | ||
| | [Resource loading](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#resource_loading) | Maximum | Low | Yes | Load both passive and active resources via HTTPS. | | ||
| | [HTTP redirection](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_redirections) | Maximum | Low | Yes | Websites must redirect to HTTPS; API endpoints should disable HTTP entirely. | | ||
| | [HSTS implementation](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security_implementation) | High | Low | Yes | Notify user agents to connect to sites only over HTTPS, even if the original scheme chosen was HTTP, using HTTP Strict transport security (HSTS). | |
There was a problem hiding this comment.
Ah, didn't notice the close proximity of "to"s but doesn't seem too bad to me readability-wise
dipikabh
approved these changes
Jun 17, 2024
There was a problem hiding this comment.
Preview pages for the last few files did not update, I am guessing because of an incomplete check (check-redirects).
I'm going by your updates/responses and the overall content is looking in good shape. Leaving my +1 here. Let me know if you need me to check anything again. Thanks @chrisdavidmills!
dipikabh
reviewed
Jun 17, 2024
dipikabh
reviewed
Jun 18, 2024
Comment on lines
17
to
19
| Use `robots.txt` to reduce website load and stop unsuitable content appearing in search results. | ||
|
|
||
| Using `robots.txt` is optional and sites should use it only for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent these sites from appearing in search engine results, it does not secure websites against attackers who can still determine such details because `robots.txt` is publicly accessible. |
There was a problem hiding this comment.
Nit: WDYT about moving around the sentences a bit. The part that it doesn't secure websites should stand out on it's own, possibly can even be highlighted as a note.
Suggested change
| Use `robots.txt` to reduce website load and stop unsuitable content appearing in search results. | |
| Using `robots.txt` is optional and sites should use it only for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent these sites from appearing in search engine results, it does not secure websites against attackers who can still determine such details because `robots.txt` is publicly accessible. | |
| Use `robots.txt` to reduce website load and stop unsuitable content appearing in search results. Using this file is optional and sites should use it only for these purposes. Don't use `robots.txt` as a way to prevent the disclosure of private information or to hide portions of a website. | |
| While using this file can prevent these sites from appearing in search engine results, it does not secure websites against attackers who can still determine such details because `robots.txt` is publicly accessible. |
dipikabh
reviewed
Jun 18, 2024
files/en-us/web/security/practical_implementation_guides/robots_txt/index.md
Outdated
Show resolved
Hide resolved
gene1wood
reviewed
Jun 18, 2024
| - `Domain` | ||
| - : Cookies should only have a `Domain` set if they need to be accessible on other domains; this should be set to the most restrictive domain possible. | ||
| - `Path` | ||
| - : Cookies should be set to the most restrictive `Path` possible; for most applications, this will be set to the root directory. |
There was a problem hiding this comment.
Suggested change
| - : Cookies should be set to the most restrictive `Path` possible; for most applications, this will be set to the root directory. | |
| - : Cookies should be set to the most restrictive `Path` possible. |
This line is a bit confusing as it starts by saying to set Path to the most restrictive value, but then follows by saying that most of the time it's set to the root directory which is the least restrictive value.
There was a problem hiding this comment.
Agreed that this is confusingly-phased. I have made this change in my next commit.
|
|
||
| ## Problem | ||
|
|
||
| Cookies often contain session identifiers or other sensitive information. Unwanted access to cookies, therefore, can cause a host of problems, including [privacy](/en-US/docs/Web/Privacy) issues, ({{Glossary("Cross-site_scripting", "Cross-site scripting (XSS)")}}) attacks, Cross-site request forgery ([CSRF](/en-US/docs/Glossary/CSRF)) attacks, and more. |
There was a problem hiding this comment.
This phrase
Unwanted access to cookies, therefore, can cause a host of problem
is confusing to me. Maybe change Unwanted to Unauthorized?
There was a problem hiding this comment.
This is much clearer; updated. Thanks!
| - `Path` | ||
| - : Cookies should be set to the most restrictive `Path` possible; for most applications, this will be set to the root directory. | ||
| - `SameSite` | ||
| - : Forbid sending the cookie via cross-origin requests (for example from {{htmlelement("img")}} element), as a strong [anti-CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) measure. `SameSite` is also useful in protecting against [Clickjacking](/en-US/docs/Glossary/Clickjacking) attacks, in cases that rely on the user being authenticated. You should use one of the following two values: |
There was a problem hiding this comment.
Suggested change
| - : Forbid sending the cookie via cross-origin requests (for example from {{htmlelement("img")}} element), as a strong [anti-CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) measure. `SameSite` is also useful in protecting against [Clickjacking](/en-US/docs/Glossary/Clickjacking) attacks, in cases that rely on the user being authenticated. You should use one of the following two values: | |
| - : Forbid sending the cookie via cross-origin requests (for example from an {{htmlelement("img")}} element), as a strong [anti-CSRF](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) measure by setting `SameSite` to `Strict`. `SameSite` is also useful in protecting against [Clickjacking](/en-US/docs/Glossary/Clickjacking) attacks, in cases that rely on the user being authenticated. You should use one of the following two values: |
There was a problem hiding this comment.
I've made a couple of updates here, but I've not added "by setting SameSite to Strict" — the end of the paragraph and the following sub-bullets detail which values to use.
Are you saying you think it should always be set to Strict? I thought Lax was OK if Strict caused problems?
| Disallow: / | ||
| ``` | ||
|
|
||
| Hide certain directories (this is not recommended): |
There was a problem hiding this comment.
Can we add details as to why it's bad to hide certain directories from a crawler but not the entire site? I don't know the "why" behind this.
There was a problem hiding this comment.
I've looked into this a bit more, and improved the content of the "Solution" section to make this clearer:
Using
robots.txtis optional and sites should use it only for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent pages from appearing in search engine results, it does not secure websites against attackers. In fact, it can help them:robots.txtis publicly accessible, and by adding your sensitive page paths to it, you are showing attackers exactly where they are.Also be aware that some robots will ignore your
robots.txtfile, for example, malware robots and email address harvesters.
|
|
||
| ## Problem | ||
|
|
||
| Attackers can modify the contents of JavaScript libraries hosted on content delivery networks (CDNs), creating vulnerabilities in all websites that use these libraries. |
There was a problem hiding this comment.
Suggested change
| Attackers can modify the contents of JavaScript libraries hosted on content delivery networks (CDNs), creating vulnerabilities in all websites that use these libraries. | |
| If an attacker exploited a content delivery network (CDN) and modified the contents of JavaScript libraries hosted on that CDN, it would create vulnerabilities in all websites that use those libraries. |
|
|
||
| ### Solution | ||
|
|
||
| HTTP [`Strict-Transport-Security`](/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS) is an HTTP header that notifies browsers to connect to a given site only over HTTPS, even if the originally specified scheme was HTTP. Browsers with HSTS set for a given site will automatically upgrade all requests to HTTPS. HSTS also tells browsers to treat TLS and certificate-related errors more strictly by disabling the ability to bypass the error page. |
There was a problem hiding this comment.
Suggested change
| HTTP [`Strict-Transport-Security`](/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS) is an HTTP header that notifies browsers to connect to a given site only over HTTPS, even if the originally specified scheme was HTTP. Browsers with HSTS set for a given site will automatically upgrade all requests to HTTPS. HSTS also tells browsers to treat TLS and certificate-related errors more strictly by disabling the ability to bypass the error page. | |
| HTTP [`Strict-Transport-Security`](/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security) (HSTS) is an HTTP header that notifies browsers to connect to a given site only over HTTPS, even if the originally specified scheme was HTTP. Browsers with HSTS set for a given site will automatically upgrade all requests to HTTPS for that site. HSTS also tells browsers to treat TLS and certificate-related errors more strictly by disabling the ability to bypass the certificate error page. |
| - `max-age` | ||
| - : Sets the duration, in seconds, for which browsers will redirect to HTTPS. | ||
| - `includeSubDomains` {{optional_inline}} | ||
| - : Specifies whether browsers should upgrade requests on all subdomains to HTTPS. For example, setting `includeSubDomains` on `domain.example.com` will ensure that requests to `host1.domain.example.com` and `host2.domain.example.com` are upgraded. |
There was a problem hiding this comment.
Suggested change
| - : Specifies whether browsers should upgrade requests on all subdomains to HTTPS. For example, setting `includeSubDomains` on `domain.example.com` will ensure that requests to `host1.domain.example.com` and `host2.domain.example.com` are upgraded. | |
| - : Specifies whether browsers should upgrade requests on all subdomains to HTTPS. For example, setting `includeSubDomains` on `domain.example.com` will ensure that requests to `host1.domain.example.com` and `host2.domain.example.com` are also upgraded in addition to `domain.example.com`. |
| - `includeSubDomains` {{optional_inline}} | ||
| - : Specifies whether browsers should upgrade requests on all subdomains to HTTPS. For example, setting `includeSubDomains` on `domain.example.com` will ensure that requests to `host1.domain.example.com` and `host2.domain.example.com` are upgraded. | ||
| - `preload` {{optional_inline}} | ||
| - : Specifies whether the site should be preloaded. Including this directive means your site will be included in the [HSTS preload list](https://hstspreload.org/). |
There was a problem hiding this comment.
Suggested change
| - : Specifies whether the site should be preloaded. Including this directive means your site will be included in the [HSTS preload list](https://hstspreload.org/). | |
| - : Specifies whether the site should be preloaded. Including this directive means your site can be included in the [HSTS preload list](https://hstspreload.org/). |
|
|
||
| 1. Set a `max-age` value of at least six months (`15768000`). Longer periods, such as two years (`63072000`), are recommended. Once this value is set, the site must continue to support HTTPS until the expiry time is reached. | ||
| 2. If possible, set `includeSubDomains` to improve security on all subdomains. Careful testing is needed when setting this directive because it could disable sites on subdomains that don't yet have HTTPS enabled. | ||
| 3. If possible, set `preload` to include your website in the [HSTS preload list](https://hstspreload.org/). Web browsers will perform HTTPS upgrades to preloaded sites before receiving the initial `Strict-Transport-Security` header. This prevents [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) upon first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list also requires `includeSubDomains` to be set and `max-age` to be set to a minimum of 1 year (`31536000`). |
There was a problem hiding this comment.
Suggested change
| 3. If possible, set `preload` to include your website in the [HSTS preload list](https://hstspreload.org/). Web browsers will perform HTTPS upgrades to preloaded sites before receiving the initial `Strict-Transport-Security` header. This prevents [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) upon first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list also requires `includeSubDomains` to be set and `max-age` to be set to a minimum of 1 year (`31536000`). | |
| 3. If possible, set `preload` to make it possible to include your website in the [HSTS preload list](https://hstspreload.org/). Web browsers will perform HTTPS upgrades to preloaded sites before receiving the initial `Strict-Transport-Security` header. This prevents [downgrade attacks](https://en.wikipedia.org/wiki/Downgrade_attack) upon first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list also requires `includeSubDomains` to be set and `max-age` to be set to a minimum of 1 year (`31536000`). |
Just adding preload to your HSTS header doesn't add you to the preload list, you still have to submit your site to the form.
There was a problem hiding this comment.
Thanks for clarifying that; I wanted to make that clear, but the site wasn't exactly clear about what was required. I have implemented your change and updated the bullet further, to:
- If possible, set
preloadto make it possible to include your website in the HSTS preload list. To add it to the list, visit https://hstspreload.org/ and enter your site URL into the form at the top of the page, fixing any issues that it mentions. Web browsers will perform HTTPS upgrades to preloaded sites before receiving the initialStrict-Transport-Securityheader. This prevents downgrade attacks upon first use and is recommended for all high-risk websites. Note that being included in the HSTS preload list also requiresincludeSubDomainsto be set andmax-ageto be set to a minimum of 1 year (31536000).
Does this sound OK?
|
|
||
| {{QuickLinksWithSubpages("/en-US/docs/Web/Security")}} | ||
|
|
||
| Users frequently input sensitive data on websites, such as names, addresses, and banking details. As a web developer, it's crucial to protect this information from bad actors who use a wide range of exploits to steal such information and use it for personal gain. The focus of [web security](/en-US/docs/Web/Security) is to help you protect your website against these exploits and secure your users' sensitive data. |
There was a problem hiding this comment.
Suggested change
| Users frequently input sensitive data on websites, such as names, addresses, and banking details. As a web developer, it's crucial to protect this information from bad actors who use a wide range of exploits to steal such information and use it for personal gain. The focus of [web security](/en-US/docs/Web/Security) is to help you protect your website against these exploits and secure your users' sensitive data. | |
| Users frequently input sensitive data on websites, such as names, addresses, passwords and banking details. As a web developer, it's crucial to protect this information from bad actors who use a wide range of exploits to steal such information and use it for personal gain. The focus of [web security](/en-US/docs/Web/Security) is to help you protect your website against these exploits and secure your users' sensitive data. |
|
@gene1wood thanks for the review! I've fixed most things, but just had a few comments asking for clarification on a few points. |
dipikabh
requested changes
Jun 19, 2024
| | [TLS configuration](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#tls_configuration) | Medium | Medium | Yes | Use the most secure [Transport Layer Security](/en-US/docs/Glossary/TLS) (TLS) configuration available for your user base. | | ||
| | TLS: [Resource loading](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#resource_loading) | Maximum | Low | Yes | Load both passive and active resources via HTTPS. | | ||
| | TLS: [HTTP redirection](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_redirection) | Maximum | Low | Yes | Websites must redirect to HTTPS; API endpoints should disable HTTP entirely. | | ||
| | TLS: [HSTS implementation](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security_implementation) | High | Low | Yes | Notify user agents to connect to sites only over HTTPS, even if the original scheme chosen was HTTP, using HTTP Strict transport security (HSTS). | |
There was a problem hiding this comment.
Suggested change
| | TLS: [HSTS implementation](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security_implementation) | High | Low | Yes | Notify user agents to connect to sites only over HTTPS, even if the original scheme chosen was HTTP, using HTTP Strict transport security (HSTS). | | |
| | TLS: [HSTS implementation](/en-US/docs/Web/Security/Practical_implementation_guides/TLS#http_strict_transport_security_implementation) | High | Low | Yes | Notify user agents to connect to sites only over HTTPS, even if the original scheme chosen was HTTP, by using HTTP Strict transport security (HSTS). | |
| | [Clickjacking prevention](/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking) | High | Low | Yes | Control how your site may be framed within an {{htmlelement("iframe")}} to prevent [clickjacking](/en-US/docs/Glossary/Clickjacking). | | ||
| | [CSRF prevention](/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention) | High | Unknown | Varies | Protect against [Cross-site request forgery](/en-US/docs/Glossary/CSRF) (CSRF) using `SameSite` cookies and anti-CSRF tokens. | | ||
| | [Secure cookie configuration](/en-US/docs/Web/Security/Practical_implementation_guides/Cookies) | High | Medium | Yes | Set all cookies as restrictively as possible. | | ||
| | [CORP implementation](/en-US/docs/Web/Security/Practical_implementation_guides/CORP) | High | Medium | Yes | Protect against speculative side-channel attacks using Cross-Origin Resource Policy (CORP). | |
There was a problem hiding this comment.
Suggested change
| | [CORP implementation](/en-US/docs/Web/Security/Practical_implementation_guides/CORP) | High | Medium | Yes | Protect against speculative side-channel attacks using Cross-Origin Resource Policy (CORP). | | |
| | [CORP implementation](/en-US/docs/Web/Security/Practical_implementation_guides/CORP) | High | Medium | Yes | Protect against speculative side-channel attacks by using Cross-Origin Resource Policy (CORP). | |
| | [CORP implementation](/en-US/docs/Web/Security/Practical_implementation_guides/CORP) | High | Medium | Yes | Protect against speculative side-channel attacks using Cross-Origin Resource Policy (CORP). | | ||
| | [MIME type verification](/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types) | Low | Low | No | Verify that all your websites are setting the proper [MIME types](/en-US/docs/Glossary/MIME_type) for all resources. | | ||
| | [CSP implementation](/en-US/docs/Web/Security/Practical_implementation_guides/CSP) | High | High | Yes | Provide fine-grained control over where site resources can be loaded from with [Content Security Policy](/en-US/docs/Glossary/CSP) (CSP). | | ||
| | [CORS configuration](/en-US/docs/Web/Security/Practical_implementation_guides/CORS) | High | Low | Yes | Define which non-same origins are allowed to access the content of pages and have resources loaded from them with [Cross-Origin Resource Sharing](/en-US/docs/Glossary/CORS) (CORS). | |
There was a problem hiding this comment.
Suggested change
| | [CORS configuration](/en-US/docs/Web/Security/Practical_implementation_guides/CORS) | High | Low | Yes | Define which non-same origins are allowed to access the content of pages and have resources loaded from them with [Cross-Origin Resource Sharing](/en-US/docs/Glossary/CORS) (CORS). | | |
| | [CORS configuration](/en-US/docs/Web/Security/Practical_implementation_guides/CORS) | High | Low | Yes | Define the non-same origins that are allowed to access the content of pages and have resources loaded from them by using [Cross-Origin Resource Sharing](/en-US/docs/Glossary/CORS) (CORS). | |
| | [CORS configuration](/en-US/docs/Web/Security/Practical_implementation_guides/CORS) | High | Low | Yes | Define which non-same origins are allowed to access the content of pages and have resources loaded from them with [Cross-Origin Resource Sharing](/en-US/docs/Glossary/CORS) (CORS). | | ||
| | [Referrer policy configuration](/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy) | Low | Low | Yes | Improve privacy for users and prevent leaking of internal URLs via the {{httpheader("Referer")}} header. | | ||
| | [robots.txt configuration](/en-US/docs/Web/Security/Practical_implementation_guides/Robots_txt) | Low | Low | No | Tell robots (such as search engine indexers) how to behave by instructing them not to crawl certain paths on the website. | | ||
| | [SRI implementation](/en-US/docs/Web/Security/Practical_implementation_guides/SRI) | Low | Low | No | Verify that fetched resources (for example, from a CDN) are delivered without unexpected manipulation using [Subresource Integrity](/en-US/docs/Glossary/SRI) (SRI). | |
There was a problem hiding this comment.
Suggested change
| | [SRI implementation](/en-US/docs/Web/Security/Practical_implementation_guides/SRI) | Low | Low | No | Verify that fetched resources (for example, from a CDN) are delivered without unexpected manipulation using [Subresource Integrity](/en-US/docs/Glossary/SRI) (SRI). | | |
| | [SRI implementation](/en-US/docs/Web/Security/Practical_implementation_guides/SRI) | Low | Low | No | Verify that fetched resources (for example, from a CDN) are delivered without unexpected manipulation by using [Subresource Integrity](/en-US/docs/Glossary/SRI) (SRI). | |
|
|
||
| This page lists guides that detail the best practices for implementing security features on websites. While these guides do not cover all possible security scenarios and cannot guarantee complete security of your website, following the information and best practices in these guides will make your sites significantly more secure. | ||
|
|
||
| ## Content security fundamentals |
There was a problem hiding this comment.
Sorry, coming back to these headings. Currently, the H2s seem a bit non-parallel:
# Practical security implementation guides
## Content security fundamentals
## User information security
WDYT about these H2s:
# Practical security implementation guides
## Fundamentals of securing website content
## Securing user information
or
# Practical security implementation guides
## Securing website content
## Securing user information
|
|
||
| ## Solution | ||
|
|
||
| Use `Cross-Origin-Resource-Policy` to block [`no-cors`](/en-US/docs/Web/API/fetch#mode) cross-origin and/or cross-site requests to the given resource. Use the most restrictive value possible for your site: `same-site` or `same-origin` are recommended. |
There was a problem hiding this comment.
Suggested change
| Use `Cross-Origin-Resource-Policy` to block [`no-cors`](/en-US/docs/Web/API/fetch#mode) cross-origin and/or cross-site requests to the given resource. Use the most restrictive value possible for your site: `same-site` or `same-origin` are recommended. | |
| Use `Cross-Origin-Resource-Policy` to block [`no-cors`](/en-US/docs/Web/API/fetch#mode) cross-origin and/or cross-site requests to the given resource. Use the most restrictive value possible for your site; `same-origin` or `same-site` is recommended. |
|
|
||
| Use `Cross-Origin-Resource-Policy` to block [`no-cors`](/en-US/docs/Web/API/fetch#mode) cross-origin and/or cross-site requests to the given resource. Use the most restrictive value possible for your site: `same-site` or `same-origin` are recommended. | ||
|
|
||
| As this policy is expressed via a response header, the actual request is not prevented — rather, the browser prevents the result from being leaked by stripping the response body. |
There was a problem hiding this comment.
Suggested change
| As this policy is expressed via a response header, the actual request is not prevented — rather, the browser prevents the result from being leaked by stripping the response body. | |
| As this policy is expressed via a response header, the actual request is not prevented. Instead, the browser prevents the result from being leaked by stripping the response body. |
|
|
||
| ## Examples | ||
|
|
||
| Instruct browsers to disallow cross-origin no-cors requests: |
There was a problem hiding this comment.
or this?
Suggested change
| Instruct browsers to disallow cross-origin no-cors requests: | |
| Instruct browsers to disallow cross-origin requests with `no-cors` mode: |
| ## See also | ||
|
|
||
| - [`Access-Control-Allow-Origin`](/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) | ||
| - [Cross-Origin Resource Sharing (CORS)](/en-US/docs/Web/HTTP/CORS) |
There was a problem hiding this comment.
CORS can be moved to the end of the list
|
|
||
| Using `robots.txt` is optional and sites should use it only for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent pages from appearing in search engine results, it does not secure websites against attackers. In fact, it can help them: `robots.txt` is publicly accessible, and by adding your sensitive page paths to it, you are showing attackers exactly where they are. | ||
|
|
||
| Also be aware that some robots will ignore your `robots.txt` file, for example, malware robots and email address harvesters. |
There was a problem hiding this comment.
Suggested change
| Also be aware that some robots will ignore your `robots.txt` file, for example, malware robots and email address harvesters. | |
| Also be aware that some robots, such as malware robots and email address harvesters, will ignore your `robots.txt` file. |
dipikabh
reviewed
Jun 19, 2024
|
|
||
| Use `robots.txt` to reduce website load and stop unsuitable content appearing in search results. | ||
|
|
||
| Using `robots.txt` is optional and sites should use it only for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent pages from appearing in search engine results, it does not secure websites against attackers. In fact, it can help them: `robots.txt` is publicly accessible, and by adding your sensitive page paths to it, you are showing attackers exactly where they are. |
There was a problem hiding this comment.
Suggested change
| Using `robots.txt` is optional and sites should use it only for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent pages from appearing in search engine results, it does not secure websites against attackers. In fact, it can help them: `robots.txt` is publicly accessible, and by adding your sensitive page paths to it, you are showing attackers exactly where they are. | |
| Using `robots.txt` is optional and should only be used for these purposes. It should not be used as a way to prevent the disclosure of private information or to hide portions of a website. While using this file can prevent pages from appearing in search engine results, it does not secure websites against attackers. On the contrary, it can unintentionally help them: `robots.txt` is publicly accessible, and by adding your sensitive page paths to it, you are showing their locations to potential attackers. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Mozilla Observatory is being moved to MDN. This PR adds the accompanying cheat sheet docs to MDN, and restructures the existing security docs to make space for them.
Motivation
Additional details
See mdn/mdn#548 for the MDN project tracking item.
Related issues and pull requests