Add Observatory docs to MDN #33793

Open
wants to merge 66 commits into base: main
66 commits
4703db1
Restructure security landing page
chrisdavidmills May 28, 2024
c04092c
Retitle and redirect Security your site page to Practical implementat…
chrisdavidmills May 28, 2024
5254100
Update files/en-us/web/security/index.md
chrisdavidmills May 28, 2024
c39da2b
Update files/en-us/web/security/index.md
chrisdavidmills May 28, 2024
c7a383a
initial draft of all Observatory pages
chrisdavidmills May 30, 2024
3164d32
Merge branch 'add-observatory-docs-to-mdn' of github.com:chrisdavidmi…
chrisdavidmills May 30, 2024
06d0b98
Update files/en-us/web/security/practical_implementation/clickjacking…
chrisdavidmills May 30, 2024
cc8a1bb
Update files/en-us/web/security/practical_implementation/clickjacking…
chrisdavidmills May 30, 2024
d7d47c7
Update files/en-us/web/security/practical_implementation/cookies/inde…
chrisdavidmills May 30, 2024
64dd386
Update files/en-us/web/security/practical_implementation/clickjacking…
chrisdavidmills May 30, 2024
0dc7334
Update files/en-us/web/security/practical_implementation/cookies/inde…
chrisdavidmills May 30, 2024
883d4a5
Update files/en-us/web/security/practical_implementation/referrer_pol…
chrisdavidmills May 30, 2024
68659ec
Update files/en-us/web/security/practical_implementation/referrer_pol…
chrisdavidmills May 30, 2024
8c03637
Update files/en-us/web/security/practical_implementation/sri/index.md
chrisdavidmills May 30, 2024
189313e
Update files/en-us/web/security/practical_implementation/sri/index.md
chrisdavidmills May 30, 2024
460025c
Update files/en-us/web/security/practical_implementation/tls/index.md
chrisdavidmills May 30, 2024
ec81406
Update files/en-us/web/security/practical_implementation/cookies/inde…
chrisdavidmills May 30, 2024
74ab66d
Update files/en-us/web/security/practical_implementation/cookies/inde…
chrisdavidmills May 30, 2024
dbeb415
Update files/en-us/web/security/practical_implementation/cors/index.md
chrisdavidmills May 30, 2024
0d277b9
Update files/en-us/web/security/practical_implementation/cors/index.md
chrisdavidmills May 30, 2024
d01abc7
Update files/en-us/web/security/practical_implementation/csp/index.md
chrisdavidmills May 30, 2024
63410ca
Update files/en-us/web/security/practical_implementation/csp/index.md
chrisdavidmills May 30, 2024
612279a
Update files/en-us/web/security/practical_implementation/csp/index.md
chrisdavidmills May 30, 2024
1d6810d
Update files/en-us/web/security/practical_implementation/csp/index.md
chrisdavidmills May 30, 2024
e24c1a2
Update files/en-us/web/security/practical_implementation/csp/index.md
chrisdavidmills May 30, 2024
65a6c43
Update files/en-us/web/security/practical_implementation/csrf_prevent…
chrisdavidmills May 30, 2024
a307fc4
Update files/en-us/web/security/practical_implementation/csrf_prevent…
chrisdavidmills May 30, 2024
309e549
Update files/en-us/web/security/practical_implementation/csrf_prevent…
chrisdavidmills May 30, 2024
7755192
Update files/en-us/web/security/practical_implementation/csrf_prevent…
chrisdavidmills May 30, 2024
a9d6f30
Update files/en-us/web/security/practical_implementation/index.md
chrisdavidmills May 30, 2024
7b437a9
Update files/en-us/web/security/practical_implementation/referrer_pol…
chrisdavidmills May 30, 2024
d7a2d24
Merge branch 'main' into add-observatory-docs-to-mdn
chrisdavidmills May 30, 2024
5b4e224
Fix broken links
chrisdavidmills May 30, 2024
69de9a9
tidy up links on the main practical page
chrisdavidmills May 31, 2024
85916b3
Make sure desired documents are linked to
chrisdavidmills Jun 2, 2024
536fc91
Merge branch 'main' into add-observatory-docs-to-mdn
chrisdavidmills Jun 2, 2024
46e7951
Add a few details to make sure the page aligns with the test results
chrisdavidmills Jun 3, 2024
c43f8ea
Merge branch 'main' into add-observatory-docs-to-mdn
chrisdavidmills Jun 3, 2024
8d68d09
fixes for dipikabh review comments
chrisdavidmills Jun 7, 2024
cfa0529
Update files/en-us/web/security/practical_implementation/index.md
chrisdavidmills Jun 7, 2024
b19f5e2
Update files/en-us/web/security/practical_implementation_guides/index.md
chrisdavidmills Jun 7, 2024
8ded9c2
Update files/en-us/web/security/practical_implementation_guides/index.md
chrisdavidmills Jun 7, 2024
d828218
remove old version of guide landing page
chrisdavidmills Jun 10, 2024
93eca1a
tweak redirects
chrisdavidmills Jun 10, 2024
35c1c3b
More fixes for dipikabh review comments
chrisdavidmills Jun 10, 2024
6da1616
Update files/en-us/web/security/practical_implementation_guides/index.md
chrisdavidmills Jun 10, 2024
66f47fe
Fix latest round of dipika review comments, and fix some links
chrisdavidmills Jun 12, 2024
74eae48
Making fixes for review comments from dipika and tibap
chrisdavidmills Jun 14, 2024
d7375f5
Update files/en-us/web/security/practical_implementation_guides/csrf_…
chrisdavidmills Jun 14, 2024
006f2f7
Update files/en-us/web/security/practical_implementation_guides/index.md
chrisdavidmills Jun 14, 2024
e18b08f
Update files/en-us/web/security/practical_implementation_guides/index.md
chrisdavidmills Jun 14, 2024
26e178a
Update files/en-us/web/security/practical_implementation_guides/tls/i…
chrisdavidmills Jun 14, 2024
796d616
last few tweaks
chrisdavidmills Jun 18, 2024
75dd4d9
Merge branch 'main' into add-observatory-docs-to-mdn
caugner Jun 18, 2024
72d7c97
fix broken links
chrisdavidmills Jun 19, 2024
0529929
Fixes for gene1wood review comments
chrisdavidmills Jun 19, 2024
2875f75
Fixes for review comments from freddyb
chrisdavidmills Jun 19, 2024
02051b8
add corp page
chrisdavidmills Jun 19, 2024
2e5a8ee
Merge branch 'main' into add-observatory-docs-to-mdn
chrisdavidmills Jun 19, 2024
bfda732
Update CSRF XSS link
chrisdavidmills Jun 20, 2024
f7c14a7
few more fixes for freddy and dipika comments
chrisdavidmills Jun 20, 2024
a692710
Correct HTTP observatory naming issues
chrisdavidmills Jun 20, 2024
0a76c93
Improve CORP page
chrisdavidmills Jun 20, 2024
762d53f
Add xs-leaks info and link
chrisdavidmills Jun 20, 2024
3aa78fd
Couple more fixes for gene wood comments
chrisdavidmills Jun 20, 2024
abc565f
fixes for freddyb comments
chrisdavidmills Jun 21, 2024
Update files/en-us/web/security/practical_implementation/index.md
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
chrisdavidmills and github-actions[bot] committed May 30, 2024
commit a9d6f30c16e5e1dfbcb4439d26dc78ddbdcc59da
43 changes: 19 additions & 24 deletions files/en-us/web/security/practical_implementation/index.md
Expand Up @@ -10,30 +10,25 @@ This section provides opinionated guides detailing best practices for implementi

## Content security fundamentals

Most of the content in this section has direct links to the [Mozilla Observatory](/en-US/observatory/) tool. The pages detail how to fix the issues highlighted by the Observatory tests, and as such, Observatory will link to appropriate sections in the test results to provide guidance. Mozilla's internal developer teams use this guidance when implementing websites.

The guides are listed in the order that we recommend they are implemented. This order is based on a combination of security impact and ease of implementation from an operational and developmental perspective.

| Guide | Impact | Difficulty | Required | Summary |
| ----------- | ----------- | ---------- | --------- | -------------------------------------------------------------------------- |
| [TLS configuration](/en-US/docs/Web/Security/Practical_implementation/TLS#tls_configuration) | Medium | Medium | Yes | Use the most secure TLS configuration available for your user base. |
| [Resource loading](/en-US/docs/Web/Security/Practical_implementation/TLS#resource_loading) | Maximum | Low | Yes | Both passive and active resources should be loaded via HTTPS. |
| [HTTP redirections](/en-US/docs/Web/Security/Practical_implementation/TLS#http_redirections) | Maximum | Low | Yes | Websites must redirect to HTTPS; API endpoints should disable HTTP entirely. |
| [HTTP Strict transport security](/en-US/docs/Web/Security/Practical_implementation/TLS#http_strict_transport_security) | High | Low | Yes | Notify user agents to only connect to sites over HTTPS, even if the scheme chosen was HTTP. |
| [Clickjacking prevention](/en-US/docs/Web/Security/Practical_implementation/Clickjacking) | High | Low | Yes | Control how your site may be framed within an {{htmlelement("iframe")}}, to prevent [clickjacking](/en-US/docs/Glossary/Clickjacking). |
| [Cross-site request forgery prevention](/en-US/docs/Web/Security/Practical_implementation/CSRF_prevention) | High | Unknown | Varies | CSRF can be protected against via `SameSite` cookies and anti-CSRF tokens. |
| [Secure cookies](/en-US/docs/Web/Security/Practical_implementation/Cookies) | High | Medium | Yes | All cookies should be set as restrictively as possible. |
| [Verifying MIME types](/en-US/docs/Web/Security/Practical_implementation/MIME_types) | Low | Low | No | Websites should verify that they are setting the proper MIME types for all resources. |
| [Content Security Policy (CSP)](/en-US/docs/Web/Security/Practical_implementation/CSP) | High | High | Yes | Provides fine-grained control over where site resources can be loaded from. |
| [Cross-origin Resource Sharing (CORS)](/en-US/docs/Web/Security/Practical_implementation/CORS) | High | Low | Yes | Define which non-same origins are allowed to access the content of pages and have resources loaded from them. |
| [Referrer policy](/en-US/docs/Web/Security/Practical_implementation/Referrer_policy) | Low | Low | Yes | Improves privacy for users, prevents the leaking of internal URLs via the {{httpheader("Referer")}} header. |
| [robots.txt](/en-US/docs/Web/Security/Practical_implementation/Robots_txt) | Low | Low | No | Tell robots (such as search engine indexers) how to behave, by instructing them not to crawl certain paths on the website. |
| [Subresource integrity](/en-US/docs/Web/Security/Practical_implementation/SRI) | Low | Low | No | Verify that fetched resources (for example, from a CDN) are delivered without unexpected manipulation. |





Most of the content in this section has direct links to the [Mozilla Observatory](/en-US/observatory/) tool. The pages detail how to fix the issues highlighted by the Observatory tests, and as such, Observatory will link to appropriate sections in the test results to provide guidance. Mozilla's internal developer teams use this guidance when implementing websites.

The guides are listed in the order that we recommend they are implemented. This order is based on a combination of security impact and ease of implementation from an operational and developmental perspective.

| Guide | Impact | Difficulty | Required | Summary |
Contributor
The first "Guide" column also needs to be made consistent in verbiage because some entries are noun phrases ("TLS configuration") and some indicate activity ("Verifying"). WDYT about:

TLS configuration
Resource loading
HTTP redirection
HSTS implementation
Clickjacking prevention
CSRF prevention
Secure cookie configuration
MIME type verification
CSP implementation
CORS configuration
Referrer policy enforcement
robots.txt configuration
SRI implementation

Contributor Author

Sounds reasonable. I've mostly used these, with a couple of tweaks. I also tried updating them on the page titles too, for consistency.

This does mean that way more titles now break onto two lines in the sidebar and pages themselves.

Do you think that is a problem?

Contributor

To be checked later after updated preview links are available

Contributor

My preference is to use only the acronym in the sidebar (short-title) and the expanded title on the page, so:

title: Cross-Origin Resource Sharing (CORS) configuration
short-title: CORS configuration

One of the things this can help with is that when you're on the landing page, you can quickly match up the guides from the table's first column to those in the sidebar. At the moment, you need to parse the titles in the sidebar a bit.

With both the expanded form and acronym in the page title, the page will still be searchable in the "Quick Search" field using either the long form or acronym.

But I'll leave it to you to make the call. The glossary pages have acronyms in the sidebar - I don't know if we have a strict guideline or any guideline around this.

| ---------------------------------------------------------------------------------------------------------------------- | ------- | ---------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------- |
| [TLS configuration](/en-US/docs/Web/Security/Practical_implementation/TLS#tls_configuration) | Medium | Medium | Yes | Use the most secure TLS configuration available for your user base. |
| [Resource loading](/en-US/docs/Web/Security/Practical_implementation/TLS#resource_loading) | Maximum | Low | Yes | Both passive and active resources should be loaded via HTTPS. |
| [HTTP redirections](/en-US/docs/Web/Security/Practical_implementation/TLS#http_redirections) | Maximum | Low | Yes | Websites must redirect to HTTPS; API endpoints should disable HTTP entirely. |
| [HTTP Strict transport security](/en-US/docs/Web/Security/Practical_implementation/TLS#http_strict_transport_security) | High | Low | Yes | Notify user agents to only connect to sites over HTTPS, even if the scheme chosen was HTTP. |
| [Clickjacking prevention](/en-US/docs/Web/Security/Practical_implementation/Clickjacking) | High | Low | Yes | Control how your site may be framed within an {{htmlelement("iframe")}}, to prevent [clickjacking](/en-US/docs/Glossary/Clickjacking). |
| [Cross-site request forgery prevention](/en-US/docs/Web/Security/Practical_implementation/CSRF_prevention) | High | Unknown | Varies | CSRF can be protected against via `SameSite` cookies and anti-CSRF tokens. |
| [Secure cookies](/en-US/docs/Web/Security/Practical_implementation/Cookies) | High | Medium | Yes | All cookies should be set as restrictively as possible. |
| [Verifying MIME types](/en-US/docs/Web/Security/Practical_implementation/MIME_types) | Low | Low | No | Websites should verify that they are setting the proper MIME types for all resources. |
| [Content Security Policy (CSP)](/en-US/docs/Web/Security/Practical_implementation/CSP) | High | High | Yes | Provides fine-grained control over where site resources can be loaded from. |
| [Cross-origin Resource Sharing (CORS)](/en-US/docs/Web/Security/Practical_implementation/CORS) | High | Low | Yes | Define which non-same origins are allowed to access the content of pages and have resources loaded from them. |
| [Referrer policy](/en-US/docs/Web/Security/Practical_implementation/Referrer_policy) | Low | Low | Yes | Improves privacy for users, prevents the leaking of internal URLs via the {{httpheader("Referer")}} header. |
| [robots.txt](/en-US/docs/Web/Security/Practical_implementation/Robots_txt) | Low | Low | No | Tell robots (such as search engine indexers) how to behave, by instructing them not to crawl certain paths on the website. |
| [Subresource integrity](/en-US/docs/Web/Security/Practical_implementation/SRI) | Low | Low | No | Verify that fetched resources (for example, from a CDN) are delivered without unexpected manipulation. |

- [Properly configuring server MIME types](/en-US/docs/Learn/Server-side/Configuring_server_MIME_types)
- : There are several ways incorrect MIME types can cause potential security problems with your site. This article explains some of those and shows how to configure your server to serve files with the correct MIME types.
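Review bot: the CSRF row (`| [Cross-site request forgery prevention](...) | High | Unknown | Varies |`) is the only row whose Difficulty and Required cells fall outside the Low/Medium/High and Yes/No scales the rest of the table uses; since the intro paragraph says the guides are ordered by security impact and ease of implementation, give that row a value on the same scale (or a short footnote explaining why it varies) so the ordering stays defensible. Two smaller points in the same hunk: "HTTP Strict transport security" should read "HTTP Strict Transport Security" to match the header's name, and the trailing definition-list entry `- [Properly configuring server MIME types](/en-US/docs/Learn/Server-side/Configuring_server_MIME_types)` now duplicates the "Verifying MIME types" table row, so consider folding that link into the row's summary or dropping the list item to avoid two entry points for one topic.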