@miguelmota
Last active January 30, 2021 01:05
Web security checklist

Headers

  • Prevent site from being rendered in iframe
    • X-Frame-Options: DENY
  • Stop page from loading if XSS is detected (legacy header: current browsers ignore it, so rely on Content-Security-Policy for XSS defense and keep this only for older browsers)
    • X-XSS-Protection: 1; mode=block
  • Don't set referrer header
    • Referrer-Policy: no-referrer
  • Prevent MIME type sniffing (i.e. don't execute JS code served as a .png)
    • X-Content-Type-Options: nosniff
  • Force HTTPS (note: the browser preload list only accepts a max-age of at least one year, i.e. 31536000, so raise the value below before submitting)
    • Strict-Transport-Security: max-age=15780000; includeSubDomains; preload
  • Disable browser features (Feature-Policy has been renamed Permissions-Policy, which uses a different syntax such as geolocation=(); send the new header as well)
    • Feature-Policy: geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'none'; payment 'none'
  • Disable external scripts (caveat: the policy below allows scripts from any origin plus 'unsafe-inline' and 'unsafe-eval', so it does not block external scripts; a restrictive baseline is default-src 'self' with each extra source listed explicitly)
    • Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline'
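A small audit script that checks a response's headers against the list above, added here as an example; it is not part of the original gist. The header names are the real ones, but the hardened `RECOMMENDED` values, the `ONE_YEAR` preload threshold and the sample header sets are constructed for this example. It parses the Content-Security-Policy value and flags the wildcard, `'unsafe-inline'` and `'unsafe-eval'` in the effective script source list, and checks the HSTS max-age against the preload requirement.

```python
"""Audit an HTTP response's security headers against the checklist.

Added example, not part of the original gist. Header names are real; the
recommended values and both sample header sets are constructed here.
"""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # minimum HSTS max-age accepted by the preload list

# Constructed hardened baseline. The CSP is deliberately restrictive
# (same-origin only), unlike the wildcard policy in the checklist.
RECOMMENDED: Dict[str, str] = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=(), payment=()",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
}

# The header set exactly as the checklist lists it, used as a sample response.
CHECKLIST_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=15780000; includeSubDomains; preload",
    "Feature-Policy": "geolocation 'none'; microphone 'none'; camera 'none'",
    "Content-Security-Policy": (
        "default-src * 'unsafe-inline' 'unsafe-eval'; "
        "script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; "
        "img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline'"
    ),
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP string into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive (clickjacking)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing (MIME sniffing)")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing (URL leakage via Referer)")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing (HTTPS not enforced)")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        max_age = int(match.group(1)) if match else 0
        if "preload" in hsts and max_age < ONE_YEAR:
            findings.append("HSTS preload requested but max-age is below one year")

    if "permissions-policy" not in h and "feature-policy" not in h:
        findings.append("Permissions-Policy (or legacy Feature-Policy) missing")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        directives = parse_csp(csp)
        # Per the CSP spec, script-src falls back to default-src when absent.
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "*" in script_src:
            findings.append("CSP script-src allows any origin (*)")
        if "'unsafe-inline'" in script_src:
            findings.append("CSP script-src allows 'unsafe-inline'")
        if "'unsafe-eval'" in script_src:
            findings.append("CSP script-src allows 'unsafe-eval'")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("checklist", CHECKLIST_HEADERS), ("recommended", RECOMMENDED)):
        print(name + ":", audit_headers(hdrs) or "OK")
```

Run it against the checklist's own header set and it reports four findings: the HSTS max-age is too short for preload, and the script source list allows any origin, inline script and eval. The same function on `RECOMMENDED` returns an empty list. To audit a live response, pass the `dict` of headers from your HTTP client of choice; the function only needs a name-to-value mapping.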

Tools
