This talk by Mike West shows that Google has taken power over the web. Google's engineers talk as if the web were a Google product. About new HTTP headers or ES6 features, they say "we do this, we add that". I am impressed by this self-confident attitude. No other player can talk like this nowadays.
Among interesting headers understood by Chrome, Mozilla and Safari in their most recent versions are:
- Public-Key-Pins, a header that pins the public key the site's SSL certificate must carry, so the browser rejects a certificate for the same host that does not match. This prevents HTTPS man-in-the-middle attacks with a fraudulently issued certificate.
- Clickjacking. Use X-Frame-Options to prevent your site from being framed. Without it, any page can embed your web app in a transparent frame and trick you into clicking somewhere without knowing it.
- Beware of commented-out placeholders. Attackers can often easily inject code by closing the comment.
- Use X-XSS-Protection with mode=block. You can even specify a URL to which the browser POSTs a report when an attack is detected.
- Content-Security-Policy, to choose where each type of resource may be loaded from.
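A quick audit of these headers, as an added example (not code from the talk or this post): it takes a response's headers and reports which of the recommendations above are missing or weakened. The sample responses and the pin values are constructed.

```python
"""Audit an HTTP response's security headers against the recommendations above.

Added example, not from the talk or the post. Header names and accepted values
follow the public specifications; the sample responses below are constructed.
"""
import re


def parse_csp(value):
    """Return {directive: [sources]} from a Content-Security-Policy value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_security_headers(headers):
    """Return a list of findings (an empty list means every check passed)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    # Clickjacking: X-Frame-Options must be DENY or SAMEORIGIN.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # Reflected-XSS filter: enabled with mode=block (a report URL is optional).
    xss = h.get("x-xss-protection", "")
    if not re.match(r"^1\s*;\s*mode=block", xss, re.I):
        findings.append("X-XSS-Protection not '1; mode=block'")

    # CSP: must exist and must at least restrict where scripts come from.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("Content-Security-Policy missing script-src/default-src")
    elif "'unsafe-inline'" in script_src or "*" in script_src:
        findings.append("Content-Security-Policy allows inline or wildcard scripts")

    # HPKP (only validated when present): at least two pins (one backup) and a max-age.
    hpkp = h.get("public-key-pins", "")
    pins = re.findall(r'pin-sha256="([^"]+)"', hpkp)
    if hpkp and (len(pins) < 2 or "max-age=" not in hpkp.lower()):
        findings.append("Public-Key-Pins needs >=2 pin-sha256 values and max-age")
    return findings


# Constructed sample responses; "AAAA"/"BBBB" stand in for real base64 SPKI hashes.
WEAK = {"X-Frame-Options": "ALLOWALL", "X-XSS-Protection": "0",
        "Content-Security-Policy": "default-src *"}
HARDENED = {"X-Frame-Options": "SAMEORIGIN",
            "X-XSS-Protection": "1; mode=block; report=/xss-report",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; img-src *",
            "Public-Key-Pins": 'pin-sha256="AAAA"; pin-sha256="BBBB"; max-age=5184000'}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_security_headers(hdrs) or ["ok"])
```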