
Web Configuration

Why

Proper web security configuration helps secure websites by mitigating risks such as exposure of personal information, session hijacking and man-in-the-middle attacks.

What

HTTP header and cookie security configuration information.

How

Cross-origin resource sharing

Websites must implement a strict CORS policy. If content is intended to be shared with other websites, those websites must be explicitly listed and access allowed only to them. Do not grant arbitrary origins access, as doing so invalidates the same-origin policy.

HTTP Strict Transport Security

Use the HTTP Strict Transport Security header to ensure the browser does not downgrade to plain HTTP on subsequent requests. This helps defend against man-in-the-middle attacks.

Cookies

Ensure that cookies containing sensitive information are properly secured:

  • add the Secure attribute to cookies that may only be transmitted over HTTPS
  • add the HttpOnly attribute to cookies to prevent script access, as a defence against cross-site scripting
  • restrict cookie scope (Domain and Path attributes) for cookies containing sensitive information

Caching

  • Ensure that sensitive content is not cached by the browser (or by proxies) by using the appropriate caching directives. To ensure that content is not cached, send the following headers:
    • Cache-Control: no-store, no-cache
    • Pragma: no-cache

Clickjacking

A Content Security Policy (CSP) is recommended for all TELUS websites. Content Security Policy is a candidate W3C standard used to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that result from executing malicious content in the trusted web page context. While the standard is still at W3C candidate status, modern browsers support it, and that support should be leveraged, whether natively or through framework security modules.
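As an added example (not the project's own code), the following Python function audits one HTTP response's headers against the checks above: the CORS allow-list, HSTS, cookie flags, caching directives and CSP (using the frame-ancestors directive as the clickjacking control). The sample response and the allow-listed origin are constructed values.

```python
# Added example, not from the original page: audit one response's headers
# against the guideline above. Headers are (name, value) pairs so repeated
# Set-Cookie lines survive; names are matched case-insensitively.
def audit_headers(headers, trusted_origins=frozenset()):
    """Return a list of findings; an empty list means every check passed."""
    findings, h, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            h[name.lower()] = value.strip()
    # CORS: arbitrary origins defeat the same-origin policy.
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("CORS: wildcard Access-Control-Allow-Origin")
    elif acao is not None and acao not in trusted_origins:
        findings.append(f"CORS: origin {acao} is not on the allow-list")
    # HSTS: the browser must not downgrade to HTTP on later requests.
    if "max-age=" not in h.get("strict-transport-security", "").lower():
        findings.append("HSTS: Strict-Transport-Security missing or without max-age")
    # Cookies: Secure and HttpOnly on every cookie.
    for raw in cookies:
        attrs = [p.strip().lower() for p in raw.split(";")]
        cname = attrs[0].split("=", 1)[0]
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"Cookie {cname}: missing {flag} flag")
    # Caching: sensitive responses carry no-store, no-cache and Pragma: no-cache.
    cc = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if not {"no-store", "no-cache"} <= cc:
        findings.append("Caching: Cache-Control lacks no-store, no-cache")
    if h.get("pragma", "").lower() != "no-cache":
        findings.append("Caching: Pragma: no-cache missing")
    # CSP: policy present; frame-ancestors is the directive that blocks framing.
    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("CSP: Content-Security-Policy missing")
    elif "frame-ancestors" not in csp:
        findings.append("CSP: no frame-ancestors directive (clickjacking)")
    return findings


# Constructed sample response (not captured from any real site).
WEAK = [("Access-Control-Allow-Origin", "*"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Cache-Control", "public, max-age=3600"),
        ("Content-Security-Policy", "default-src 'self'")]
```

Running `audit_headers(WEAK)` reports six findings; a response that allow-lists a specific origin, sends HSTS with max-age, marks the cookie Secure and HttpOnly, uses `no-store, no-cache` plus `Pragma: no-cache`, and adds `frame-ancestors` to its CSP returns an empty list.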

The OWASP project also defines a collection of additional Secure Headers: