Proper web security configuration helps secure websites by mitigating risks such as exposure of personal information, session hijacking and man-in-the-middle attacks.
This page covers HTTP header and cookie security configuration.
Cross-origin resource sharing
Websites must implement a strict CORS policy. If content is intended to be shared with other websites, those websites must be explicitly defined and access allowed only to them. Do not allow arbitrary origins access, as doing so invalidates the same-origin security policy.
HTTP Strict Transport Security
Use the HTTP Strict Transport Security header to ensure the browser does not downgrade to plain HTTP in subsequent requests. This helps defend against man-in-the-middle attacks.
Ensure that cookies containing sensitive information are properly secured:
- add the Secure attribute to cookies that may only be transmitted over HTTPS
- add the HttpOnly attribute to cookies to prevent script access, as a defense against cross-site scripting
- restrict cookie scope (Domain and Path attributes) for cookies containing sensitive information
Ensure that sensitive content is not cached by the browser (or by proxies) by using the appropriate caching directives. To ensure that content is not cached, use the following:
Cache-Control: no-store, no-cache
A Content Security Policy (CSP) is recommended for all TELUS websites. Content Security Policy is a candidate W3C standard used to prevent cross-site scripting (XSS), clickjacking and other code injection attacks that result from executing malicious content in the context of a trusted web page. Although the standard is still at W3C candidate status, modern browsers support it, and that support should be used, whether natively or through framework security modules.
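As an added example that is not part of the original guidance, the following Python function audits a set of response headers against the rules above (CORS allow-list, HSTS, cookie attributes, caching directives, CSP). The two header sets and the origin allow-list are constructed sample values, not taken from any real site.

```python
from http.cookies import SimpleCookie

# Constructed sample headers (not from a real site): one weak, one hardened.
WEAK = {
    "Access-Control-Allow-Origin": "*",
    "Set-Cookie": "session=abc123; Path=/",
    "Cache-Control": "public, max-age=3600",
}
HARDENED = {
    "Access-Control-Allow-Origin": "https://partner.example.com",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; Domain=app.example.com; Path=/account",
    "Cache-Control": "no-store, no-cache",
    "Content-Security-Policy": "default-src 'self'",
}
ALLOWED_ORIGINS = {"https://partner.example.com"}  # assumed explicit allow-list


def audit_headers(headers, allowed_origins=ALLOWED_ORIGINS, sensitive=True):
    """Return findings for a response; an empty list means it follows the guidance."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    # CORS: never a wildcard, and only origins on the explicit allow-list.
    acao = h.get("access-control-allow-origin")
    if acao == "*":
        findings.append("CORS: wildcard origin invalidates the same-origin policy")
    elif acao and acao not in allowed_origins:
        findings.append(f"CORS: origin {acao} is not on the allow-list")
    # HSTS: must be present so the browser does not downgrade to HTTP later.
    if "strict-transport-security" not in h:
        findings.append("HSTS: Strict-Transport-Security header missing")
    # Cookies: Secure, HttpOnly, and a restricted Path for sensitive cookies.
    for name, m in SimpleCookie(h.get("set-cookie", "")).items():
        if not m["secure"]:
            findings.append(f"Cookie {name}: missing Secure attribute")
        if not m["httponly"]:
            findings.append(f"Cookie {name}: missing HttpOnly attribute")
        if sensitive and m["path"] in ("", "/"):
            findings.append(f"Cookie {name}: Path not restricted")
    # Caching: sensitive content must carry both no-store and no-cache.
    directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
    if sensitive and not {"no-store", "no-cache"} <= directives:
        findings.append("Cache-Control: must be 'no-store, no-cache' for sensitive content")
    # CSP: recommended for every site.
    if "content-security-policy" not in h:
        findings.append("CSP: Content-Security-Policy header missing")
    return findings
```

Running `audit_headers(WEAK)` lists every deviation from the guidance, while `audit_headers(HARDENED)` returns an empty list.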
The OWASP project also defines a collection of additional Secure Headers: