This repository was archived by the owner on Nov 15, 2023. It is now read-only.

Variable weight for different security checks #4

Description

@blackthorne

I think the weight of your security checks should not be the same across them all. I understand it's hard to generalise because the nature of the web app may depend more on one or another, but the general distribution of importance is still far from 1:1. Some suggestions:

  • X-XSS-Protection - is already the default and it's not used by Mozilla. I would downplay the importance of this one;
  • Strict-Transport-Security - in the absence of having the domain on the HSTS preload list, this is really important; it's supported by all major browsers and it's a W3C standard. I think it's at least 2 times more important than several other things like secure cookies (much smaller coverage and redundant with HSTS), X-XSS-Protection (reasons explained above), and Referrer-Policy (the presence of a referrer policy may be good or bad - unsafe-url vs same-origin);
  • On SSL - I think a self-signed cert for a public website is a lot worse than all the theoretical attacks combined. If you can throw any certificate and get away with it for MitM, you don't even need to contemplate how to pull off POODLE or CRIME attacks, which are likely to be impossible depending on the browser, Logjam and network conditions. The only exception I see is Heartbleed, which is also very high risk (although it is not really an attack on SSL) and it's a very practical attack.
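The following is an added example of the non-uniform weighting proposed in the comment above, written for this thread and not taken from the project's code. The weights (HSTS counted twice, X-XSS-Protection at half), the six-month HSTS threshold, the set of referrer policies treated as safe, and the `hsts_preloaded` flag are all illustrative assumptions; the sample headers are constructed.

```python
"""Weighted scoring of HTTP security headers.

Example code added to this issue thread, not the project's scanner.
Weights and thresholds below are assumptions chosen to illustrate the
point that the checks should not all count 1:1.
"""

from typing import Dict, Optional, Tuple

# Assumed weights: HSTS counts twice as much as the lower-value checks;
# X-XSS-Protection is deliberately downplayed.
WEIGHTS: Dict[str, float] = {
    "strict-transport-security": 2.0,
    "secure-cookies": 1.0,
    "x-xss-protection": 0.5,
    "referrer-policy": 1.0,
}
UNIFORM_WEIGHTS: Dict[str, float] = {k: 1.0 for k in WEIGHTS}

SIX_MONTHS = 15_552_000  # assumed minimum max-age for full HSTS credit

# Policies that do not leak the full URL to third parties (assumed "good").
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "origin", "origin-when-cross-origin",
}


def parse_hsts(value: str) -> Tuple[int, bool]:
    """Return (max-age in seconds, includeSubDomains present) from an HSTS header value."""
    max_age, include_sub = 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                max_age = 0  # malformed max-age earns no credit
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def check_hsts(headers: Dict[str, object], hsts_preloaded: bool = False) -> float:
    """Full credit if the browser already enforces HTTPS via the preload list or a long max-age."""
    if hsts_preloaded:
        return 1.0
    value = headers.get("strict-transport-security")
    if not isinstance(value, str) or not value.strip():
        return 0.0
    max_age, _ = parse_hsts(value)
    if max_age >= SIX_MONTHS:
        return 1.0
    return 0.5 if max_age > 0 else 0.0


def check_secure_cookies(headers: Dict[str, object]) -> Optional[float]:
    """1.0 if every Set-Cookie carries Secure; None (not applicable) when no cookies are set."""
    cookies = headers.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    if not cookies:
        return None
    for cookie in cookies:
        attributes = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attributes:
            return 0.0
    return 1.0


def check_referrer_policy(headers: Dict[str, object]) -> float:
    """Presence alone is not enough: unsafe-url scores like a missing header."""
    value = headers.get("referrer-policy")
    if not isinstance(value, str) or not value.strip():
        return 0.0
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return 1.0 if tokens[-1] in SAFE_REFERRER_POLICIES else 0.0


def check_xss_protection(headers: Dict[str, object]) -> float:
    """Legacy filter header: '1; mode=block' gets full (but low-weight) credit."""
    value = headers.get("x-xss-protection")
    if not isinstance(value, str):
        return 0.0
    tokens = [t.strip().lower() for t in value.split(";")]
    if tokens[0] != "1":
        return 0.0
    return 1.0 if "mode=block" in tokens else 0.5


def score(headers: Dict[str, object], hsts_preloaded: bool = False,
          weights: Dict[str, float] = WEIGHTS) -> Dict[str, Optional[float]]:
    """Per-check results plus a weighted percentage over the applicable checks."""
    results: Dict[str, Optional[float]] = {
        "strict-transport-security": check_hsts(headers, hsts_preloaded),
        "secure-cookies": check_secure_cookies(headers),
        "x-xss-protection": check_xss_protection(headers),
        "referrer-policy": check_referrer_policy(headers),
    }
    applicable = {k: v for k, v in results.items() if v is not None}
    earned = sum(weights[k] * v for k, v in applicable.items())
    possible = sum(weights[k] for k in applicable)
    results["total"] = round(100 * earned / possible, 1) if possible else 0.0
    return results


# Constructed sample responses (header names lower-cased, Set-Cookie as a list).
GOOD_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "referrer-policy": "same-origin",
    "x-xss-protection": "1; mode=block",
    "set-cookie": ["sid=abc; Secure; HttpOnly"],
}
LEAKY_HEADERS = {
    "referrer-policy": "unsafe-url",      # present, but leaks full URLs
    "x-xss-protection": "1; mode=block",  # the one thing it gets right
    "set-cookie": ["sid=abc; HttpOnly"],  # no Secure flag, no HSTS either
}

if __name__ == "__main__":
    print("good   ", score(GOOD_HEADERS)["total"])
    print("leaky  ", score(LEAKY_HEADERS)["total"])
    print("uniform", score(LEAKY_HEADERS, weights=UNIFORM_WEIGHTS)["total"])
```

With the weights above the leaky response scores 11.1%, but 25.0% under uniform 1:1 weights, because X-XSS-Protection alone buys a quarter of the grade there; the same leaky response scores 55.6% if the domain is on the preload list, since HSTS is then enforced regardless of the header.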
