Web Security

Collections

• How to reduce your risk of cross-site scripting attacks with vanilla JavaScript
• Injecting text instead of HTML with vanilla JS to reduce your risk of XSS attacks
• Trusted Types API for JavaScript DOM Security
• Protecting against DOM XSS security vulnerabilities in JavaScript
• Refused to frame 'https://xxx.myshopify.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".
• How to win at CORS
• Trusted Types API for JavaScript DOM Security
• Don’t try to sanitize input. Escape output.
  • https://news.ycombinator.com/item?id=29921276
• Retrieving your browsing history through a CAPTCHA - The :visited pseudo-class poses privacy risks for people who surf the web. As a user, you can stop web pages from tracking your history by disabling visited link highlighting in your web browser.
• Securing Express Web Applications With Helmet - Learn how to use Helmet to set Content-Security-Policy, X-DNS-Prefetch-Control, X-Frame-Options, X-Powered-By, plus much more.
  • Using Helmet to set the Content-Security-Policy header
  • Using Helmet to set the X-DNS-Prefetch-Control header
  • Controlling enabled browser features using the Feature-Policy header
  • Using Helmet to set the X-Frame-Options header
  • Using Helmet to remove the X-Powered-By header
  • Improving HTTPS with Strict Transport Security
  • Mitigating XSS attacks with Helmet
• What is a realm in JavaScript?
  • Introducing Snow
• Web fingerprinting is worse than I thought
• Edge sends images you view online to Microsoft, here is how to disable that
• CSP Testing Using Cypress
• Google AMP – The Newest of Evasive Phishing Tactic

  https://www.google.com/amp/s/${phishing URL}

• Preventing HTTPS Downgrade Attacks

  • configuring servers to redirect all HTTP traffic to HTTPS and setting the HTTP Content-Security-Policy and Strict-Transport-Security headers to enforce HTTPS-only browsing
  • The HSTS preload directive further strengthens security by ensuring browsers always use HTTPS for a domain

• Polyfill.io, 중국 CDN 기업에 인수된 후 보안 및 안정성 문제 발생
  • polyfill.io now available on cdnjs: reduce your supply chain risk
• DoubleClickjacking: A New Era of UI Redressing - get users to commit to clicking twice, but the pop up page only accepts a single click before closing. Their second click goes to the page underneath the pop up, which is e.g. an authentication button. — nneonneo
• Cross-Site Request Forgery is dead! - Same-Site Cookies. SameSite=Strict, SameSite=Lax
• CSRF Protection without Tokens or Hidden Form Fields - The so called "modern" method to protect against CSRF attacks is based on the Sec-Fetch-Site header, which all modern desktop and mobile browsers include in the requests they send to servers.

---

Children

1. 5 Mistakes to Avoid When Self Hosting a Website from Home
2. CORS is Stupid - Kevin Cox
3. CSP와 inline으로 삽입된 XSS 스크립트의 관계
4. Kobold Letters
5. Local Server Security Best Practices
6. New alternatives to innerHTML
7. Target=_blank implies rel=noopener
8. Tools
9. “Invalid Username or Password”: a useless security measure
10. 🔒Securing Web: A Deep Dive into Content Security Policy (CSP)