DEV Community

Cover image for 5 HTML Tips for Building a Secure Website
Imoh Imohowo
Imoh Imohowo

Posted on

5 HTML Tips for Building a Secure Website

Security is a crucial aspect of web development, and while much of the focus is often on backend protections, HTML itself offers several ways to enhance security. Here are five HTML tips to help you build a more secure website.

1. Use `rel="noopener noreferrer" for External Links

When using target="_blank" on anchor (<a>) tags, always include rel="noopener noreferrer" to prevent security risks like reverse tabnapping.

html
<a href="https://example.com" target="_blank" rel="noopener noreferrer">Safe Link</a>


This prevents the new page from accessing the window.opener property of your site, reducing the risk of malicious attacks.

2. Sanitize User Input with sandbox in <iframe>

If your site embeds third-party content using <iframe>, always use the sandbox attribute to restrict what the embedded content can do.

`html

`

This prevents actions like form submissions, pop-ups, and script execution unless explicitly allowed.

3. Enable HTTPS with <meta http-equiv="Content-Security-Policy">

Use the Content-Security-Policy (CSP) meta tag to enforce secure connections and prevent mixed content issues.

html
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">


This automatically upgrades HTTP requests to HTTPS, reducing man-in-the-middle attack risks.

4. Prevent Form Hijacking with SameSite Cookies

While primarily a backend setting, you can help secure forms by ensuring cookies are marked as SameSite (handled via server headers). However, you can reinforce security by using:

`html

`

Avoid GET for sensitive data, as it exposes parameters in the URL.

5. Disable Autofill on Sensitive Fields

For fields that should not be stored in the browser (e.g., one-time passwords, security codes), disable autocomplete:

html
<input type="password" name="secure-code" autocomplete="off">


This prevents browsers from storing sensitive information that could be exploited.

Final Thoughts

While HTML alone wonโ€™t make your site completely secure, these practices add an extra layer of protection. Combine them with proper backend security (like input validation, CSRF tokens, and HTTPS) for a robust defense.

Top comments (1)

Some comments may only be visible to logged-in visitors. Sign in to view all comments.