DEV Community

Cover image for A Web Security Checklist For Creating Secure Websites
Aritra Mukherjee
Aritra Mukherjee

Posted on • Originally published at on

A Web Security Checklist For Creating Secure Websites

Hello there! As a web developer, I always strive to ensure that the websites I build are as secure as possible.

Therefore, I put together a checklist 📋 of 9 crucial measures that have been mandated by Mozilla in their Web Security guidelines for all websites and/or web applications.

Web developers should implement all the items in this checklist to ensure their websites are optimally secured. 🛡️

Please refer to my blog post linked below for the description, implementation details and examples of each. 📚

BTW, I'd love suggestions from the community! If you have more items that should be added to this list or would like to suggest changes for the existing ones, please mention them in the comments below and I will update the article with due credits (Twitter/Dev). 😃

1️⃣ Use HTTPS over HTTP 🔒

Hypertext Transfer Protocol Secure (HTTPS) encrypts data exchanged between the server and the client. It prevents man-in-the-middle attacks. In order to use HTTPS, you will need to get an SSL certificate for your domain. Read More

2️⃣ Redirect From HTTP to HTTPS ↪️

Installing an SSL certificate for your website is the first step, but not the last. In order to complete the procedure, we have one more step - set up a redirection from HTTP to HTTPS. Read More

3️⃣ Load Resources Over HTTPS 📦

Resources are the various kinds of media (images/videos), scripts, and style sheets that a website requires for its functioning. Loading your website’s resources over HTTP leaves it vulnerable to cyber attacks like Phishing. Apart from that, browsers like Chrome and Firefox will show Mixed Content warnings to your site’s visitors. Read More

4️⃣ Enforce HTTP Strict Transport Security (HSTS) 🚌

HTTP Strict Transport Security (HSTS) is an HTTP header that allows user agents like browsers to only connect to a website over HTTPS. Read More

5️⃣ Use Content Security Policy (CSP) 📜

Content Security Policy (CSP) is used to specify the sources from where your website will fetch its resources. This information is used by web browsers to block requests for resources from sources, other than the ones specified by you. Read More

6️⃣ Secure Your Cookies 🍪

A cookie is a small file that stores information on the client’s machine. Other than tracking visitors’ web activity, cookies are used for session management. This is why securing your cookies is important for optimal web security. Mozilla has mandated the creation of HTTP cookies with the Secure flag. Read More

7️⃣ Prevent Clickjacking 🖱️

Clickjacking is a type of attack performed on a victim website using iframes. Websites can protect themselves from getting framed (literally) by using either CSP frame-ancestors directive or X-Frame-Options header. Read More

8️⃣ Cross-origin Resource Sharing (CORS) 📡

This is exclusively for APIs. The Access-Control-Allow-Origin header can be used to block unauthorized foreign access to resources on your origin/server. By using this header, you can state which origins you want to allow access to a particular resource, which is being requested. Read More

9️⃣ Prevent Cross-site Request Forgery (CSRF)

Cross-site request forgery (CSRF) attacks are quite simple. Websites often use cookies to store session information of a logged-in user. Such cookies can be used to perform unauthorized destructive changes on the victim server. Read More

Continue reading "A Web Security Checklist For Creating Secure Websites"

The post A Web Security Checklist For Creating Secure Websites appeared first on GeekyMinds.

Top comments (1)

strongunsullied profile image
Kasope Johnson

Nice tips