Web security

Ensuring that your website or open web application is secure is critical. Even simple bugs in your code can result in private information being leaked, and bad people are out there trying to find ways to steal data. These articles provide information that may help you secure your code.

Information Security Basics
Understanding security basics helps you understand the role and importance of security throughout the web development lifecycle. It helps you avoid shipping needlessly insecure software whose weaknesses attackers can exploit for financial gain or other malicious purposes. The following articles provide some basic web security theory and definitions.
Insecure passwords
Serving login forms over HTTP is especially dangerous because of the wide variety of attacks that can be used against them to extract a user’s password. Network eavesdroppers could steal a user's password by sniffing the network, or by modifying the served page in transit. This page details the security mechanisms Firefox has put in place to warn users and developers of such risks.
Mixed content
When a user visits a page served over HTTPS, their connection with the web server is encrypted with TLS and is therefore safeguarded from most sniffers and man-in-the-middle attacks. If the HTTPS page includes content retrieved through regular, cleartext HTTP, then the connection is only partially encrypted; the unencrypted content is accessible to sniffers and can be modified by man-in-the-middle attackers, so the connection is not safeguarded. When a web page exhibits this behavior, it is called a mixed content page.
Same-origin policy
The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.
Secure Contexts
A secure context is a Window or Worker for which there is reasonable confidence that the content has been delivered securely (via HTTPS/TLS), and for which the potential for communication with contexts that are not secure is limited. Many Web APIs and features are only accessible in a secure context. The primary goal of secure contexts is to prevent Man in the Middle attackers from accessing powerful APIs that could further compromise the victim of an attack.
Securing your site
There are a number of things you can do to help secure your site. This article offers an assortment of suggestions, as well as links to other articles providing more useful information.
Site Identity Button
The Site Identity Button is a feature in Firefox that gives users more information about the sites they visit.
Subresource Integrity
Subresource Integrity (SRI) is a security feature that enables browsers to verify that files they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.
Transport Layer Security
Choosing the proper cipher suites and parameters in transport layer security (TLS) is essential: it maintains the confidentiality and integrity of communications between client and server systems. The Mozilla Operations Security (OpSec) team maintains a wiki entry with reference transport layer security configurations.
Weak Signature Algorithm
The strength of the hash algorithm used in signing a digital certificate is a critical element of the security of the certificate. Weaknesses in hash algorithms can lead to situations in which attackers can create or obtain fraudulent certificates. As new attacks are found and improvements in available technology make attacks more feasible, the use of older algorithms is discouraged and support for them is eventually removed.

Document Tags and Contributors

 Contributors to this page: fscholz, jswisher, PPElite, marumari, ISOBEL, Sheppy
 Last updated by: fscholz