[External link]
https://infosec.mozilla.org/guidelines/web_security#table-of-contents
Table of Contents
Cheat Sheet
Transport Layer Security (TLS/SSL)
HTTPS
HTTP Strict Transport Security
HTTP Redirections
HTTP Public Key Pinning
Resource Loading
Content Security Policy
contribute.json
Cookies
Cross-origin Resource Sharing
CSRF Prevention
Referrer Policy
robots.txt
Subresource Integrity
X-Content-Type-Options
X-Frame-Options
X-XSS-Protection
Version History
Web Security Cheat Sheet
| Guideline | Security Benefit | Implementation Difficulty | Order | Requirements | Notes |
|---|---|---|---|---|---|
| HTTPS | MAXIMUM | MEDIUM | | Mandatory | Sites should use HTTPS (or other secure protocols) for all communications |
| Public Key Pinning | LOW | MAXIMUM | -- | Mandatory for maximum risk sites only | Not recommended for most sites |
| Redirections from HTTP | MAXIMUM | LOW | 3 | Mandatory | Websites must redirect to HTTPS, API endpoints should disable HTTP entirely |
| Resource Loading | MAXIMUM | LOW | 2 | Mandatory for all websites | Both passive and active resources should be loaded through protocols using TLS, such as HTTPS |
| Strict Transport Security | HIGH | LOW | 4 | Mandatory for all websites | Minimum allowed time period of six months |
| TLS Configuration | MEDIUM | MEDIUM | 1 | Mandatory | Use the most secure Mozilla TLS configuration for your user base, typically Intermediate |
| Content Security Policy | HIGH | HIGH | 10 | Mandatory for new websites; recommended for existing websites | Disabling inline script is the greatest concern for CSP implementation |
| Cookies | HIGH | MEDIUM | 7 | Mandatory for all new websites; recommended for existing websites | All cookies must be set with the Secure flag, and set as restrictively as possible |
| contribute.json | LOW | LOW | 9 | Mandatory for all new Mozilla websites; recommended for existing Mozilla sites | Mozilla sites should serve contribute.json and keep contact information up-to-date |
| Cross-origin Resource Sharing | HIGH | LOW | 11 | Mandatory | Origin sharing headers and files should not be present, except for specific use cases |
| Cross-site Request Forgery Tokenization | HIGH | UNKNOWN | 6 | Varies: mandatory for websites that allow destructive changes, unnecessary for all other websites | Most application frameworks have built-in CSRF tokenization to ease implementation |
| Referrer Policy | LOW | LOW | 12 | Recommended for all websites | Improves privacy for users, prevents the leaking of internal URLs via Referer header |
| robots.txt | LOW | LOW | 14 | Optional | Websites that implement robots.txt must use it only for noted purposes |
| Subresource Integrity | MEDIUM | MEDIUM | 15 | Recommended‡ | ‡ Only for websites that load JavaScript or stylesheets from foreign origins |
| X-Content-Type-Options | LOW | LOW | 8 | Recommended for all websites | Websites should verify that they are setting the proper MIME types for all resources |
| X-Frame-Options | HIGH | LOW | 5 | Mandatory for all websites | Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses |
| X-XSS-Protection | LOW | MEDIUM | 13 | Mandatory for all new websites; recommended for existing websites | Manual testing should be done for existing websites, prior to implementation |
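As an added example (not Mozilla's code and not part of the original page), the following Python audits a set of HTTP response headers against several rows of the cheat sheet: an HSTS max-age of at least six months, X-Frame-Options set to DENY or SAMEORIGIN, X-Content-Type-Options nosniff, a Content Security Policy that disables inline script, cookies carrying the Secure flag, and the presence of a Referrer-Policy header. It assumes "six months" means 15,768,000 seconds and that headers are supplied as a dict keyed by lowercase header name; the sample headers are constructed, not captured from a real site.

```python
import re

# Six months in seconds; this example's reading of the cheat sheet's HSTS minimum.
SIX_MONTHS = 15_768_000

def check_hsts(value):
    """Strict-Transport-Security max-age must be at least six months."""
    m = re.search(r"max-age=(\d+)", value or "")
    return bool(m) and int(m.group(1)) >= SIX_MONTHS

def check_frame_options(value):
    """X-Frame-Options must be DENY or SAMEORIGIN; anything else needs other clickjacking defenses."""
    return (value or "").strip().upper() in ("DENY", "SAMEORIGIN")

def check_csp(value):
    """Inline script must be disabled: no 'unsafe-inline' in script-src,
    or in default-src when script-src is absent. A missing policy fails."""
    directives = {}
    for part in (value or "").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    script = directives.get("script-src", directives.get("default-src"))
    return script is not None and "'unsafe-inline'" not in script

def check_cookies(set_cookie_values):
    """Every Set-Cookie header must carry the Secure flag (no cookies passes trivially)."""
    return all(re.search(r";\s*secure\s*(;|$)", v, re.I) is not None for v in set_cookie_values)

def audit(headers):
    """headers: lowercase header name -> value; 'set-cookie' maps to a list of values.
    Returns {guideline: passed} for the cheat-sheet rows this example covers."""
    return {
        "Strict Transport Security": check_hsts(headers.get("strict-transport-security")),
        "X-Frame-Options": check_frame_options(headers.get("x-frame-options")),
        "X-Content-Type-Options": (headers.get("x-content-type-options") or "").strip().lower() == "nosniff",
        "Content Security Policy": check_csp(headers.get("content-security-policy")),
        "Cookies": check_cookies(headers.get("set-cookie", [])),
        "Referrer Policy": headers.get("referrer-policy") is not None,
    }

# Constructed sample response headers, not captured from any real site.
SAMPLE = {
    "strict-transport-security": "max-age=2592000",  # 30 days, below the six-month minimum
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'none'; script-src 'self' 'unsafe-inline'",
    "set-cookie": ["sessionid=abc; HttpOnly; Path=/", "pref=1; Secure; SameSite=Lax"],
    "referrer-policy": "no-referrer",
}
```

Calling `audit(SAMPLE)` reports the constructed sample as failing the HSTS, CSP and Cookies rows (short max-age, 'unsafe-inline' in script-src, one cookie without Secure) and passing the other three.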