【外部リンク】
https://infosec.mozilla.org/guidelines/web_security#table-of-contents
Table of Contents
Cheat Sheet
Transport Layer Security (TLS/SSL)
HTTPS
HTTP Strict Transport Security
HTTP Redirections
HTTP Public Key Pinning
Resource Loading
Content Security Policy
contribute.json
Cookies
Cross-origin Resource Sharing
CSRF Prevention
Referrer Policy
robots.txt
Subresource Integrity
X-Content-Type-Options
X-Frame-Options
X-XSS-Protection
Version History
Web Security Cheat Sheet
HTTPS MAXIMUM MEDIUM Mandatory Sites should use HTTPS (or other secure protocols) for all communications
Public Key Pinning LOW MAXIMUM -- Mandatory for maximum risk sites only Not recommended for most sites
Redirections from HTTP MAXIMUM LOW 3 Mandatory Websites must redirect to HTTPS, API endpoints should disable HTTP entirely
Resource Loading MAXIMUM LOW 2 Mandatory for all websites Both passive and active resources should be loaded through protocols using TLS, such as HTTPS
Strict Transport Security HIGH LOW 4 Mandatory for all websites Minimum allowed time period of six months
TLS Configuration MEDIUM MEDIUM 1 Mandatory Use the most secure Mozilla TLS configuration for your user base, typically Intermediate
Content Security Policy HIGH HIGH 10 Mandatory for new websites
Recommended for existing websites Disabling inline script is the greatest concern for CSP implementation
Cookies HIGH MEDIUM 7 Mandatory for all new websites
Recommended for existing websites All cookies must be set with the Secure flag, and set as restrictively as possible
contribute.json LOW LOW 9 Mandatory for all new Mozilla websites
Recommended for existing Mozilla sites Mozilla sites should serve contribute.json and keep contact information up-to-date
Cross-origin Resource Sharing HIGH LOW 11 Mandatory Origin sharing headers and files should not be present, except for specific use cases
Cross-site Request Forgery Tokenization HIGH UNKNOWN 6 Varies Mandatory for websites that allow destructive changes
Unnecessary for all other websites
Most application frameworks have built-in CSRF tokenization to ease implementation
Referrer Policy LOW LOW 12 Recommended for all websites Improves privacy for users, prevents the leaking of internal URLs via Referer header
robots.txt LOW LOW 14 Optional Websites that implement robots.txt must use it only for noted purposes
Subresource Integrity MEDIUM MEDIUM 15 Recommended‡ ‡ Only for websites that load JavaScript or stylesheets from foreign origins
X-Content-Type-Options LOW LOW 8 Recommended for all websites Websites should verify that they are setting the proper MIME types for all resources
X-Frame-Options HIGH LOW 5 Mandatory for all websites Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
X-XSS-Protection LOW MEDIUM 13 Mandatory for all new websites
Recommended for existing websites Manual testing should be done for existing websites, prior to implementation
--
注目の投稿
【Windowsエラーログ】メッセージとエラーコードの早見表
【Windowsエラーログ】メッセージとエラーコードの早見表 イベントビューアーに記録されたエラーの簡易リファレンスです。 DefenderApiLogger の最大サイズ超過 (エラーコード: 0xC0000035) 状況: Windows Defenderのログバッファ(バッ...
人気の投稿
-
【現象】 以下の現象が発生しました 手順が正しくないか、申込操作の有効期限が過ぎております。 お手数をお掛けしますが、最初からお手続きください。 このページが表示される主な理由は以下の通りとなります。 ※複数のブラウザ、タブ、端末を使用した場合 ※操作途中で画面...
-
n117 データアクセスに制限がかかっています PS Vita エラーコード「N117」の解説:データアクセス制限の原因と解決策 PS Vitaを使用中に突然表示される「N117(データアクセスに制限がかかっています)」というエラー。これは主に、ネットワーク通信やPlay...
-
PS Vita / PS Vita TV のエラーコード PS Vita / PS Vita TV エラーコード完全ガイド:原因と解決策まとめ 1. ネットワーク・接続関連のエラー もっとも多いのが、PlayStation™Network(PSN)への接続や通信に関するエラー...
-
エラーコード 2.1.1 HRESULT Values 0x80040905 【外部リンク】 https://msdn.microsoft.com/en-us/library/cc704587.aspx Combining the fields of a...
-
【外部リンク】 https://support.nintendo.co.jp/app/answers/list/search/1/kw/%E3%82%A8%E3%83%A9%E3%83%BC%E3%82%B3%E3%83%BC%E3%83%89/search/1/p/8664...