20181209

Web Security Cheat Sheet

[External link]
https://infosec.mozilla.org/guidelines/web_security#table-of-contents
Table of Contents
Cheat Sheet
Transport Layer Security (TLS/SSL)
HTTPS
HTTP Strict Transport Security
HTTP Redirections
HTTP Public Key Pinning
Resource Loading
Content Security Policy
contribute.json
Cookies
Cross-origin Resource Sharing
CSRF Prevention
Referrer Policy
robots.txt
Subresource Integrity
X-Content-Type-Options
X-Frame-Options
X-XSS-Protection
Version History


Web Security Cheat Sheet
Guideline | Security Benefit | Implementation Difficulty | Order | Requirements | Notes
--- | --- | --- | --- | --- | ---
HTTPS | MAXIMUM | MEDIUM | | Mandatory | Sites should use HTTPS (or other secure protocols) for all communications
Public Key Pinning | LOW | MAXIMUM | -- | Mandatory for maximum risk sites only | Not recommended for most sites
Redirections from HTTP | MAXIMUM | LOW | 3 | Mandatory | Websites must redirect to HTTPS; API endpoints should disable HTTP entirely
Resource Loading | MAXIMUM | LOW | 2 | Mandatory for all websites | Both passive and active resources should be loaded through protocols using TLS, such as HTTPS
Strict Transport Security | HIGH | LOW | 4 | Mandatory for all websites | Minimum allowed time period of six months
TLS Configuration | MEDIUM | MEDIUM | 1 | Mandatory | Use the most secure Mozilla TLS configuration for your user base, typically Intermediate
Content Security Policy | HIGH | HIGH | 10 | Mandatory for new websites; recommended for existing websites | Disabling inline script is the greatest concern for CSP implementation
Cookies | HIGH | MEDIUM | 7 | Mandatory for all new websites; recommended for existing websites | All cookies must be set with the Secure flag, and set as restrictively as possible
contribute.json | LOW | LOW | 9 | Mandatory for all new Mozilla websites; recommended for existing Mozilla sites | Mozilla sites should serve contribute.json and keep contact information up-to-date
Cross-origin Resource Sharing | HIGH | LOW | 11 | Mandatory | Origin sharing headers and files should not be present, except for specific use cases
Cross-site Request Forgery Tokenization | HIGH | UNKNOWN | 6 | Varies: mandatory for websites that allow destructive changes; unnecessary for all other websites | Most application frameworks have built-in CSRF tokenization to ease implementation
Referrer Policy | LOW | LOW | 12 | Recommended for all websites | Improves privacy for users; prevents the leaking of internal URLs via the Referer header
robots.txt | LOW | LOW | 14 | Optional | Websites that implement robots.txt must use it only for noted purposes
Subresource Integrity | MEDIUM | MEDIUM | 15 | Recommended‡ | ‡ Only for websites that load JavaScript or stylesheets from foreign origins
X-Content-Type-Options | LOW | LOW | 8 | Recommended for all websites | Websites should verify that they are setting the proper MIME types for all resources
X-Frame-Options | HIGH | LOW | 5 | Mandatory for all websites | Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
X-XSS-Protection | LOW | MEDIUM | 13 | Mandatory for all new websites; recommended for existing websites | Manual testing should be done for existing websites, prior to implementation
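As an added example (not part of the Mozilla cheat sheet or this post), the following Python audits a captured set of HTTP response headers against several rows of the table above: HSTS lifetime, X-Frame-Options, X-Content-Type-Options, inline script in CSP, CORS headers, and the Secure flag on every cookie. The sample headers are constructed, and the six-month threshold of 15768000 seconds is an assumed value.

```python
# Six months in seconds (assumed value): the minimum HSTS max-age the sheet allows.
SIX_MONTHS = 15768000

def _hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

def audit_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Check response headers against the cheat sheet rows; return findings."""
    single = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # Set-Cookie may repeat, so keep every one
        else:
            single[name.lower()] = value
    findings = []
    if _hsts_max_age(single.get("strict-transport-security", "")) < SIX_MONTHS:
        findings.append("HSTS missing or max-age under six months")
    if single.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY or SAMEORIGIN")
    if single.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff not set")
    csp = single.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp:
        findings.append("CSP allows inline script")
    if "access-control-allow-origin" in single:
        findings.append("CORS header present; confirm it is a specific use case")
    for cookie in cookies:
        # Attributes follow the name=value pair; the Secure flag must be among them.
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append("cookie without Secure flag: " + cookie.split("=")[0])
    return findings

# Constructed sample response: some rows pass, some fail.
SAMPLE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "ALLOWALL"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "sessionid=abc123; HttpOnly; Secure; SameSite=Strict"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
```

Running `audit_headers(SAMPLE)` reports the frame-options, inline-script and unsecured-cookie problems while the HSTS and nosniff rows pass.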
