Young father, freelance, experienced dev, (favorite stack #RubyonRails & #ReactJS)
Security Tip #1
Security HTTP Headers
June 7th 2016
X-Frame-Options: protection against clickjacking by specifying which websites may include your app in an iframe
* SAMEORIGIN (default value in Rails)
* ALLOW-FROM https://example.com/
X-XSS-Protection: this turns on the reflective XSS filter in browsers.
- 0 - Disable
- 1 - Enable (sanitize)
- 1; mode=block - Enable (block) (default value in Rails)
- 1; report=http://site.com/report - Enable and report
X-Content-Type-Options:
- nosniff - prevents browsers from MIME-sniffing a response away from the declared Content-Type (default value in Rails)
Strict-Transport-Security: HTTP Strict Transport Security (HSTS) ensures the browser never visits the HTTP version of a website.
This mitigates man-in-the-middle attacks where TLS can be stripped out.
Content-Security-Policy: primarily, CSP is a set of rules that tells the browser which asset sources are allowed (a whitelist).
This reduces the number of Cross-Site Scripting (XSS) vectors by, for example, allowing only scripts from your domain or disallowing inline scripts.
More about that in the next talk Security Tip #2
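As an added example (not code from the talk), a minimal Rack-style middleware in Ruby that sets the headers covered above with the Rails default values, plus a small audit helper that flags a response missing them. The CSP policy string and the HSTS max-age are assumed values, and the app is any object responding to #call.

```ruby
# Added example: sets the security headers from the talk on every response
# and audits a response's headers. Works with any Rack-compatible app.
module SecurityHeaders
  # Values discussed in the talk; the CSP policy is a constructed, minimal example.
  DEFAULTS = {
    'X-Frame-Options'         => 'SAMEORIGIN',
    'X-XSS-Protection'        => '1; mode=block',
    'X-Content-Type-Options'  => 'nosniff',
    'Content-Security-Policy' => "default-src 'self'; script-src 'self'",
  }.freeze
  # Assumed HSTS value: one year, covering subdomains.
  HSTS = 'max-age=31536000; includeSubDomains'.freeze

  class Middleware
    def initialize(app, overrides = {})
      @app = app
      @headers = DEFAULTS.merge(overrides)
    end

    def call(env)
      status, headers, body = @app.call(env)
      # Keep headers the app set deliberately (e.g. ALLOW-FROM on one page).
      @headers.each { |name, value| headers[name] ||= value }
      # HSTS only matters on HTTPS responses; browsers ignore it over plain HTTP.
      if env['rack.url_scheme'] == 'https'
        headers['Strict-Transport-Security'] ||= HSTS
      end
      [status, headers, body]
    end
  end

  # Returns the list of problems found in a response's headers (empty if none).
  def self.audit(headers, https: true)
    problems = []
    DEFAULTS.each_key { |name| problems << "missing #{name}" unless headers.key?(name) }
    problems << 'X-XSS-Protection disabled' if headers['X-XSS-Protection'].to_s.start_with?('0')
    problems << 'missing Strict-Transport-Security' if https && !headers.key?('Strict-Transport-Security')
    problems
  end
end
```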
Useful links & tools
Security Tip #1 - Security Headers
By Dorian Lupu