Security

Web security is the practice of protecting websites and their users from damage caused by malicious third parties, who are generally called attackers.

The kind of damage done can be reputational, financial, or even physical. It can target data that should be kept private to users, or actions that should only be made available to particular users. The motivations of attackers might be financial, political, or personal.

In this part of MDN we've written guides to help web developers understand how to protect their websites, and their users, against these attacks.

Attacks

The Attacks section includes guides to common attacks on websites. An attack is a specific technique that an attacker can use to harm websites or their users.

In this section, each guide describes an attack, or in some cases a class of related attacks. Each guide explains how the attack works, the conditions in which a website is vulnerable to it, and the methods to defend against it.

The attacks described include:

Defenses

The Defenses section includes guides to features or practices that you can use to protect yourself against various attacks. In general, there's a many-to-many relationship between attacks and defenses. That is, a single defense can protect against multiple attacks, and defending against a single attack may require multiple defenses, so as to provide defense in depth.

In this section we document the following defenses:

Note that not all defenses are described in this section: some, such as CSP or trusted types, are described inside the technology area of which they are a part.

Threat modeling

The Threat modeling section introduces a process that web developers can follow to develop a structured representation of the potential threats that their site faces, based on the features it provides and the way these features are implemented.

That is, threat modeling helps you understand which attacks you need to defend against.

Authentication

Authentication is the process of verifying that an entity — such as a user of a website — is who they claim to be. You'll most likely need to think about authentication if you want users to sign into your website.

If users can log into your website, there are typically things logged-in users can do, or data they can access, that you don't want to make generally available. This makes user account access one of the most valuable targets for attackers.

In this set of guides we'll look at the main techniques available for authenticating users on the web, and good practices for them. We describe four methods:

In this section we also outline good practices for session management, which is how a website remembers the signed-in status of a user.

HTTP Observatory

The HTTP Observatory tool enables you to scan your website to check whether it's following certain good security practices. Our Practical security implementation guides provide explanations of how to implement these practices, and the threats they defend against.

See also