With so many new APIs came with HTML5, new web security challenges with it. There are few new security solutions we can use to secure our websites.
- Strict-Transport-Security: max-age=3600; includeSubDomains
- Secure and HttpOnly Cookie attributes
- Content-Security-Policy: policy: Defines the origin of all scripts and images. It even disables all inline scripts and styles. So, even if somehow through comments etc few script got injected, this security http header will deactivates those threats. Policy value can be any of CSP policy: script-src, style-src, connect-src, font-src, frame-src, img-src, media-src, and object-src. So, we can define source for these and those will be honored. Example:
Content-Security-Policy: default-src: 'self'; script-src: https://newsviews.satya-weblog.com;
- Instead of JSONP, use of
Access-Control-Allow-Origin: allowed originscalled cross origin resource sharing
- IFRAME within Sandbox