The next cheat canvas serves equally a guide for implementing HTML five inward a secure fashion.
Communication APIs
Web Messaging
Web Messaging (also known equally Cross Domain Messaging) provides a agency of messaging betwixt documents from dissimilar origins inward a way that is to a greater extent than ofttimes than non safer than the multiple hacks used inward the past times to arrive at this task. However, at that spot are notwithstanding only about recommendations to decease on inward mind:
- When posting a message, explicitly terra firma the expected rootage equally the 2d declaration to postMessage rather than * inward guild to forestall sending the message to an unknown rootage later on a redirect or another agency of the target window's rootage changing.
- The receiving page should always:
- Check the origin attribute of the sender to verify the information is originating from the expected location.
- Perform input validation on the data attribute of the effect to ensure that it's inward the desired format.
- Don't assume y'all convey command over the data attribute. Influenza A virus subtype H5N1 unmarried Cross Site Scripting flaw inward the sending page allows an assaulter to transportation messages of whatever given format.
- Both pages should entirely translate the exchanged messages equally data. Never evaluate passed messages equally code (e.g. via eval()) or insert it to a page DOM (e.g. via innerHTML), equally that would do a DOM-based XSS vulnerability. For to a greater extent than information run into DOM based XSS Prevention Cheat Sheet.
- To assign the information value to an element, instead of using a insecure method similar element.innerHTML = data;, utilization the safer option: element.textContent = data;
- Check the rootage properly precisely to check the FQDN(s) y'all expect. Note that the next code: if(message.orgin.indexOf(".owasp.org")!=-1) { /* ... */ } is rattling insecure in addition to volition non convey the desired behaviour equally www.owasp.org.attacker.com volition match.
- If y'all demand to embed external content/untrusted gadgets in addition to allow user-controlled scripts (which is highly discouraged), regard using a JavaScript rewriting framework such equally Google Caja or cheque the information on sandboxed frames.
Cross Origin Resource Sharing
- Validate URLs passed to XMLHttpRequest.open. Current browsers allow these URLs to travel cross domain; this behaviour tin atomic number 82 to code injection past times a remote attacker. Pay extra attending to absolute URLs.
- Ensure that URLs responding alongside Access-Control-Allow-Origin: * do non include whatever sensitive content or information that mightiness assistance assaulter inward farther attacks. Use the Access-Control-Allow-Origin header entirely on chosen URLs that demand to travel accessed cross-domain. Don't utilization the header for the whole domain.
- Allow entirely selected, trusted domains inward the Access-Control-Allow-Origin header. Prefer whitelisting domains over blacklisting or allowing whatever domain (do non utilization * wildcard nor blindly render the Origin header content without whatever checks).
- Keep inward take away heed that CORS does non forestall the requested information from going to an unauthenticated location. It's notwithstanding of import for the server to perform park CSRF prevention.
- While the RFC recommends a pre-flight asking alongside the OPTIONS verb, electrical flow implementations mightiness non perform this request, thus it's of import that "ordinary" (GET in addition to POST) requests perform whatever access command necessary.
- Discard requests received over patently HTTP alongside HTTPS origins to forestall mixed content bugs.
- Don't rely entirely on the Origin header for Access Control checks. Browser ever sends this header inward CORS requests, but may travel spoofed exterior the browser. Application-level protocols should travel used to protect sensitive data.
WebSockets
- Drop backward compatibility inward implemented client/servers in addition to utilization entirely protocol versions higher upwards hybi-00. Popular Hixie-76 version (hiby-00) in addition to older are outdated in addition to insecure.
- The recommended version supported inward latest versions of all electrical flow browsers is RFC 6455 (supported past times Firefox 11+, Chrome 16+, Safari 6, Opera 12.50, in addition to IE10).
- While it's relatively tardily to tunnel TCP services through WebSockets (e.g. VNC, FTP), doing thus enables access to these tunneled services for the in-browser assaulter inward instance of a Cross Site Scripting attack. These services mightiness also travel called straight from a malicious page or program.
- The protocol doesn't stimulate potency and/or authentication. Application-level protocols should stimulate that separately inward instance sensitive information is beingness transferred.
- Process the messages received past times the websocket equally data. Don't endeavor to assign it straight to the DOM nor evaluate equally code. If the answer is JSON, never utilization the insecure eval() function; utilization the rubber choice JSON.parse() instead.
- Endpoints exposed through the ws:// protocol are easily reversible to patently text. Only wss:// (WebSockets over SSL/TLS) should travel used for protection against Man-In-The-Middle attacks.
- Spoofing the customer is possible exterior a browser, thus the WebSockets server should travel able to stimulate incorrect/malicious input. Always validate input coming from the remote site, equally it mightiness convey been altered.
- When implementing servers, cheque the Origin: header inward the Websockets handshake. Though it mightiness travel spoofed exterior a browser, browsers ever add together the Origin of the page that initiated the Websockets connection.
- As a WebSockets customer inward a browser is accessible through JavaScript calls, all Websockets communication tin travel spoofed or hijacked through Cross Site Scripting. Always validate information coming through a WebSockets connection.
Server-Sent Events
- Validate URLs passed to the EventSource constructor, fifty-fifty though entirely same-origin URLs are allowed.
- As mentioned before, procedure the messages (event.data) equally information in addition to never evaluate the content equally HTML or script code.
- Always cheque the rootage attribute of the message (event.origin) to ensure the message is coming from a trusted domain. Use a whitelist approach.
Storage APIs
Local Storage
- Also known equally Offline Storage, Web Storage. Underlying storage machinery may vary from 1 user agent to the next. In other words, whatever authentication your application requires tin travel bypassed past times a user alongside local privileges to the machine on which the information is stored. Therefore, it's recommended non to shop whatever sensitive information inward local storage.
- Use the object sessionStorage instead of localStorage if persistent storage is non needed. sessionStorage object is available entirely to that window/tab until the window is closed.
- A unmarried Cross Site Scripting tin travel used to bag all the information inward these objects, thus over again it's recommended non to shop sensitive information inward local storage.
- A unmarried Cross Site Scripting tin travel used to charge malicious information into these objects too, thus don't regard objects inward these to travel trusted.
- Pay extra attending to “localStorage.getItem” in addition to “setItem” calls implemented inward HTML5 page. It helps inward detecting when developers build solutions that seat sensitive information inward local storage, which is a bad practice.
- Do non shop session identifiers inward local storage equally the information is ever accesible past times JavaScript. Cookies tin mitigate this take away chances using the httpOnly flag.
- There is no way to limit the visibility of an object to a specific path similar alongside the attribute path of HTTP Cookies, every object is shared inside an rootage in addition to protected alongside the Same Origin Policy. Avoid host multiple applications on the same origin, all of them would part the same localStorage object, utilization dissimilar subdomains instead.
Client-side databases
- On Nov 2010, the W3C announced Web SQL Database (relational SQL database) equally a deprecated specification. Influenza A virus subtype H5N1 novel measure Indexed Database API or IndexedDB (formerly WebSimpleDB) is actively developed, which provides key/value database storage in addition to methods for performing advanced queries.
- Underlying storage mechanisms may vary from 1 user agent to the next. In other words, whatever authentication your application requires tin travel bypassed past times a user alongside local privileges to the machine on which the information is stored. Therefore, it's recommended non to shop whatever sensitive information inward local storage.
- If utilized, WebDatabase content on the customer side tin travel vulnerable to SQL injection in addition to needs to convey proper validation in addition to parameterization.
- Like Local Storage, a unmarried Cross Site Scripting tin travel used to charge malicious information into a spider web database equally well. Don't regard information inward these to travel trusted.
Geolocation
- The Geolocation RFC recommends that the user agent inquire the user's permission earlier calculating location. Whether or how this determination is remembered varies from browser to browser. Some user agents require the user to see the page over again inward guild to plough off the powerfulness to larn the user's place without asking, thus for privacy reasons, it's recommended to require user input earlier calling getCurrentPosition or watchPosition.
Web Workers
- Web Workers are allowed to utilization XMLHttpRequest object to perform in-domain in addition to Cross Origin Resource Sharing requests. See relevant department of this Cheat Sheet to ensure CORS security.
- While Web Workers don't convey access to DOM of the calling page, malicious Web Workers tin utilization excessive CPU for computation, leading to Denial of Service status or abuse Cross Origin Resource Sharing for farther exploitation. Ensure code inward all Web Workers scripts is non malevolent. Don't allow creating Web Worker scripts from user supplied input.
- Validate messages exchanged alongside a Web Worker. Do non endeavor to telephone commutation snippets of Javascript for evaluation e.g. via eval() equally that could innovate a DOM Based XSS vulnerability.
Sandboxed frames
- Use the sandbox attribute of an iframe for untrusted content.
- The sandbox attribute of an iframe enables restrictions on content inside a iframe. The next restrictions are active when the sandbox attribute is set:
- All markup is treated equally beingness from a unique origin.
- All forms in addition to scripts are disabled.
- All links are prevented from targeting other browsing contexts.
- All features that triggers automatically are blocked.
- All plugins are disabled.
It is possible to convey a
fine-grained control over
iframe capabilities using the value of the
sandbox attribute.
- In old versions of user agents where this characteristic is non supported, this attribute volition travel ignored. Use this characteristic equally an additional layer of protection or cheque if the browser supports sandboxed frames in addition to entirely exhibit the untrusted content if supported.
- Apart from this attribute, to forestall Clickjacking attacks in addition to unsolicited framing it is encouraged to utilization the header X-Frame-Options which supports the deny in addition to same-origin values. Other solutions similar framebusting if(window!== window.top) { window.top.location = location; } are non recommended.
Offline Applications
- Whether the user agent requests permission to the user to shop information for offline browsing in addition to when this cache is deleted varies from 1 browser to the next. Cache poisoning is an number if a user connects through insecure networks, thus for privacy reasons it is encouraged to require user input earlier sending whatever manifest file.
- Users should entirely cache trusted websites in addition to laid upwards clean the cache later on browsing through opened upwards or insecure networks.
Progressive Enhancements in addition to Graceful Degradation Risks
- The best do forthwith is to decide the capabilities that a browser supports in addition to augment alongside only about type of substitute for capabilities that are non straight supported. This may hateful an onion-like element, e.g. falling through to a Flash Player if the <video> tag is unsupported, or it may hateful additional scripting code from diverse sources that should travel code reviewed.
X-Frame-Options
- This header tin travel used to forestall ClickJacking inward modern browsers.
- Use the same-origin attribute to allow beingness framed from urls of the same rootage or deny to block all. Example: X-Frame-Options: DENY
- For to a greater extent than information on Clickjacking Defense delight run into the Clickjacking Defense Cheat Sheet.
X-XSS-Protection
- Enable XSS filter (only industrial plant for Reflected XSS).
- Example: X-XSS-Protection: 1; mode=block
Strict Transport Security
- Force every browser asking to travel sent over TLS/SSL (this tin forestall SSL strip attacks).
- Use includeSubDomains.
- Example: Strict-Transport-Security: max-age=8640000; includeSubDomains
Content Security Policy
- Policy to define a laid of content restrictions for spider web resources which aims to mitigate spider web application vulnerabilities such equally Cross Site Scripting.
- Example: Content-Security-Policy: allow 'self'; img-src *; object-src media.example.com; script-src js.example.com
Origin
- Sent past times CORS/WebSockets requests.
- There is a proposal to utilization this header to mitigate CSRF attacks, but is non yet implemented past times vendors for this purpose.