Web Security
A good rule for web security is "You can never be too cautious. If you made it, double-check it anyway. If someone else made it, assume it's dangerous until proven otherwise."
Type of Attacks
- Click-Jacking
- Session hijacking
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF / XSRF)
Read More: https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks
Iframe Security
- Use HTTPS to reduce chances of content tampering during transit, and to prevent embedded content from accessing parent document, and vice versa.
- Use
sandboxattribute gives embedded content only the permissions needed. Never add bothallow-scriptsandallow-same-originto sandbox attribute. - Send
X-Frame-Optionsheader to prevent other websites from embedding your content.
Read More: https://blog.mozilla.org/security/2013/12/12/on-the-x-frame-options-security-header/
CSP
Content Security Policy provides a set of HTTP Headers that allows website administrators to control resources the user agent is allowed to load for a given page.
Content-Security-Policy: <directive> <value> <host>;
Content-Security-Policy: default-src 'self' http://example.com;
connect-src 'none';
Read more: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy