JavaScript Security

  1. Server-Side Defenses for Client-Side Security
    1. HTTP Security Headers
      1. X-Content-Type-Options
        1. Preventing MIME Type Sniffing
          1. nosniff Directive
          2. X-Frame-Options
            1. Denying Framing
              1. Allowing Framing from Trusted Origins
                1. Relation to CSP frame-ancestors
                2. Strict-Transport-Security (HSTS)
                  1. Enforcing HTTPS
                    1. Preload Lists
                      1. includeSubDomains Directive
                      2. Referrer-Policy
                        1. Controlling Referrer Information
                          1. Policy Options and Implications
                            1. Privacy Considerations
                            2. X-XSS-Protection (Deprecated)
                              1. Legacy XSS Filters
                                1. Modern Alternatives
                                2. Expect-CT
                                  1. Certificate Transparency
                                    1. Enforcement and Reporting
                                  2. Session Management
                                    1. Secure Session Tokens
                                      1. Session Fixation Prevention
                                        1. Session Timeout Policies
                                          1. Cross-Tab Session Handling

                                        Previous

                                        4. Browser Security Policies and Features

                                        Go to top

                                        Next

                                        6. Third-Party Code and Supply Chain Security