update RANTS - jscancer - Javascript crap (relatively small)
git clone git://git.codemadness.org/jscancer
---
commit 8a5bab6d0d2f2666638b179fdf2f69c42ab32bd8
parent 73ad6fa6c717f460a74b02b26daae8add6a57c92
Author: Hiltjo Posthuma <[email protected]>
Date: Sun, 21 Jan 2018 19:40:56 +0100
update RANTS
Diffstat:
M RANT_WEBTIPS | 40 ++++++++++++++++++++++++-----…
1 file changed, 31 insertions(+), 9 deletions(-)
---
diff --git a/RANT_WEBTIPS b/RANT_WEBTIPS
@@ -114,25 +114,47 @@ Cookies / localStorage: | |
- Don't use Javascript localStorage. | |
-Sensitive data: | |
-- If you serve sensitive data of users make sure your site support HTTPS and | |
- your httpd is properly configured, there are good tools such as the SSLLabs | |
- site to check this. A gratis certificate can be requested from letsencrypt. | |
+TLS (HTTPS): | |
+- Make sure to allow encryption of all resources on your site. | |
+ It is especially important to protect HTML forms using TLS, but it is also | |
+ important to protect any other resource because otherwise any resource could | |
+ be MITM and affect the page content: for example injecting code into a | |
+ webpage or serving a malicious image. | |
- SSLLabs: https://www.ssllabs.com/ | |
- Letsencrypt: https://letsencrypt.org/ | |
+- So make sure your web server support HTTPS and your httpd is properly | |
+ configured, there are good tools such as the SSLLabs site to check this. A | |
+ gratis certificate can be requested from Letsencrypt. | |
+ | |
+ SSLLabs (check): https://www.ssllabs.com/ | |
+ Letsencrypt: https://letsencrypt.org/ | |
Advertisements: | |
- Preferably don't use advertisements, at the very least don't serve it from an | |
- external ad-network. Serve the ads from an url that the user can be able to | |
- block such as: http://yourdomain/ads/*. | |
+ external ad-network. Serve the ads from an url that the user can block easily | |
+ such as: http://yourdomain/ads/*. | |
- If the user blocks your advertisements don't show a nagscreen notification. | |
- Don't track user behaviour, at the very least not if he has set the "DNT" | |
HTTP header. | |
+Tracking: | |
+- Don't use Google Analytics or similar spy networks. Please use a custom HTTPd | |
+ log analyzer or something like it. | |
+- Logging can be useful for security and debugging purposes, but make sure to | |
+ have some sort of logging and data retention policy. | |
+ | |
+ | |
+Maps: | |
+- Instead of Google Maps you can use OpenStreetMap or simply a static image. | |
+ Google uses tracking in many of their applications. | |
+ | |
+ | |
Use of content-delivery networks (CDNs): | |
-- Don't use CDN's such as cloudfront, cloudflare, at the very least don't serve | |
+- Don't use CDN's such as Cloudfront, Cloudflare, at the very least don't serve | |
Javascript from them. Cloudflare is also known to block Tor traffic. Tor is | |
obviously very useful for many things. | |
+ When you use a third-party CDN you effectively give away the control of | |
+ your site and make it untrusted for all clients. Some sites use socalled | |
+ Subresource Integrity headers, but these are just another ugly standard/hack | |
+ in the ugly web. |
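Review bot: the new CDN paragraph (the last four added lines) misdescribes Subresource Integrity as "Subresource Integrity headers"; SRI is not an HTTP header but an `integrity` attribute on `<script>` and `<link>` elements that carries a hash of the expected file, and it is precisely the mechanism that lets a site keep control over what a third-party CDN serves, so dismissing it as "just another ugly standard/hack" undercuts the point these same lines make about giving away control. Suggest either naming it correctly and saying why self-hosting is still preferred, or dropping the SRI sentence. Minor: the reworded Advertisements bullet still gives `http://yourdomain/ads/*` as the example URL right after the new TLS section asks for every resource to be served over TLS; `https://yourdomain/ads/*` would be consistent with that advice.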