Pushing Left, Like a Boss — Part 5.3 — Browser and Client-Side Hardening

By Tanya Janca (SheHacksPurple) on May 12, 2021

Disabling ‘Remember Me’ Features

Do Not Allow Caching of Sensitive Data

HTTPS Everywhere

I feel strongly about client-side hardening. — http://sector.ca/

Use Every Possible Security Header

Content-Security-Policy: default-src ‘self’; block-all-mixed-content;
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Permitted-Cross-Domain-Policies: none
Access-Control-Allow-Origin: https://site-that-you-trust.com
Expect-CT: max-age=86400, enforce, report-uri=”https://myserver/report"
Feature-Policy: camera ‘none’; microphone ‘none’; speaker ‘self’; vibrate ‘none’; geolocation ‘none’; accelerometer ‘none’; ambient-light-sensor ‘none’; autoplay ‘none’; encrypted-media ‘none’; gyroscope ‘none’; magnetometer ‘none’; midi ‘none’; payment ‘none’; picture-in-picture ‘none’; usb ‘none’; vr ‘none’; fullscreen *;
<httpRuntime enableVersionHeader=”false” />

A special note on the X-XSS-Protection header: This header is now considered legacy/deprecated. It has vulnerabilities within the header implementation itself. It is only used for backward compatibility, and unfortunately as of 2019 it is being attacked in older browsers. It is no longer advisable that we use this security header.

Categories: Blog