Security
Security is an important aspect of all modern web applications. Implementing good security practices help prevent and mitigate various security threats and keep the user's data safe. The checklist below includes the common recommendations and sanity checks that will greatly improve security of your web applications.
- Use encrypted protocols everywhere (HTTPS for web traffic, WSS for secure socket connection)
- Don’t build custom authentication system yourself, use tried and tested libraries instead
- Keep your dependencies up-to-date to prevent zero-day vulnerabilities
- Exclude admin and private URLs from indexing and crawling (using robots.txt)
- Don’t use iterable URLs (e.g. prefer
/users/[guid]or/users/[handle]instead of/users/[incremented-integer]) - Remove unused functionality instead of hiding it (with
display: none, for instance) - Use DDOS mitigation via a global caching proxy service like CloudFlare
- For apps containing sensitive data, consider implementing auto session termination after a period of inactivity or require addition password check for destructive actions
- Set
Cache-Control: no-store, max-age=0for non-public/non-static content to make sure that the sensitive user-specific data doesn’t remain cached on disk after a logout
- Don’t hardcode API keys and tokens, store them in the
.envfile instead - Don’t commit
.envfile to the repository. Alternatively, f you want everyone with access to the repo have access to all the secrets, you can encrypt & version.envfile using git-crypt - Don’t expose secret tokens from
.envfile to the client (make sure that you only access them in the server code, e.g. inside React server components orgetServerSideProps)
- Store session IDs and auth tokens in
SecureHttpOnlycookies, notlocalStorageorsessionStorage(also SameSite=Lax) - Scope cookies to a domain (and a path, if applicable)
- Sanitize all user input, especially the values that will be passed to
dangerouslySetInnerHTMLto prevent XSS attacks - Always use whitelisting over blacklisting, aka list values that are allowed instead of listing values that aren’t
- Use CAPTCHAs on sign-in and sign-up forms to prevent password enumeration
- Don’t use iFrames unless absolutely necessary (e.g. for third-party integrations)
- Disable iFrame embedding to prevent click-jacking attacks with
X-Frame-Optionsheader:
X-Frame-Options: "DENY"
Content-Security-Policy: default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; connect-src 'self';
It’s better to start with the most restrictive settings, and start loosening them as needed (e.g. allowing unsafe-inline styles when using styled components or whitelisting more domains when using 3rd party integrations)
- Disable access to browser features and APIs that aren’t used:
Feature-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none';
Permissions-Policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), camera=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), speaker=(), sync-xhr=(), usb=(), vr=();
⚠️
Feature-Policy header is being renamed to Permission-Policy, so in the future only the latter will be used.Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-XSS-Protection: 1; mode=block
- Disable forking for the repository
- Restrict & control access
- Protect production branch - prevent force push & deletion, require signed commits, require PR approval from code owners before merging
- Use minimally scoped credentials for running Github Actions
- Use Github Secrets for storing environment variables for Github Actions
- Don't reference values in Github Actions that can be set by users (e.g. PR title and body)
Last modified 3mo ago