I keep forgetting these, so I wrote a small summary for my own reference.
HSTS
HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections.
In layman’s terms: Force HTTPS on a given domain.
This form is used to submit domains for inclusion in Chrome’s HTTP Strict Transport Security (HSTS) preload list. This is a list of sites that are hardcoded into Chrome as being HTTPS only.
Most major browsers (Chrome, Firefox, Opera, Safari, IE 11 and Edge) also have HSTS preload lists based on the Chrome list. (See the HSTS compatibility matrix.)
If you add your website to that list, major browsers will honor it and only use HTTPS for your domain.
Some TLDs enforce HTTPS through HSTS; some popular ones are .app and .dev. Here is a more comprehensive list.
HSTS is fire-and-forget: you'll usually only need to worry about it once, when configuring an SSL certificate (HTTPS) for your domain or subdomains.
CSP
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.
CSP can be configured in at least two distinct ways:
- Web server: return the Content-Security-Policy HTTP header:
  Content-Security-Policy: default-src 'self'; img-src https://*; child-src 'none';
- HTML <meta> tag:
  <meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*; child-src 'none';">
CSP is something to worry about at the application level. For example, allowing miniflux to fetch resources (fonts) from another domain (Google Fonts).
CORS
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.
CORS can be configured via the web server: return the Access-Control-Allow-Origin HTTP header:
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Origin: http://example.com:8080
CORS is something to worry about at the application level. For example, https://keep.google.com/ ⟷ https://google.com/ cookies.
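Since the HSTS, CSP and CORS sections above all come down to response headers, here is a small audit function that checks one captured response for the things those sections call for (HSTS eligible for the preload list, a CSP with a default-src fallback and no inline script sources, and no wildcard CORS origin paired with credentials). This is an added example, not part of the original note, and the sample headers are constructed rather than captured from a real site.

```python
import re

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; img-src https://*; child-src 'none';",
    "Access-Control-Allow-Origin": "*",
}

def audit_headers(headers):
    """Return a list of findings for the HSTS, CSP and CORS headers of one
    HTTP response; an empty list means nothing was flagged."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # HSTS: the preload list requires max-age >= 1 year, includeSubDomains and preload.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS: max-age below one year (31536000)")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS: includeSubDomains missing")
        if "preload" not in hsts.lower():
            findings.append("HSTS: preload directive missing")

    # CSP: expect a default-src fallback and no inline/wildcard script sources.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        directives = {}
        for d in csp.split(";"):
            parts = d.split()
            if parts:
                directives[parts[0]] = parts[1:]
        if "default-src" not in directives:
            findings.append("CSP: no default-src fallback")
        script = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script or "*" in script:
            findings.append("CSP: script sources allow inline or wildcard")

    # CORS: "*" is fine for public data, but paired with credentials it is a
    # misconfiguration (browsers refuse that combination).
    if h.get("access-control-allow-origin") == "*" and \
            h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS: wildcard origin together with credentials")
    return findings
```

Feed it the headers dict from any HTTP client response (e.g. `requests`' `response.headers`) to get the same findings for a live site.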
CSRF
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.
CSRF is something to be aware of and to watch out for. OWASP has some additional resources on it.