Your Strict-Transport-Security definition is missing the "includeSubDomains" flag. STS is a lot more effective if you use that flag.

You should discuss how X-Frame-Options prevents sites legitimately loading your pages inside frames too. I believe Reddit does this amongst others in order to display a small control panel at the top of the page. X-Frame-Options is appropriate for many sites, but perhaps not for blogs.

You should talk about how CSP prevents most bookmarklets from working. For example readability and instapaper. I really like CSP, but people should be made aware of this.
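The three header points raised in that comment can be checked mechanically. The following is an added example, not code from the article or the commenter: it parses a Strict-Transport-Security value per its directive syntax and reports an HSTS header without includeSubDomains, a missing or permissive X-Frame-Options, and the absence of any CSP header (both the standard and the older X-Content-Security-Policy name). The header dict and the sample response headers are constructed for the example.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.

    Directive names are case-insensitive; "max-age" is parsed as an int and
    any other directive (includeSubDomains, preload) is recorded as True.
    Returns None when the header is absent or has no valid max-age, which
    makes the header ineffective.
    """
    if value is None:
        return None
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            directives[name] = int(arg)
        else:
            directives[name] = True
    if "max-age" not in directives:
        return None
    return directives


def audit_headers(headers):
    """Return findings for the HSTS / X-Frame-Options / CSP points above.

    `headers` is a plain dict of response headers (assumed input format).
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security"))
    if hsts is None:
        findings.append("HSTS missing or malformed")
    elif "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    xfo = (h.get("x-frame-options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN (page may be framed)")
    if not any(k in h for k in ("content-security-policy", "x-content-security-policy")):
        findings.append("no CSP header")
    return findings


# Constructed sample: HSTS set without includeSubDomains, as the comment describes.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Security-Policy": "allow 'self'",
}
```

Running `audit_headers(SAMPLE_HEADERS)` reports only the missing includeSubDomains flag; an empty header set reports all three findings.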
I came in swinging to tear apart yet another oblivious security article, but you actually taught me something.

Looking up X-Frame-Options and X-Content-Security-Policy now--thanks!
It's articles like this that make me doubt that I've "probably read enough"[1].

[1] http://news.ycombinator.com/item?id=3326210
Chrome 15+ supports CSP. In 15 it uses an old syntax I believe but if you use 16+ then you should be able to use the same headers as in Firefox.

I didn't realize FF had CSP working as well. Thanks!
I may be going over old ground, but don't the CSP violation reports (see https://developer.mozilla.org/en/Security/CSP/Using_CSP_violation_reports) open up another attack vector?

I know people who actually implement this are going to have their heads screwed on around the right way, but having a page where you know you can generate server processing, and that is potentially not going to have much security around it screams out to me to be a good place to start an attack from.

Especially as the spec is a bit vague about exactly what happens when (no head specified for example, doesn't say about including cookies or any other information). Also, fiesta.cc's CSP Report URI returns a response that says to keep the connection open.

And, if you manage to get a script injected to a popular page, the site itself acts as a distribution system to enable distribution to multiple users.

Something about this says it's not been thoroughly thought through to me.
Now if only we could combine this with improving the reliability of a web app.

From the comments it sounds like a great article, but I've been trying to read this for about 8 hours now with no luck.
http://www.theregister.co.uk/2011/06/21/startssl_security_breach/

Yeah, fuck that. Like hell am I going to use a free CA as suggested. They have no incentive to keep things secure or in working order at all.

Great article otherwise though!