Security guidance for web developers

Some background

• Secure the Web Forward, 2023: "documentation plays a major role in promoting security best practices and in helping web application developers understand security threats and mechanisms at their disposal"
• Security Web Application Guidelines Community Group (SWAG CG): "The mission of this Community Group is to increase the overall security of web application development ... by writing security best practices for web developers and providing a platform for stakeholder collaboration." -

Current state of web security documentation

• MDN
  • Generally comprehensive reference documentation
  • Guidance documentation is missing
• OWASP
  • Great guidance, but *lots* for a web developer to digest
Where are web developers struggling and where can documentation help?

Selected topics (1)

Security 101

• Fundamental things a developer can do, that have a big impact on the security of the site, such as:
  • Use HTTPS for everything
  • Have a CSP
  • Set cookie headers correctly...
• Relatively low-effort/high reward things
• Partly(?) addressed by Chris Mills' work on Practical security implementation guides

Selected topics (2)

Security considerations for Web APIs

• For example, fetch()
• Survey key Web APIs and ensure security considerations are documented on MDN

Selected topics (3)

Frameworks/libraries

• Should MDN recommend specific frameworks/libraries?
• And/or document criteria to help developers choose them

Selected topics (4)

How can we help CSP gain more adoption with Web Developers (SWAG issue)

• OWASP/Google guidance around strict (nonce/hash based) CSP
• Documentation on CSP tooling

Discussion

• How can better documentation help web developers secure their sites?
• Feedback on the items presented here:
  • Security 101
  • Security considerations in reference docs (like fetch())
  • Guidance for third-party library selection
  • Updated CSP guidance, and CSP tooling documentation
• ...or other items not presented here?