Modern solutions against cross-site attacks| Frederik Braun
This document defines the HTTP Cookie and Set-Cookie header fields. These header fields can be used by HTTP servers to store state (called cookies) at HTTP user agents, letting the servers maintain a stateful session over the mostly stateless HTTP protocol. Although cookies have many historical infelicities that degrade their security and privacy, the Cookie and Set-Cookie header fields are widely used on the Internet. This document obsoletes RFC 6265.| IETF Datatracker
This blog post has first appeared on the Mozilla Attack & Defense blog and was co-authored with Christoph Kerschbaumer and Tom Ritter In a recent academic publication titled Hardening Firefox against Injection Attacks (to appear at SecWeb – Designing Security for the Web) we describe techniques which we have incorporated into Firefox …| Frederik Braun
Update: In July 2019, Chrome developers announced that they are going to remove XSSAuditor. You can follow their bug tracker here. Recently, Google Chrome changed the default mode for their Cross-Site Scripting filter XSSAuditor from block to filter. This means that instead of blocking the page load completely, XSSAuditor will …| Frederik Braun
HTML Design Principles| www.w3.org
Learn to mark your cookies for first-party and third-party usage with the SameSite attribute. You can enhance your site's security by using SameSite's Lax and Strict values to improve protection against CSRF attacks. Specifying the new None attribute lets you explicitly mark your cookies for cross-site usage.| web.dev
Today we are announcing our intent to phase out non-secure HTTP. There's pretty broad agreement that HTTPS is the way forward for the web. In recent months, there have been ...| Mozilla Security Blog