If you are going to be using Web Crypto in your application, you had better also get the basics of Web Security in your application taken care of. This is a list of resources that are useful when looking at the security of a web application.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as "SSL", are cryptographic protocols that provide communications security over a computer network.
- SSL Labs
- Mozilla TLS Observatory
- Mozilla SSL Configuration Generator
- Let's Encrypt
- SSLMate CertSpotter
- Moving towards a more secure web
- acme.sh
Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
- Google CSP Evaluator
- CSP Cheat Sheet
- CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
- Migrating from HTTP to HTTPS? Ease the pain with CSP and HSTS!
- SecurityHeaders.io
- Level 1 RFC
- Level 2 RFC
- Level 3 RFC
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which is necessary to protect secure HTTPS websites against downgrade attacks, and which greatly simplifies protection against cookie hijacking.
- Using security features to do bad things
- Testing the HSTS preload process
- SecurityHeaders.io
- Migrating from HTTP to HTTPS? Ease the pain with CSP and HSTS!
- RFC
Subresource Integrity (SRI) is a computer security standard introduced to enable user agents to verify that a fetched resource has been delivered without unexpected manipulation.
X-Frame-Options is an HTTP header field that improves the protection of web applications against clickjacking. It declares a policy, communicated from the server to the client browser, regarding whether the browser may display the transmitted content in frames that are part of other web pages.
In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts) on a web page to be requested from another domain outside the domain from which the resource originated. Without CORS, a web page may still freely embed images, stylesheets, scripts, iframes and videos from other origins; CORS governs the cross-origin requests that the same-origin policy would otherwise block.
The window.postMessage method safely enables cross-origin communication.