One aspect that has been left without much discussion is the security of the web application. I am currently working on a reverse proxy to secure or provide the browser with security directives regarding the applications in the backends. One aspect that the HTTP Observatory does not like is the fact that I must currently have a http-response src-script ‘unsafe-inline’ directive, otherwise the app does not display correctly. Perhaps there is another approach that I have not discovered yet.
Does web 2.0 still require the same? Is there a plan to provide documentation on security best practices regarding CSP, clickjacking and the likes?
[quote=484009:@Louis Desjardins]One aspect that has been left without much discussion is the security of the web application. I am currently working on a reverse proxy to secure or provide the browser with security directives regarding the applications in the backends. One aspect that the HTTP Observatory does not like is the fact that I must currently have a http-response src-script ‘unsafe-inline’ directive, otherwise the app does not display correctly. Perhaps there is another approach that I have not discovered yet.
Does web 2.0 still require the same? Is there a plan to provide documentation on security best practices regarding CSP, clickjacking and the likes?[/quote]
This requirement hasn't changed. Without that directive, the following commands are disabled in JavaScript: