awesome-frontend-security

awesome-frontend-security copied to clipboard

Contents

• Code
  • Linters
  • Sanitizers
  • Serializers
• Dependencies
• Headers
  • Content-Security-Policy
  • X-XSS-Protection
  • X-Frame-Options
• Articles
• Other lists

Code

• JavaScript Secure Coding Practices - A guide written for anyone who is using the JavaScript for web development.
• Security Policy - How to add a security policy to your Github repository.
• AJAX Security Cheatsheet - A starting point for AJAX security.

Linters

• eslint-plugin-security - ESLint rules for Node Security.
• eslint-plugin-no-unsanitized - ESLint rules to disallows unsafe innerHTML, outerHTML, insertAdjacentHTML and alike.
• eslint-config-sec - ESLint rules for writing safe and secure client code.

Sanitizers

• dompurify - XSS sanitizer for HTML, MathML and SVG
• sanitize-html - Clean up user-submitted HTML.

Serializers

• serialize-javascript - Serialize JavaScript safely - HTML characters and JS line terminators are escaped automatically.

Dependencies

• audit-ci - NPM and Yarn dependencies audit for CI/CD.
• dtrack-audit - OWASP Dependency Track API client for CI/CD.
• Github Automated Security Fixes - How to use automated or manual pull requests to easily update vulnerable dependencies.
• Vulnerable Dependency Management - About tools for detecting vulnerable third-party dependencies.

Headers

• Security Headers - Check your website's HTTP response headers for security.

Content-Security-Policy

📚Learn

• MDN - An article on MDN.
• CSP Is Dead, Long Live CSP! - On the Insecurity of Whitelists and the Future of Content Security Policy.
• Strict CSP - To get real value out of CSP, your policy must prevent the execution of untrusted scripts.

🧪Create

• Webpack CSP configuration - Webpack is capable of adding nonce(number used once) to all scripts that it loads.
• csp-html-webpack-plugin - Generates meta content for your Content Security Policy tag.
• CSP Hash Generator - Script and style hasher for script-src and style-src directives to disallow inline scripts and styles. More here.

🔍Validate

• CSP Evaluator - Paste your policy and check if its safe and strong enough.
• CSP Header Inspector - Validate your policies as served from the given URL.
• CSP Tester - Browser extension for testing Content Security Policy (CSP).

🤔Analyse

• CSP WTF? - Explanations for strange CSP Report notifications.

X-XSS-Protection

📚Learn

• MDN - An article on MDN.

X-Frame-Options

📚Learn

• MDN - An article on MDN.

Articles

• Trusted Types help prevent Cross-Site Scripting - About new browser API that might help obliterate DOM XSS.
• Cybersecurity threatscape - Positive Technologies' quarter report on cyber threats and recommendations on how to stay safe.
• The Most Common XSS Vulnerability in React.js Applications

Other lists

• CSP useful - A collection of parsers, examples and tips for Content Security Policy.
• Awesome Web Security - A curated list of Web Security materials and resources.

License