Product SiteDocumentation Site

3.2.9. Guidelines and recommendations

Following are general recommendations based on previous sections regarding client side security:
Avoid JSONP pattern for cross-origin resource sharing
JSONP pattern emerged as a workaround of Same Origin Policy in case web application needs to share resources across domains. Such approach creates a big attack surface and JSONP hijacking is dangerous even for application that don't use JSONP pattern, but return JavaScript content on GET requests (see Section, “JSON with padding (JSONP)”).
Use SSL for all connections and use HSTS to enforce it
Using non-SSL connection is a serious weakness of web application with regards to network attackers. Enforcing SSL connection by redirection is often insufficient too, and it is desirable to add HSTS header to SSL enabled web applications (see Section 3.2.4, “HTTP Strict Transport Security”).
Use Content Security Policy
Content Security Policy is quickly becoming standardized and provides a robust solution against XSS attacks and untrusted content loaded in the context of web page in general. Adopting it requires a web application to be compliant and enforces already accepted good practices with regards to script inlining (see Section 3.2.3, “Content Security Policy (CSP)”).
Use experimental security related headers for additional hardening
Several non-standard HTTP headers that control implementation-specific behaviour of some user agents can be used to provide additional hardening of web application. These include X-Frame-Options, X-XSS-Protection and X-Content-Type-Options (see Section 3.2.7, “X-Content-Type-Options”). In case of CSP X-WebKit-CSP and X-Content-Security-Policy can be used to provide better compatibility with older Mozilla and WebKit-based browsers (see Section 3.2.3, “Content Security Policy (CSP)”).