If I were you, I'd add rel="noopener noreferrer" to links to external URLs so people can't exploit window.opener. Not very serious, but worth doing.
I know, I know. Everybody hates when others tell them they are missing security headers. Is there any reason why the X-XSS-Protection header is not set? There are a few others I'd add too, but these depend on how the site is set up:
Strict-Transport-Security: Require use of HTTPS
Content-Security-Policy: Mitigates some XSS attacks
Public-Key-Pins: Prevents MitM attacks using rogue X.509 certs if the CA is compromised
X-Frame-Options: Stops clickjacking attacks
X-Content-Type-Options: Stops browser from MIME-sniffing
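As an added example (not part of the comment above), a Node script that audits a response's headers for the ones the comment lists and finds external links that lack rel="noopener"; the header object and link list are constructed samples. X-XSS-Protection and Public-Key-Pins are reported as deprecated because current browsers ignore them, and the one-year max-age threshold for HSTS is an assumption.

```javascript
// Added example, not code from the original post. Node.js, CommonJS.

// Headers to require, each with a check that its value is not a weak one.
const REQUIRED = {
  "strict-transport-security": (v) => {
    const m = /max-age=(\d+)/i.exec(v);           // assume >= 1 year is "strong"
    return m !== null && Number(m[1]) >= 31536000;
  },
  "content-security-policy": (v) => v.trim().length > 0,
  "x-frame-options": (v) => /^(DENY|SAMEORIGIN)$/i.test(v.trim()),
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
};
// Listed in the post but since dropped by browsers: report, do not require.
const DEPRECATED = ["x-xss-protection", "public-key-pins"];

// headers: plain object as Node's http.IncomingMessage.headers exposes it.
function auditHeaders(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const missing = [], weak = [], deprecated = [];
  for (const [name, ok] of Object.entries(REQUIRED)) {
    if (!(name in h)) missing.push(name);
    else if (!ok(h[name])) weak.push(name);
  }
  for (const name of DEPRECATED) if (name in h) deprecated.push(name);
  return { missing, weak, deprecated };
}

// links: [{href, rel}] as collected from document.querySelectorAll("a[href]").
// Returns hrefs of http(s) links to other origins with neither noopener nor
// noreferrer (noreferrer implies noopener in current browsers).
function externalLinksMissingNoopener(links, siteOrigin) {
  return links.filter((l) => {
    let u;
    try { u = new URL(l.href, siteOrigin); } catch { return false; }
    if (!/^https?:$/.test(u.protocol) || u.origin === siteOrigin) return false;
    const rel = (l.rel || "").toLowerCase().split(/\s+/);
    return !rel.includes("noopener") && !rel.includes("noreferrer");
  }).map((l) => l.href);
}

// Constructed sample response headers and links for a site at mysite.example.
const sampleHeaders = {
  "Content-Type": "text/html",
  "Strict-Transport-Security": "max-age=300",
  "X-Frame-Options": "ALLOW-FROM https://partner.example",
  "X-XSS-Protection": "1; mode=block",
};
const sampleLinks = [
  { href: "https://othersite.example/page", rel: "" },
  { href: "/about", rel: "" },
  { href: "https://othersite.example/docs", rel: "noopener noreferrer" },
];
module.exports = { auditHeaders, externalLinksMissingNoopener, sampleHeaders, sampleLinks };
```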