This notion of “being secure on the web” is a statement that has many nuances and flavours. When a client of mine or a learner on Pluralsight asks about web security and what they should do, it is never a black and white answer. It is always “it depends”, because it really does. Finding a way to implement the security measures that make sense for a particular product or project is never that simple.
However, there are a number of things you can do to move your website towards the “more secure” end of the security spectrum. These modern patterns include:
- Subresource integrity (SRI) checking
- Content security policies (CSP) and exceptions
- CSP reporting
- Cross-site scripting (XSS) auditing
- Certificate authority authentication (CAA)
- HTTP Strict Transport Security (HSTS)
That is a lot of acronyms in an industry that doesn’t need any more (really, we don’t). These tools and techniques are crucial to staying on top of your web security, which is why my good mate Troy Hunt and I sat down in February 2018 and recorded a new Pluralsight course.
This course is exceptionally relevant if you are developing any kind of web project, whether new or legacy. Most of the elements in this course can be used on any web project and retrofitted with little investment and great benefit. And it is only 1.5 hours, so it is perfect for your commute.