    
Security guidance for web developers
Open Web Docs
https://openwebdocs.org

TPAC 2024
Anaheim CA, USA
hybrid meeting
23–27 SEPTEMBER 2024

    
Some background

- Secure the Web Forward, 2023: "documentation plays a major role in promoting security best practices and in helping web application developers understand security threats and mechanisms at their disposal"
- Security Web Application Guidelines Community Group (SWAG CG): "The mission of this Community Group is to increase the overall security of web application development ... by writing security best practices for web developers and providing a platform for stakeholder collaboration."

Current state of web security documentation

- MDN
  - Generally comprehensive reference documentation
  - Guidance documentation is missing
- OWASP
  - Great guidance, but *lots* for a web developer to digest

Where are web developers struggling and where can documentation help?

Selected topics (1)
Security 101

- Fundamental things a developer can do that have a big impact on the security of the site, such as:
  - Use HTTPS for everything
  - Have a CSP
  - Set cookie headers correctly...
- Relatively low-effort/high-reward things
- Partly(?) addressed by Chris Mills' work on Practical security implementation guides

Selected topics (2)
Security considerations for Web APIs

- For example, fetch()
- Survey key Web APIs and ensure security considerations are documented on MDN

Selected topics (3)
Frameworks/libraries

- Should MDN recommend specific frameworks/libraries?
- And/or document criteria to help developers choose them

Selected topics (4)
How can we help CSP gain more adoption with web developers? (SWAG issue)

- OWASP/Google guidance around strict (nonce/hash based) CSP
- Documentation on CSP tooling
Discussion

- How can better documentation help web developers secure their sites?
- Feedback on the items presented here:
  - Security 101
  - Security considerations in reference docs (like fetch())
  - Guidance for third-party library selection
  - Updated CSP guidance, and CSP tooling documentation
- ...or other items not presented here?