The OWASP Top 10 Proactive Controls are used in the development of web applications.
Ensure web applications utilize built-in browser security features to protect users from threats like cross-site scripting (XSS), clickjacking, and data leaks. For example:
- Enforce security headers such as Content Security Policy (CSP) to prevent unauthorized script execution and X-Frame-Options to mitigate clickjacking attacks.
- Configure secure cookies with the HttpOnly, Secure, and SameSite attributes to enhance session protection.
- Extend security measures beyond traditional browsers by applying appropriate HTTP headers for mobile apps, API clients, and smart devices.
- Continuously assess and update browser security configurations to defend against evolving client-side threats.
Implement security measures to harden browser behavior and mitigate risks such as information disclosure, XSS, clickjacking, and CSRF attacks.

1. Configure the browser to prevent information disclosure
   - Enforce security headers such as X-Content-Type-Options: nosniff and Referrer-Policy to limit exposure of sensitive data.
   - Implement CSP (Content Security Policy) to control script execution and prevent data leaks.
2. Reduce the potential impact of XSS
   - Use CSP headers (Content-Security-Policy) to restrict script execution and block unauthorized inline scripts.
   - Sanitize and validate all user input before rendering it in the browser.
   - Set the HttpOnly and Secure flags on cookies to prevent JavaScript-based session hijacking.
3. Prevent clickjacking
   - Use the X-Frame-Options header (DENY or SAMEORIGIN), or the CSP frame-ancestors directive, to block unauthorized iframe embedding.
   - Implement frame-busting scripts as a secondary protection mechanism.
4. Control the browser's advanced capabilities
   - Restrict clipboard access, geolocation, microphone, and camera permissions using the Feature-Policy header (now Permissions-Policy).
   - Enforce sandboxing for iframes to limit their execution capabilities.
5. Prevent CSRF attacks
   - Use CSRF tokens for all state-changing requests (e.g., form submissions, API requests).
   - Enforce SameSite cookie attributes (Strict or Lax) to prevent unauthorized cross-origin requests.
   - Implement CORS policies that restrict cross-origin requests to trusted domains. Note that CORS controls what cross-origin scripts may read, not whether a plain form submission is sent, so it complements CSRF tokens rather than replacing them.

By configuring browser security settings, enforcing security headers, and validating input, organizations can reduce attack surfaces and enhance web application security against client-side threats.
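As an added example (not code from the OWASP Proactive Controls or from this standard), the following JavaScript audits one HTTP response against the five sub-controls above and lists what is missing or weakly set. The header map, the Set-Cookie values and the two sample responses are constructed for the example, and the CSP parser is deliberately minimal.

```javascript
// Added example (not the OWASP document's code); header names are matched case-insensitively.
function parseCsp(csp) { // "script-src 'self'; img-src *" -> { 'script-src': ["'self'"], 'img-src': ['*'] }
  const out = {};
  for (const part of csp.split(';')) {
    const [name, ...srcs] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = srcs.map((s) => s.toLowerCase());
  }
  return out;
}
// Returns a list of findings; an empty list means every sub-control below is covered.
function auditResponse(headers, setCookies = []) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  // 1. Information disclosure: no MIME sniffing, limited Referer, TLS enforced.
  if (h['x-content-type-options'] !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!h['referrer-policy']) findings.push('Referrer-Policy missing');
  if (!/max-age=\d+/.test(h['strict-transport-security'] || '')) findings.push('Strict-Transport-Security missing');
  // 2. XSS impact: CSP must restrict scripts and must not allow inline or wildcard sources.
  const csp = parseCsp(h['content-security-policy'] || '');
  const scriptSrc = csp['script-src'] || csp['default-src'];
  if (!scriptSrc) findings.push('CSP missing or has no script-src/default-src');
  else if (scriptSrc.some((s) => s === "'unsafe-inline'" || s === '*')) findings.push('CSP allows inline or wildcard scripts');
  // 3. Clickjacking: CSP frame-ancestors (preferred) or X-Frame-Options DENY/SAMEORIGIN.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (!csp['frame-ancestors'] && !['DENY', 'SAMEORIGIN'].includes(xfo)) findings.push('framing not restricted');
  // 4. Advanced capabilities: Permissions-Policy (successor of Feature-Policy).
  if (!h['permissions-policy'] && !h['feature-policy']) findings.push('Permissions-Policy missing');
  // 5. CSRF / session: every cookie needs Secure, HttpOnly and SameSite=Strict or Lax.
  for (const raw of setCookies) {
    const name = raw.split('=')[0].trim();
    const attrs = raw.split(';').slice(1).map((a) => a.trim().toLowerCase());
    if (!attrs.includes('secure')) findings.push(`cookie ${name} lacks Secure`);
    if (!attrs.includes('httponly')) findings.push(`cookie ${name} lacks HttpOnly`);
    if (!attrs.some((a) => a === 'samesite=strict' || a === 'samesite=lax')) findings.push(`cookie ${name} lacks SameSite=Strict/Lax`);
  }
  return findings;
}
// Constructed samples: a default response and the hardened one this control asks for.
const WEAK = { headers: { 'Content-Type': 'text/html' }, cookies: ['session=abc123; Path=/'] };
const HARDENED = {
  headers: {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff', 'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
    'Permissions-Policy': 'geolocation=(), camera=(), microphone=()',
  },
  cookies: ['session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};
```

Running `auditResponse(WEAK.headers, WEAK.cookies)` yields nine findings, one per missing control and cookie attribute, while the hardened response yields none; a CSP that lists 'unsafe-inline' in script-src is flagged even though the header is present.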
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-12-08-01-01 | Configure the browser to prevent information disclosure | Set appropriate HTTP headers (e.g., X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security) to prevent sensitive information leakage through the browser, such as through content sniffing or insecure protocols. | Development | Security Engineers, Web Developers |
SSS-02-12-08-01-02 | Reduce the potential impact of XSS | Implement Content Security Policy (CSP) and sanitize user input to mitigate the risk of cross-site scripting (XSS) attacks. Limit the sources from which scripts can be executed. | Development | Security Teams, Web Developers |
SSS-02-12-08-01-03 | Prevent clickjacking | Use the X-Frame-Options header or Content Security Policy (CSP) to prevent your website from being embedded in iframes, thereby blocking clickjacking attacks. | Development | Security Engineers, Web Developers |
SSS-02-12-08-01-04 | Control the browser’s advanced capabilities | Use HTTP headers such as Feature-Policy (now part of Permissions-Policy) to control which browser features (e.g., geolocation, camera, microphone) are available to your web app, thereby reducing the potential attack surface. | Development | Security Engineers, Web Developers |
SSS-02-12-08-01-05 | Prevent cross-site request forgery (CSRF) attacks | Implement anti-CSRF tokens to protect your web application from CSRF attacks, ensuring that state-changing requests are made intentionally by authorized users. | Development | Security Engineers, Backend Developers |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1849) | OWASP Proactive Controls | OWASP Proactive Controls |