diff options
author | Clement Ho <ClemMakesApps@gmail.com> | 2018-03-13 13:09:37 -0500 |
---|---|---|
committer | Clement Ho <ClemMakesApps@gmail.com> | 2018-03-13 13:09:37 -0500 |
commit | 736b4ecf8efa034d95923e8741fb0e31b0d15bfe (patch) | |
tree | 96ed63e408c2ac24cc704a6b5a48b3497ed01f16 /doc/development/new_fe_guide/development/security.md | |
parent | 2e5de941392c8463a5e15e9f8cb3a3ab147b656d (diff) | |
parent | 8f73ddd896dad7bd66d9c96dafcc4311ce272447 (diff) | |
download | gitlab-ce-add-csslab.tar.gz |
Merge branch 'master' into add-csslabadd-csslab
Diffstat (limited to 'doc/development/new_fe_guide/development/security.md')
-rw-r--r-- | doc/development/new_fe_guide/development/security.md | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/doc/development/new_fe_guide/development/security.md b/doc/development/new_fe_guide/development/security.md index debda7de0c6..5bb38f17988 100644 --- a/doc/development/new_fe_guide/development/security.md +++ b/doc/development/new_fe_guide/development/security.md @@ -1,3 +1,14 @@ # Security -> TODO: Add content +## Avoid inline scripts and styles + +Inline scripts and styles should be avoided in almost all cases. In an effort to protect users from [XSS vulnerabilities](https://en.wikipedia.org/wiki/Cross-site_scripting), we will be disabling inline scripts using Content Security Policy. + +## Including external resources + +External fonts, CSS, and JavaScript should never be used with the exception of Google Analytics and Piwik - and only when the instance has enabled it. Assets should always be hosted and served locally from the GitLab instance. Embedded resources via `iframes` should never be used except in certain circumstances such as with ReCaptcha, which cannot be used without an `iframe`. + +## Resources for security testing + +- [Mozilla's HTTP Observatory CLI](https://github.com/mozilla/http-observatory-cli) +- [Qualys SSL Labs Server Test](https://www.ssllabs.com/ssltest/analyze.html) |