diff options
| author | Igor Drozdov <idrozdov@gitlab.com> | 2019-04-01 17:36:11 +0300 |
|---|---|---|
| committer | Igor Drozdov <idrozdov@gitlab.com> | 2019-04-01 17:36:11 +0300 |
| commit | 04bb35a4b562fd57b14c55645bb1848a50cdef56 (patch) | |
| tree | 1bd1ac2af6a5c088ac2529cdbccceeca402d3ebe /doc/development/new_fe_guide/development/security.md | |
| parent | ade207e575ab846f6d354aaccc1382a6e512dd0d (diff) | |
| parent | b8118a65d595040bfce2d83d5e38dd63ebfedb58 (diff) | |
| download | gitlab-ce-id-split-self-approval-restrictions.tar.gz | |
Merge branch 'master' into id-split-self-approval-restrictionsid-split-self-approval-restrictions
Diffstat (limited to 'doc/development/new_fe_guide/development/security.md')
| -rw-r--r-- | doc/development/new_fe_guide/development/security.md | 14 |
1 files changed, 0 insertions, 14 deletions
diff --git a/doc/development/new_fe_guide/development/security.md b/doc/development/new_fe_guide/development/security.md deleted file mode 100644 index 5bb38f17988..00000000000 --- a/doc/development/new_fe_guide/development/security.md +++ /dev/null @@ -1,14 +0,0 @@ -# Security - -## Avoid inline scripts and styles - -Inline scripts and styles should be avoided in almost all cases. In an effort to protect users from [XSS vulnerabilities](https://en.wikipedia.org/wiki/Cross-site_scripting), we will be disabling inline scripts using Content Security Policy. - -## Including external resources - -External fonts, CSS, and JavaScript should never be used with the exception of Google Analytics and Piwik - and only when the instance has enabled it. Assets should always be hosted and served locally from the GitLab instance. Embedded resources via `iframes` should never be used except in certain circumstances such as with ReCaptcha, which cannot be used without an `iframe`. - -## Resources for security testing - -- [Mozilla's HTTP Observatory CLI](https://github.com/mozilla/http-observatory-cli) -- [Qualys SSL Labs Server Test](https://www.ssllabs.com/ssltest/analyze.html) |