From 8f17a25c5b869d4f3e224d774fb352e59ba1a52a Mon Sep 17 00:00:00 2001
From: Clement Ho <ClemMakesApps@gmail.com>
Date: Wed, 7 Mar 2018 14:39:29 -0600
Subject: Add frontend security documentation

---
 doc/development/new_fe_guide/development/security.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/doc/development/new_fe_guide/development/security.md b/doc/development/new_fe_guide/development/security.md
index debda7de0c6..5bb38f17988 100644
--- a/doc/development/new_fe_guide/development/security.md
+++ b/doc/development/new_fe_guide/development/security.md
@@ -1,3 +1,14 @@
 # Security
 
-> TODO: Add content
+## Avoid inline scripts and styles
+
+Inline scripts and styles should be avoided in almost all cases. In an effort to protect users from [XSS vulnerabilities](https://en.wikipedia.org/wiki/Cross-site_scripting), we will be disabling inline scripts using Content Security Policy.
+
+## Including external resources
+
+External fonts, CSS, and JavaScript should never be used with the exception of Google Analytics and Piwik - and only when the instance has enabled it. Assets should always be hosted and served locally from the GitLab instance. Embedded resources via `iframes` should never be used except in certain circumstances such as with ReCaptcha, which cannot be used without an `iframe`.
+
+## Resources for security testing
+
+- [Mozilla's HTTP Observatory CLI](https://github.com/mozilla/http-observatory-cli)
+- [Qualys SSL Labs Server Test](https://www.ssllabs.com/ssltest/analyze.html)
-- 
cgit v1.2.1