Introduction to Web Security

A developer's guide to CORS, CSP, HSTS and the other acronyms you run into in web security!


⭐️️ Credits

Two core security concepts

1. No one is 100% secure

2. One layer of protection is not enough

Cross-Origin Resource Sharing (CORS)

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

CORS exists to protect you, not to hurt you!
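The browser error quoted above is what a page sees when the server sends no Access-Control-Allow-Origin header at all, which is the safe default: nothing is granted until the server opts an origin in. The following is an added example, not code from the original post, showing how a server decides that grant with an explicit allowlist. The hostnames in ALLOWED_ORIGINS and the handle() request shape are constructed for the example.

```javascript
// Added example (not from the original post): server-side CORS decision
// based on an explicit origin allowlist. Returning no CORS headers is the
// deny path and produces exactly the browser error quoted in the post.

// Constructed allowlist for this example; a real service loads it from config.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Decide which CORS response headers (if any) to send for a given Origin.
// An empty object means "no grant": the browser blocks the cross-origin read.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // No Origin header: same-origin navigation or a non-browser client.
  if (origin === undefined || origin === null) return {};
  // Browsers send the literal string "null" for opaque origins (file://,
  // sandboxed iframes, some redirects). Never allowlist it: every such
  // document would match, so the check would protect nothing.
  if (origin === 'null') return {};
  if (!allowed.has(origin)) return {};
  return {
    // Echo the one matched origin; never "*" on a credentialed endpoint.
    'Access-Control-Allow-Origin': origin,
    // Vary so a shared cache never serves one origin's grant to another.
    'Vary': 'Origin',
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  };
}

// Minimal handler showing where the decision plugs in. `req` is a
// constructed shape { method, headers: { origin } }, not a real framework object.
function handle(req) {
  const headers = corsHeadersFor(req.headers.origin);
  if (req.method === 'OPTIONS') {
    // Preflight: answer with the grant (or nothing) and an empty body.
    return { status: 204, headers, body: '' };
  }
  return { status: 200, headers, body: '{"ok":true}' };
}

// Usage: handle({ method: 'OPTIONS', headers: { origin: 'https://app.example.com' } })
```

The deny path never sets a header, so a denied origin gets the same response as a server that has never heard of CORS; the allow path echoes a single matched origin rather than reflecting whatever the client sent.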

Content Security Policy (CSP)

content-security-policy: default-src * data: blob:; script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self'; style-src data: blob: 'unsafe-inline' *; connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;

The same header broken out one directive per line:

content-security-policy:
default-src * data: blob:;
script-src *.facebook.com *.fbcdn.net *.facebook.net *.google-analytics.com *.virtualearth.net *.google.com 127.0.0.1:* *.spotilocal.com:* 'unsafe-inline' 'unsafe-eval' *.atlassolutions.com blob: data: 'self';
style-src data: blob: 'unsafe-inline' *;
connect-src *.facebook.com facebook.com *.fbcdn.net *.facebook.net *.spotilocal.com:* wss://*.facebook.com:* https://fb.scanandcleanlocal.com:* *.atlassolutions.com attachment.fbsbx.com ws://localhost:* blob: *.cdninstagram.com 'self' chrome-extension://boadgeojelhgndaghljhdicfkmllpafd chrome-extension://dliochdbjfkdbacpmhlcpmleaejidimm;
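The policy above is a real one, and it shows the constructs a reviewer looks for first: 'unsafe-inline' and 'unsafe-eval' in script-src, a bare * in style-src and default-src, and scheme-only sources such as data: and blob:. The following is an added example, not code from the original post, that parses a CSP value into its directives and reports those weaknesses, including the ones a directive inherits when it is absent and falls back to default-src. SAMPLE_CSP is a constructed policy with example hostnames that keeps the same weak constructs.

```javascript
// Added example (not from the original post): parse a Content-Security-Policy
// value and flag weak source expressions per directive.

// Parse "directive src src; directive src" into Map<name, string[]>.
// Pass the header value only, without the "content-security-policy:" name.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1);
    // Browsers ignore a repeated directive; keep the first occurrence.
    if (!directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Weak constructs in one source list.
function weaknessesIn(sources) {
  const out = [];
  if (sources.includes("'unsafe-inline'")) out.push("'unsafe-inline' allows inline code");
  if (sources.includes("'unsafe-eval'")) out.push("'unsafe-eval' allows eval()");
  if (sources.includes('*')) out.push("bare '*' allows any origin");
  for (const s of sources) {
    // A scheme alone (data:, blob:, https:) allows every URL of that scheme.
    if (/^(data|blob|http|https|ws|wss):$/i.test(s)) out.push(`scheme-only source ${s}`);
  }
  return out;
}

// Audit the directives that govern code execution and outbound connections.
// A fetch directive that is absent falls back to default-src, so the
// inherited list is what actually applies and is what gets checked.
function auditCsp(value) {
  const directives = parseCsp(value);
  const findings = [];
  const fallback = directives.get('default-src');
  for (const name of ['default-src', 'script-src', 'style-src', 'object-src', 'connect-src']) {
    const explicit = directives.has(name);
    if (!explicit && fallback === undefined) {
      if (name !== 'default-src') findings.push(`${name}: unset with no default-src, so everything is allowed`);
      continue;
    }
    const sources = explicit ? directives.get(name) : fallback;
    const label = explicit ? name : `${name} (inherited from default-src)`;
    for (const w of weaknessesIn(sources)) findings.push(`${label}: ${w}`);
  }
  return findings;
}

// Constructed sample: the weak constructs of the policy above, example hostnames.
const SAMPLE_CSP =
  "default-src * data: blob:; " +
  "script-src *.example.com 127.0.0.1:* 'unsafe-inline' 'unsafe-eval' blob: data: 'self'; " +
  "style-src data: blob: 'unsafe-inline' *; " +
  "connect-src *.example.com wss://*.example.com:* ws://localhost:* blob: 'self'";

// Usage: auditCsp(SAMPLE_CSP).forEach(f => console.log(f));
```

Run against SAMPLE_CSP the audit reports object-src as weak even though the policy never mentions it, because it inherits the wildcard default-src; that inheritance is the usual reason a policy that looks tight on script-src still lets a plugin or frame through.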

HTTPS or HTTP

HTTP Strict-Transport-Security (HSTS)

strict-transport-security: max-age=15552000; preload
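The header above sets max-age=15552000 (180 days) and the preload token but no includeSubDomains. The following is an added example, not code from the original post, that parses a Strict-Transport-Security value and checks it against the requirements the Chromium HSTS preload list publishes for submission: a max-age of at least one year (31536000 seconds), includeSubDomains, and preload. The ONE_YEAR constant and the HARDENED sample are assumptions of the example, not values from the post.

```javascript
// Added example (not from the original post): parse a Strict-Transport-Security
// value and audit it against the HSTS preload list submission requirements.

// Preload list requirement as published by hstspreload.org (one year).
const ONE_YEAR = 31536000;

// Parse "max-age=N; includeSubDomains; preload" into a plain object.
// Directive names are case-insensitive; unknown directives are ignored.
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (!part) continue;
    const [name, rhs] = part.split('=').map(s => s.trim());
    switch (name.toLowerCase()) {
      case 'max-age': {
        // RFC 6797 allows the number to be quoted; anything non-numeric is invalid.
        const v = (rhs ?? '').replace(/^"|"$/g, '');
        if (/^\d+$/.test(v)) result.maxAge = Number(v);
        break;
      }
      case 'includesubdomains': result.includeSubDomains = true; break;
      case 'preload': result.preload = true; break;
      default: break; // tolerate unknown directives, as browsers do
    }
  }
  return result;
}

// Return a list of problems; an empty list means the header is preload-ready.
function auditHsts(value) {
  const h = parseHsts(value);
  const problems = [];
  if (h.maxAge === null) problems.push('max-age missing or invalid: browsers ignore the header');
  else if (h.maxAge === 0) problems.push('max-age=0 clears the HSTS entry');
  else if (h.maxAge < ONE_YEAR) problems.push(`max-age=${h.maxAge} is below one year (${ONE_YEAR})`);
  if (!h.includeSubDomains) problems.push('includeSubDomains missing: subdomains stay reachable over plain HTTP');
  if (!h.preload) problems.push('preload token missing');
  return problems;
}

// The value quoted in the post:
const FROM_POST = 'max-age=15552000; preload';
// Constructed corrected form that satisfies all three requirements:
const HARDENED = 'max-age=31536000; includeSubDomains; preload';

// Usage: auditHsts(FROM_POST).forEach(p => console.log(p));
```

For the header quoted in the post the audit reports two problems (max-age below one year, includeSubDomains missing); a browser still honours it for 180 days on that one host, but a preload submission would be rejected. Note that max-age=0 is not a typo to fix silently: it is how a site deliberately withdraws HSTS, so the audit names it separately.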

Wrapping up
