Our regular readers already know that HTTPS is now a requirement for any websites. The urge to get rid of unsecured navigation has never been stronger: each release of Google Chrome or Mozilla Firefox comes with a new warning sign for users sharing private data. Soon, all forms will be concerned.

But offering an HTTPS version of your website is not enough to automatically redirect all your HTTP traffic to this secured version. Continue reading Ensure secured connections with HSTS (HTTP Strict Transport Security) →

After reading our last article about how to secure your cookies, you may (should?) already be using Secure and HttpOnly flags. As a reminder, ‘Secure’ allows to prevent a cookie to be sent on a non-secure web page, whereas ‘HttpOnly’ prevents any client-side usage of a given cookie.
It is now time to take your website security to the next level with one more attribute for your cookies! Let’s talk about SameSite instruction, allowing to prevent Cross-Site Request Forgery (CSRF) attacks and Cross-Site Script Inclusion (XSSI). Continue reading Secure your cookies to the next level with SameSite attribute →

About one year ago, we were announcing an update of the quality checkpoints of our website analysis service. This update was including a new best practice related to hypertext links opening in a new window or tab by using target="_blank" attribute.
Joining Google Chrome, the latest Firefox version now supports the rel="noopener" attribute, which was one of our advised solutions. The right time for us to have a look back on this recommendation we have brought not only for better security but also for web performance. Continue reading Performance and security of target=_blank links with rel=noopener →

Third-party content are parasites. Friendly ones, with – most of the time – good intentions. But parasites anyway. Let’s discover some useful tips and techniques to deal with Third Party Content and their impacts regarding your website performance and security.

Continue reading Web Performance & Security: how to master Third Party Content impacts →

Your website seems fast enough to you? Are sure that your visitors share the same opinion? Through that question, we intend to talk about the huge differences of web connections among your users… and about the effects about how they will experience your website performance. Continue reading Website Speed: test it like your users browse it →

We have announced it a couple months ago: our web performance testing tool now fully supports HTTP/2 and our best practices repository has been updated to handle the particularities of this new protocol. Now, let’s go back to the reasons of HTTP/2 emergence and talk about the major changes this protocol brings, and these old HTTP/1 best practices that we will have to give up! Continue reading On the way to HTTP/2: what to expect for front-end development? →

Web performance testing tools such as Google Page Speed or Dareboost have been advising this for a while: injecting a script with document.write has a significant impact on website loading time. Let’s talk about this topic one more time, as the next Chrome update (version 54) won’t allow such scripts injections any longer. What kind of issues may you experience? What are the alternatives?

Continue reading Why you should avoid using document.write, specifically for scripts injection →

Now that we have seen how CSP can be useful in preventing injections of content within your web pages, let’s have a look on some technical elements about CSP implementation, and a few ideas about the methodology to adopt. Continue reading How to implement Content Security Policy? →

Thanks to Content Security Policy, you can protect your website from numerous vulnerabilities concerning content injection. Let’s see why and how to use that simple but powerful HTTP header, now widely supported by web browsers.
Continue reading Content Security Policy to secure your website (and more) →