Security

Introduction

All front-end developers must be familiar with the OWASP Top 10 and also the techniques described for:

• HTML5
• AJAX

Some specific topics to consider are:

---

PII Data

To prevent data leakage, ensure no PII data is placed in unencrypted form in any:

• Page URLs
• Page Titles
• Other page meta data (description, social sharing attributes etc.)
• Cookies or local storage

PII includes policy numbers, addresses, full name, date of birth - anything that could identify an individual.

Any input field for PII data must have the autocomplete="off" attribute set.

---

Opening new windows

In general no links should open in a new window, however where this is necessary (as specified in our accessibility standards) ensure the correct security mitigations are followed.

---

iframes

As specified in our development standards avoid the use of iframes wherever possible. Where they are absolutely necessary sandbox them.