Security
Introduction
All front-end developers must be familiar with the OWASP Top 10 and also the techniques described for:
Some specific topics to consider are:
PII Data
To prevent data leakage, ensure no PII is placed in unencrypted form in any of the following, all of which are logged, cached, shared or readable by script in ways the application does not control:
- Page URLs (recorded in browser history, server, proxy and analytics logs, and sent to other sites in the Referer header)
- Page titles (recorded in history and bookmarks, and commonly captured by analytics)
- Other page metadata (description, social sharing attributes etc., which crawlers and link previews copy)
- Cookies or local storage (persist on the device; local storage, and any cookie without HttpOnly, is readable by script, including an injected XSS payload)
PII includes policy numbers, addresses, full names and dates of birth: anything that could identify an individual, alone or in combination.
Any input field for PII data must have the autocomplete="off" attribute set, so the browser does not store the value and offer it later to whoever uses the same browser profile. Note that major browsers ignore autocomplete="off" on username and password fields so that password managers keep working; that exception does not change the requirement for other PII fields.
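The PII rule above can be checked at runtime or in an end-to-end test: take the values the user actually typed into the form and confirm none of them appears, plainly or in a common encoding, in the URL, title, meta tags, cookies or local storage. The following is an added example, not code from the standards page; the `surfaces` snapshot, the location names and the minimum-length threshold are the example's own assumptions, and in a browser you would fill the snapshot from `window.location.href`, `document.title`, the `<meta>` tags, `document.cookie` and `localStorage`.

```javascript
// Added example (not from the standards page): a check that known PII values
// have not leaked, plainly or encoded, into the page locations the standard
// lists. `surfaces` is a hypothetical snapshot of those locations.

// The forms a value commonly takes once it has been written into a URL,
// cookie or storage key without encryption.
function encodedForms(value) {
  const forms = new Set([
    value,
    encodeURIComponent(value),      // percent-encoded, as in a query string
    value.replace(/\s+/g, '+'),     // x-www-form-urlencoded spaces
  ]);
  try { forms.add(btoa(value)); } catch { /* non-Latin1 input: no base64 form */ }
  return [...forms].map(f => f.toLowerCase());
}

// Flatten the snapshot into [location, text] pairs, one per cookie / storage key.
function surfaceTexts(surfaces) {
  return [
    ['url', surfaces.url || ''],
    ['title', surfaces.title || ''],
    ...Object.entries(surfaces.meta || {}).map(([name, content]) => [`meta:${name}`, String(content)]),
    ...(surfaces.cookies || '').split(';').map(c => c.trim()).filter(Boolean)
      .map(c => [`cookie:${c.split('=')[0]}`, c]),
    ...Object.entries(surfaces.localStorage || {}).map(([k, v]) => [`localStorage:${k}`, String(v)]),
  ].map(([where, text]) => [where, text.toLowerCase()]);
}

// Returns one finding per (value, location) pair where the value is present.
function findPiiLeaks(piiValues, surfaces) {
  const leaks = [];
  const locations = surfaceTexts(surfaces);
  for (const value of piiValues) {
    if (value.trim().length < 4) continue;  // too short to match meaningfully (threshold is the example's own)
    const forms = encodedForms(value);
    for (const [where, text] of locations) {
      const hit = forms.find(f => text.includes(f));
      if (hit !== undefined) {
        leaks.push({ value, where, form: hit === value.toLowerCase() ? 'plain' : 'encoded' });
      }
    }
  }
  return leaks;
}

// Constructed sample snapshot and form values (not captured from a real site).
const samplePii = ['PN-7788123', 'Jane Doe', '1980-02-14', '12 High Street'];
const sampleSurfaces = {
  url: 'https://example.test/claims?policy=PN-7788123&step=2',   // policy number in the query string
  title: 'Claim for Jane Doe',                                    // name in the title
  meta: { description: 'Track your claim', 'og:title': 'Claim status' },
  cookies: 'session=opaque-token-123; dob=1980-02-14',            // date of birth in a cookie
  localStorage: { draft: btoa('Jane Doe'), theme: 'dark' },       // name base64-encoded, not encrypted
};

console.log(findPiiLeaks(samplePii, sampleSurfaces));
```

Run against the constructed snapshot the check reports four leaks: the policy number in the URL, the name in the title and (base64-encoded) in local storage, and the date of birth in a cookie. Base64 is treated as a leak because it is an encoding, not encryption; anyone who can read the storage can read the value.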
Opening new windows
In general, no links should open in a new window. Where this is necessary (as specified in our accessibility standards), the link must carry rel="noopener noreferrer" (or, when opened from script, window.open must be passed the noopener feature). Without it the opened page can reach the opening page through window.opener and navigate it to a phishing copy (reverse tabnabbing), and the Referer header leaks the originating URL. Current browsers imply noopener for target="_blank", but the explicit attribute is still required so that older browsers are covered and the intent is visible in the markup.
iframes
As specified in our development standards, avoid the use of iframes wherever possible. Where they are absolutely necessary, sandbox them: set the sandbox attribute and add only the capabilities the framed content needs (for example allow-scripts or allow-forms). Never combine allow-scripts with allow-same-origin for content served from your own origin, because the framed document can then remove its own sandbox attribute and the sandbox provides no protection.
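Both rules above (new-window links and iframes) can be enforced mechanically over templates or built pages before they ship. The following is an added example, not code from the standards page: a scanner for `<a>` and `<iframe>` start tags that flags a target="_blank" link without noopener, an iframe without a sandbox attribute, and a sandbox that combines allow-scripts with allow-same-origin. It is a regex scan, enough for a CI lint, not a full HTML parser; the finding codes and the sample markup are the example's own.

```javascript
// Added example (not from the standards page): a static check for the
// new-window link rule and the iframe sandbox rule, run over a string of HTML.

// Parse the attribute text of a start tag into a lower-cased name -> value map.
// Bare attributes (e.g. a valueless `sandbox`) map to the empty string.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s="'>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns one finding per offending element: { element, code, detail }.
function auditMarkup(html) {
  const findings = [];
  const tagRe = /<(a|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const element = m[0];
    const attrs = parseAttrs(m[2]);
    if (m[1].toLowerCase() === 'a') {
      if ((attrs.target || '').toLowerCase() !== '_blank') continue;   // only new-window links matter
      const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
      if (rel.includes('opener')) {
        findings.push({ element, code: 'rel-opener',
          detail: 'rel="opener" deliberately hands window.opener to the new page' });
      } else if (!rel.includes('noopener') && !rel.includes('noreferrer')) {   // noreferrer implies noopener
        findings.push({ element, code: 'target-blank-without-noopener',
          detail: 'add rel="noopener noreferrer" so the new page cannot navigate this one via window.opener' });
      }
    } else {
      if (!('sandbox' in attrs)) {
        findings.push({ element, code: 'iframe-without-sandbox',
          detail: 'add a sandbox attribute and allow only what the frame needs' });
        continue;
      }
      const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
      if (tokens.includes('allow-scripts') && tokens.includes('allow-same-origin')) {
        findings.push({ element, code: 'sandbox-escapable',
          detail: 'allow-scripts plus allow-same-origin lets same-origin framed content remove its own sandbox attribute' });
      }
    }
  }
  return findings;
}

// Constructed sample markup: a weak and a hardened form of each case.
const sampleHtml = `
<a href="https://partner.example/help" target="_blank">Help</a>
<a href="https://partner.example/terms" target="_blank" rel="noopener noreferrer">Terms</a>
<a href="/claims" target="_self">Claims</a>
<iframe src="https://widget.example/chat"></iframe>
<iframe src="https://widget.example/chat" sandbox="allow-scripts allow-forms"></iframe>
<iframe src="/legacy/form" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="/static/map" sandbox></iframe>
`;

console.log(auditMarkup(sampleHtml));
```

On the sample the scanner reports three findings: the Help link, the unsandboxed chat frame, and the legacy form frame whose sandbox can be escaped. The valueless `sandbox` on the map frame is the most restrictive form (all restrictions applied) and passes.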