
Comments (10)

frio commented on May 3, 2024

Brilliant! For reference, my little nonfunctional.md file contains the following points for security:

  • HSTS ✅
  • CSRF ✅
  • CORS ✅
  • XSS protection ✅
  • Content Security Policy
  • SRI hashes where possible

You've got stuff I'm missing (like X-Frame-Options), so I'll quietly copy/paste those in :). SRI and Content Security Policy are both probably worth a mention :) -- CSP is probably a "high" and SRI is probably a "low".

Possibly one of the cheat sheets for XSS and similar mentions CSP, but it's worth a top-level mention IMHO.

I should've said in the first comment, but thanks for building this handy little resource. The list of so-called non-functional requirements for a modern webapp is vast (and seemingly grows forever), so it's great to have a good enumeration of them.

from front-end-checklist.

collinwu commented on May 3, 2024

Was going to mention there's room for a security section


thedaviddias commented on May 3, 2024

@frio @collinwu indeed, that part is missing. Let me add that section and don't hesitate to comment on that.


thedaviddias commented on May 3, 2024

I just added a first draft for the security section; don't hesitate to give me feedback or make some changes.


thedaviddias commented on May 3, 2024

Don't hesitate to propose (in a PR) a change in the priority if you don't agree. Thanks for your support @frio (frio means cold in Portuguese :D). Hopefully, that checklist will improve a lot in the next few days.


praveeno commented on May 3, 2024

+1


thedaviddias commented on May 3, 2024

@collinwu @frio Some time ago, we added a security section, but since then I have been exchanging with some developers, and I would like your POV. A Front-End developer is in general not responsible for server-side security rules... If you develop an application with a server side, you may be more a Full-Stack developer than a Front-End Dev... Don't you think?


thedaviddias commented on May 3, 2024

Ping @collinwu @frio


frio commented on May 3, 2024

Phew, sorry for the slow reply! Security is a nightmare in our industry; we find new flaws with potentially dangerous implications day in and day out. There are heaps of things that front-end developers should be aware of in the security space :)!

At a minimum, I'd expect a frontend developer to at least be aware of the OWASP Top 10. You're right that they may not need to know how to solve all of those, but I'd expect them to know how to protect against XSS, for instance, or CSRF. There are also nice little tweaks (like SRI hashes) that help to prevent against a compromised CDN or ad from subverting your site.

Basically -- yes, full-stack devs need to know more :). However, I'd argue that front-end devs need to understand the world they deploy into at a minimum, and understand how to address some of the flaws that most impact them.


stale commented on May 3, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you have any questions, please contact me directly at [email protected]. Thank you for your contributions to this project!
