HTML - Security (Secure applications)

About

This article is about security when writing an application that shows HTML pages.

Because HTML and HTTP are heavily intermixed, this page has also some content of the HTTP security page.

HTML is a programming language that can download and run script.

Therefore, you should be extremely careful with user-input or HTML content created by your users.

If you:

accept HTML, you might want to look into using Iframe with sandbox, but security is hard, and that doesn’t seem to be 100%.
don't accept HTML, you need to sanitize it by:
- escaping all HTML tag
- or deleting script, iframe or style tag that are basic tag used in a attack

Add a CSRF token for all forms post request
Add a CSP to define the resources that you accepts
Add HSTS (HTTPS as mandatory).
Add a X-Frame-Options HTTP response header to indicate that a browser should not be allowed to render a page in a frame, iframe, embed or object. More see Web Security - Clickjacking due to opening the style tag