
Defenses

These pages describe web platform features that provide defenses against one or more security attacks.

As a rule, there's a many-to-many relationship between attacks and defenses. In each of our attacks guides we describe the specific defenses against that attack. In the defenses pages listed below, we provide a broader overview of these defenses and how they work.

Certificate transparency

Provides a publicly visible log of issued TLS certificates, making it easier to detect those which were malicious or incorrectly issued.

Mixed content blocking

Prevents a document that was delivered over HTTPS from loading subresources (such as scripts, images, or fonts) over HTTP.

Same-origin policy

Restricts the ways in which content loaded from one origin can access content loaded from a different origin. It controls the extent to which websites can access each other's state.

Secure contexts

A secure context is a Window or Worker for which certain standards of authentication and confidentiality are met. This usually means that it was delivered over HTTPS. Code running in a secure context is able to use powerful web APIs that are not made available in insecure contexts.

Subresource integrity

Enables a website to verify that scripts and stylesheets loaded from an external source (such as a CDN) have the expected content, and have not been modified.

Transport Layer Security (TLS)

Enables a client to communicate securely with a server across an untrusted network. Most notably, on the web, it's used to secure HTTP connections: the resulting protocol is called HTTPS. HTTPS is the only real defense against Manipulator in the Middle (MITM) attacks.

User activation

To protect the user from potentially malicious websites, certain powerful APIs can only be used when the user is currently interacting with the web page, or has interacted with the page at least once since it loaded.

