/en-US/docs/JavaScript/Reference/arrow_functions/en-US/docs/Web/JavaScript/Reference/Functions/Arrow_functions

/en-US/docs/JavaScript/Reference/default_parameters/en-US/docs/Web/JavaScript/Reference/Functions/Default_parameters

/en-US/docs/JavaScript/Reference/rest_parameters/en-US/docs/Web/JavaScript/Reference/Functions/rest_parameters

/en-US/docs/JavaScript/Same_origin_policy_for_JavaScript/en-US/docs/Web/Security/Same-origin_policy

/en-US/docs/JavaScript/Same_origin_policy_for_JavaScript/en-US/docs/Web/Security/Defenses/Same-origin_policy

/en-US/docs/JavaScript/Shells/en-US/docs/Web/JavaScript/Reference/JavaScript_technologies_overview

/en-US/docs/JavaScript/Strict_mode/en-US/docs/Web/JavaScript/Reference/Strict_mode

/en-US/docs/JavaScript/Typed_arrays/en-US/docs/Web/JavaScript/Guide/Typed_arrays

/en-US/docs/SVG_Tutorial/en-US/docs/Web/SVG/Tutorials/SVG_from_scratch

/en-US/docs/SVG_animation_(SMIL)_in_Firefox/en-US/docs/Web/SVG/Guides/SVG_animation_with_SMIL

/en-US/docs/SVG_improvements_in_Firefox_3/en-US/docs/Mozilla/Firefox/Releases/3/SVG_improvements

/en-US/docs/Same_origin_policy_for_JavaScript/en-US/docs/Web/Security/Same-origin_policy

/en-US/docs/Same_origin_policy_for_JavaScript/en-US/docs/Web/Security/Defenses/Same-origin_policy

/en-US/docs/Sample_.htaccess_file/en-US/docs/Learn_web_development/Extensions/Server-side/Apache_Configuration_htaccess

/en-US/docs/Scripting_plugins/en-US/docs/Glossary/Plugin

/en-US/docs/Security/CSP/en-US/docs/Web/HTTP/Guides/CSP

/en-US/docs/Security/HTTP_Strict_Transport_Security/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security

/en-US/docs/Security/InsecurePasswords/en-US/docs/Web/Security/Authentication/Passwords

/en-US/docs/Security/Insecure_passwords/en-US/docs/Web/Security/Authentication/Passwords

/en-US/docs/Security/MixedContent/en-US/docs/Web/Security/Mixed_content

/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content/en-US/docs/Web/Security/Mixed_content#developer_console

/en-US/docs/Security/MixedContent/fix_website_with_mixed_content/en-US/docs/Web/Security/Mixed_content#developer_console

/en-US/docs/Security/Mixed_content/en-US/docs/Web/Security/Mixed_content

/en-US/docs/Security/Mixed_content/How_to_fix_website_with_mixed_content/en-US/docs/Web/Security/Mixed_content#developer_console

/en-US/docs/Security/MixedContent/en-US/docs/Web/Security/Defenses/Mixed_content

/en-US/docs/Security/MixedContent/How_to_fix_website_with_mixed_content/en-US/docs/Web/Security/Defenses/Mixed_content#developer_console

/en-US/docs/Security/MixedContent/fix_website_with_mixed_content/en-US/docs/Web/Security/Defenses/Mixed_content#developer_console

/en-US/docs/Security/Mixed_content/en-US/docs/Web/Security/Defenses/Mixed_content

/en-US/docs/Security/Mixed_content/How_to_fix_website_with_mixed_content/en-US/docs/Web/Security/Defenses/Mixed_content#developer_console

/en-US/docs/Security/Securing_your_site/en-US/docs/Web/Security/Practical_implementation_guides

/en-US/docs/Security/Weak_Signature_Algorithm/en-US/docs/Glossary/Hash_function

/en-US/docs/Security_changes_in_Firefox_3.1/en-US/docs/Mozilla/Firefox/Releases/3.5/Security_changes

/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/en-US/docs/Web/HTTP/Guides/Proxy_servers_and_tunneling

/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_(PAC)_file/en-US/docs/Web/HTTP/Guides/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file

/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file/en-US/docs/Web/HTTP/Guides/Proxy_servers_and_tunneling/Proxy_Auto-Configuration_PAC_file

/en-US/docs/Web/HTTP/Public_Key_Pinning/en-US/docs/Web/Security/Certificate_Transparency

/en-US/docs/Web/HTTP/Public_Key_Pinning/en-US/docs/Web/Security/Defenses/Certificate_Transparency

/en-US/docs/Web/HTTP/Range_requests/en-US/docs/Web/HTTP/Guides/Range_requests

/en-US/docs/Web/HTTP/Redirections/en-US/docs/Web/HTTP/Guides/Redirections

/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy/document-domain/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy

/en-US/docs/Web/JavaScript/Reference/eval/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

/en-US/docs/Web/JavaScript/Reference/rest_parameters/en-US/docs/Web/JavaScript/Reference/Functions/rest_parameters

/en-US/docs/Web/JavaScript/Reference/template_strings/en-US/docs/Web/JavaScript/Reference/Template_literals

/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript/en-US/docs/Web/Security/Same-origin_policy

/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript/en-US/docs/Web/Security/Defenses/Same-origin_policy

/en-US/docs/Web/JavaScript/Shells/en-US/docs/Web/JavaScript/Reference/JavaScript_technologies_overview

/en-US/docs/Web/JavaScript/The_performance_hazards_of__[[Prototype]]_mutation/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/setPrototypeOf

/en-US/docs/Web/JavaScript/The_performance_hazards_of_prototype_mutation/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/setPrototypeOf

/en-US/docs/Web/Security/CSP/Using_CSP_reports/en-US/docs/Web/HTTP/Guides/CSP

/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports/en-US/docs/Web/HTTP/Guides/CSP

/en-US/docs/Web/Security/CSP/Using_Content_Security_Policy/en-US/docs/Web/HTTP/Guides/CSP

/en-US/docs/Web/Security/Certificate_Transparency/en-US/docs/Web/Security/Defenses/Certificate_Transparency

/en-US/docs/Web/Security/Do_not_track_field_guide/en-US/docs/Web/HTTP/Reference/Headers/DNT

/en-US/docs/Web/Security/Do_not_track_field_guide/Additional_resources/en-US/docs/Web/HTTP/Reference/Headers/DNT

/en-US/docs/Web/Security/Do_not_track_field_guide/Case_studies/en-US/docs/Web/HTTP/Reference/Headers/DNT

/en-US/docs/Web/Security/Do_not_track_field_guide/Tutorials/Additional_resources/en-US/docs/Web/HTTP/Reference/Headers/DNT

/en-US/docs/Web/Security/HTTP_strict_transport_security/en-US/docs/Web/HTTP/Reference/Headers/Strict-Transport-Security

/en-US/docs/Web/Security/Insecure_passwords/en-US/docs/Web/Security/Authentication/Passwords

/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content/en-US/docs/Web/Security/Mixed_content#developer_console

/en-US/docs/Web/Security/Mixed_content/en-US/docs/Web/Security/Defenses/Mixed_content

/en-US/docs/Web/Security/Mixed_content/How_to_fix_website_with_mixed_content/en-US/docs/Web/Security/Defenses/Mixed_content#developer_console

/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention/en-US/docs/Web/Security/Attacks/CSRF

/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking/en-US/docs/Web/Security/Attacks/Clickjacking

/en-US/docs/Web/Security/Public_Key_Pinning/en-US/docs/Web/Security/Certificate_Transparency

/en-US/docs/Web/Security/Public_Key_Pinning/en-US/docs/Web/Security/Defenses/Certificate_Transparency

/en-US/docs/Web/Security/Same-origin_policy/en-US/docs/Web/Security/Defenses/Same-origin_policy

/en-US/docs/Web/Security/Secure_Contexts/en-US/docs/Web/Security/Defenses/Secure_Contexts

/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts/en-US/docs/Web/Security/Defenses/Secure_Contexts/features_restricted_to_secure_contexts

/en-US/docs/Web/Security/Securing_your_site/en-US/docs/Web/Security/Practical_implementation_guides

/en-US/docs/Web/Security/Securing_your_site/Configuring_server_MIME_types/en-US/docs/Learn_web_development/Extensions/Server-side/Configuring_server_MIME_types

/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion/en-US/docs/Web/Security/Practical_implementation_guides/Turning_off_form_autocompletion

/en-US/docs/Web/Security/Subdomain_takeovers/en-US/docs/Web/Security/Attacks/Subdomain_takeover

/en-US/docs/Web/Security/Subresource_Integrity/en-US/docs/Web/Security/Defenses/Subresource_Integrity

/en-US/docs/Web/Security/Transport_Layer_Security/en-US/docs/Web/Security/Defenses/Transport_Layer_Security

/en-US/docs/Web/Security/Types_of_attacks/en-US/docs/Web/Security/Attacks

/en-US/docs/Web/Security/User_activation/en-US/docs/Web/Security/Defenses/User_activation

/en-US/docs/Web/Security/Weak_Signature_Algorithm/en-US/docs/Glossary/Hash_function

/en-US/docs/Web/Text_fragments/en-US/docs/Web/URI/Reference/Fragment/Text_fragments

/en-US/docs/Web/Tutorials/en-US/docs/MDN/Tutorials

"modified": "2020-08-25T23:27:57.222Z",

"contributors": ["jswisher"]

},

"Web/Security/Certificate_Transparency": {

"Web/Security/Defenses/Certificate_Transparency": {

"modified": "2020-11-12T17:20:50.893Z",

"contributors": ["secdev-01", "Felicia.Ann.Kelley", "lol768"]

},

"Web/Security/Firefox_Security_Guidelines": {

"modified": "2020-11-19T10:50:23.486Z",

"contributors": [

"chrisdavidmills",

"jamoozy",

"c2the3rd",

"JulianNeal",

"psiinon"

]

},

"Web/Security/Mixed_content": {

"Web/Security/Defenses/Mixed_content": {

"modified": "2020-11-23T00:24:41.415Z",

"contributors": [

"hamishwillee",

"evilpie"

]

},

"Web/Security/Practical_implementation": {

"modified": "2020-06-03T13:43:23.202Z",

"contributors": [

"jswisher",

"mfuji09",

"germain",

"sideshowbarker",

"patizenyapetshop",

"larsonreever",

"SebastienParis",

"tlubitz",

"david_ross",

"mbm",

"chrisdavidmills",

"JazibZaman",

"hashedhyphen",

"marumari",

"evilpie",

"Sheppy",

"teoli"

]

},

"Web/Security/Practical_implementation/Turning_off_form_autocompletion": {

"modified": "2020-07-10T21:28:54.938Z",

"contributors": [

"patrickhlauke",

"mfuji09",

"mnoorenberghe",

"leela52452",

"jswisher",

"sruthiveeragandham",

"Nomeh_Uchenna_Gabriel",

"mfluehr",

"WilliamC07",

"hjuhlin",

"chrisdavidmills",

"LouisLazaris",

"devinea2",

"steduardo",

"terrylinooo",

"kbagot",

"stutrek",

"Didglee",

"rottina",

"Delapouite",

"wbamberg",

"John99",

"Manishearth",

"Sheppy",

"ConcreteGannet",

"teoli",

"contrebis",

"dhodder",

"David-Sarah Hopwood",

"George3",

"LonelyPixel",

"Brianegge",

"NickolayBot",

"Andreas Wuest",

"Brycenesbitt",

"Callek",

"VicMan",

"Pmsyyz",

"Mathieu Deaudelin"

]

},

"Web/Security/Referer_header:_privacy_and_security_concerns": {

"modified": "2020-07-22T14:05:46.803Z",

"contributors": [

"mfuji09",

"bradyhanna",

"chrisdavidmills",

"..",

"vriojtg",

"cg",

"wbamberg"

]

},

"Web/Security/Same-origin_policy": {

"Web/Security/Defenses/Same-origin_policy": {

"modified": "2020-11-09T22:18:21.002Z",

"contributors": [

"hamishwillee",

"Potappo"

]

},

"Web/Security/Secure_Contexts": {

"Web/Security/Defenses/Secure_Contexts": {

"modified": "2020-11-17T02:41:03.636Z",

"contributors": [

"hamishwillee",

"PushpitaPikuDey"

]

},

"Web/Security/Secure_Contexts/features_restricted_to_secure_contexts": {

"Web/Security/Defenses/Secure_Contexts/features_restricted_to_secure_contexts": {

"modified": "2020-11-29T21:11:04.703Z",

"contributors": [

"hamishwillee",

"Annevk"

]

},

"Web/Security/Subresource_Integrity": {

"Web/Security/Defenses/Subresource_Integrity": {

"modified": "2020-10-15T21:38:19.213Z",

"contributors": [

"freddyb",

"wbamberg"

]

},

"Web/Security/Transport_Layer_Security": {

"Web/Security/Defenses/Transport_Layer_Security": {

"modified": "2020-02-22T05:07:20.975Z",

"contributors": [

"mfuji09",

"adithya_mani"

]

},

"Web/Security/Firefox_Security_Guidelines": {

"modified": "2020-11-19T10:50:23.486Z",

"contributors": [

"chrisdavidmills",

"jamoozy",

"c2the3rd",

"JulianNeal",

"psiinon"

]

},

"Web/Security/Practical_implementation": {

"modified": "2020-06-03T13:43:23.202Z",

"contributors": [

"jswisher",

"mfuji09",

"germain",

"sideshowbarker",

"patizenyapetshop",

"larsonreever",

"SebastienParis",

"tlubitz",

"david_ross",

"mbm",

"chrisdavidmills",

"JazibZaman",

"hashedhyphen",

"marumari",

"evilpie",

"Sheppy",

"teoli"

]

},

"Web/Security/Practical_implementation/Turning_off_form_autocompletion": {

"modified": "2020-07-10T21:28:54.938Z",

"contributors": [

"patrickhlauke",

"mfuji09",

"mnoorenberghe",

"leela52452",

"jswisher",

"sruthiveeragandham",

"Nomeh_Uchenna_Gabriel",

"mfluehr",

"WilliamC07",

"hjuhlin",

"chrisdavidmills",

"LouisLazaris",

"devinea2",

"steduardo",

"terrylinooo",

"kbagot",

"stutrek",

"Didglee",

"rottina",

"Delapouite",

"wbamberg",

"John99",

"Manishearth",

"Sheppy",

"ConcreteGannet",

"teoli",

"contrebis",

"dhodder",

"David-Sarah Hopwood",

"George3",

"LonelyPixel",

"Brianegge",

"NickolayBot",

"Andreas Wuest",

"Brycenesbitt",

"Callek",

"VicMan",

"Pmsyyz",

"Mathieu Deaudelin"

]

},

"Web/Security/Referer_header:_privacy_and_security_concerns": {

"modified": "2020-07-22T14:05:46.803Z",

"contributors": [

"mfuji09",

"bradyhanna",

"chrisdavidmills",

"..",

"vriojtg",

"cg",

"wbamberg"

]

},

"Web/URI": {

"modified": "2020-11-16T01:23:20.622Z",

"contributors": [

title:Certificate Transparency

slug:Web/Security/Certificate_Transparency

slug:Web/Security/Defenses/Certificate_Transparency

page-type:guide

sidebar:security

title:Defenses

slug:Web/Security/Defenses

page-type:guide

sidebar:security

These pages describe web platform features that provide defenses against one or more security attacks.

As a rule, there's a many-to-many relationship between attacks and defenses. In each of our[attacks guides](/en-US/docs/Web/Security/Attacks) we describe the specific defenses against that attack. In the defenses pages listed below, we provide a broader overview of these defenses and how they work.

-[Certificate transparency](/en-US/docs/Web/Security/Defenses/Mixed_content)

- : Provides a publicly visible log of issued {{glossary("TLS")}} certificates, making it easier to detect those which were malicious or incorrectly issued.

-[Mixed content blocking](/en-US/docs/Web/Security/Defenses/Mixed_content)

- : Prevents a document that was delivered over HTTPS from loading subresources (such as scripts, images, or fonts) over HTTP.

-[Same-origin policy](/en-US/docs/Web/Security/Defenses/Same-origin_policy)

- : Restricts the ways in which content loaded from one {{glossary("origin")}} can access content loaded from a different origin. It controls the extent to which websites can access each other's state.

-[Secure contexts](/en-US/docs/Web/Security/Defenses/Secure_Contexts)

- : A secure context is a`Window` or`Worker` for which certain standards of authentication and confidentiality are met. This usually means that it was delivered over {{glossary("HTTPS")}}. Code running in a secure context is able to use powerful web APIs that are not made available in insecure contexts.

-[Subresource integrity](/en-US/docs/Web/Security/Defenses/Subresource_Integrity)

- : Enables a website to verify that scripts and stylesheets loaded from an external source (such as a {{glossary("CDN")}}) have the expected content, and have not been modified.

-[Transport Layer Security (TLS)](/en-US/docs/Web/Security/Defenses/Transport_Layer_Security)

- : Enables a client to communicate securely with a server across an untrusted network. Most notably, on the web, it's used to secure HTTP connections: the resulting protocol is called {{glossary("HTTPS")}}. HTTPS is the only real defense against[Manipulator in the Middle (MITM)](/en-US/docs/Web/Security/Attacks/MITM) attacks.

-[User activation](/en-US/docs/Web/Security/Defenses/User_activation)

- : To protect the user from potentially malicious websites, certain powerful APIs can only be used when the user meaning the user is currently interacting with the web page, or has interacted with the page at least once since it loaded.

title:Mixed content

slug:Web/Security/Mixed_content

slug:Web/Security/Defenses/Mixed_content

page-type:guide

browser-compat:http.mixed-content

sidebar:security

title:Same-origin policy

slug:Web/Security/Same-origin_policy

slug:Web/Security/Defenses/Same-origin_policy

page-type:guide

sidebar:security

title:Features restricted to secure contexts

short-title:Restricted features

slug:Web/Security/Secure_Contexts/features_restricted_to_secure_contexts

slug:Web/Security/Defenses/Secure_Contexts/features_restricted_to_secure_contexts

page-type:guide

sidebar:security

title:Secure contexts

slug:Web/Security/Secure_Contexts

slug:Web/Security/Defenses/Secure_Contexts

page-type:guide

spec-urls:https://w3c.github.io/webappsec-secure-contexts/

sidebar:security