Web Security docs on MDN
Back in September 2025, we announced that the Sovereign Tech Agency had provided funding to enable Open Web Docs to create developer documentation on web security and privacy. This month we've completed the biggest section of the project: to update the web security documentation on MDN. In this post we'll have a look at what we've added, and what's coming up next.
The docs we've written for MDN consist of four main pillars: Attacks, Defenses, Threat modeling, and Authentication.
Attacks
Under Attacks, we have a separate article for each type of attack:
In each article, we describe the conditions in which a website is vulnerable to the attack, outline possible defenses and recommend which defenses a developer should adopt. We've tried to make these guides highly accessible and very practical.
Defenses
Under Defenses, we describe web platform features or developer practices that can be used to defend against attacks.
There's typically a many-to-many relationship between attacks and defenses. That is, a single defense can protect against multiple attacks, and defending against a single attack may require multiple defenses, so as to provide defense in depth.
Some of these guides existed already, but we've added new ones and made extensive updates to many of the existing ones.
Threat modeling
Threat modeling is the art of understanding which possible threats a system faces, so that a developer can understand which corresponding defenses they need to deploy.
As in our other work, we've focused on writing accessible and actionable guides, with practical examples walking through sample web applications.
Authentication
Finally, we have a section dedicated to authentication, which is centred on a series of guides to four common authentication methods:
We describe how each method works, which attacks each method is vulnerable to, and good practices to follow to minimize the risks.
We've also added a guide to session management:
What's next
The remainder of this project is dedicated to updating and extending the docs on web privacy. This will be less extensive than the security docs, but we are hoping to cover:
- An explanation of what privacy on the web means, and why it matters.
- Guidelines for how a website should request and handle user data.
- Discussion of tracking, especially around cookies. We will cover the ways browsers restrict third-party and tracking cookies, and the use of partitioned cookies to enable legitimate uses for third-party cookies, without enabling tracking.
- Descriptions of regulatory requirements around privacy, including the GDPR and the California CCPA.
Thanks!
Thanks first and foremost to the Sovereign Tech Agency for funding this project. Having a reliable source of funding is essential to secure the resources needed for a sustained project like this.
Thanks also to:
- Dan Appelquist, for starting and chairing the Security Web Application Guidelines Community Group (SWAG CG), giving us a home where we could plan this work and connect with technical experts.
- Our expert reviewers and collaborators, including Aaron Shim, Freddy Braun, and Simone Onofri, for helping us to understand and document many web security topics, including CSP, XSS, trusted types, cross-site leaks, Fetch metadata, and threat modeling.
- Hamish Willee, for reviewing so many security docs PRs, and always giving us thoughtful feedback.