- Background:
  - Based on "Web-Based Self-Custody Wallets Have More Security Risks Than You Might Think (Some Are Unsolvable in the Short Term)", I think we need to try to document the known security risks and hopefully find ways to mitigate them.
  - ⚠️ Note: This document focuses on security practices specific to web-based self-custody wallets and does not cover general web attacks (but general web security is so important that you should not overlook it if you want to learn more).
  - When I was gathering information on security, I found that owasp.org has a lot of relevant research. I recommend checking it out.
- ‼️ Browser extension risk: As of now, apart from advising users to disable browser extensions, there is no effective way to prevent the use of browser extensions!
- Create objects with `Object.create(null)`:
  - `var _obj = Object.create(null);`
- Freeze an object with `Object.freeze()`:
  - `Object.freeze(obj);`
- Never use `eval()`.
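As an added example (not code from the original document), the following Node.js script shows why these rules matter against prototype pollution: a naive recursive merge of untrusted JSON into a plain object walks into `Object.prototype` and pollutes every object in the process, while the same merge into an `Object.create(null)` target, or under a frozen prototype, does not; a key allowlist in the merge itself closes the hole at the source. The merge helpers, the JSON input and all function names are constructed for this illustration.

```javascript
'use strict';
// Added example, not from the original document. Demonstrates prototype
// pollution through a naive deep merge and the mitigations named above
// (Object.create(null), Object.freeze(), refusing dangerous keys).
// All inputs and helper names are constructed.

// Constructed attacker-controlled input, e.g. an imported settings file.
// JSON.parse creates an *own* property literally named "__proto__".
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Naive deep merge, typical of hand-written options helpers: it copies
// every own key of src into dst, including "__proto__".
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      naiveMerge(dst[key], value); // for a plain dst, dst["__proto__"] is Object.prototype
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// 1. Plain object target: the merge walks into Object.prototype and every
//    unrelated object in the process suddenly "has" isAdmin === true.
function mergeIntoPlainObject() {
  naiveMerge({}, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution so the other demos are unaffected
  return polluted; // true
}

// 2. Null-prototype target (Object.create(null)): there is no inherited
//    __proto__ accessor, so "__proto__" becomes a harmless own property.
function mergeIntoNullPrototype() {
  const settings = naiveMerge(Object.create(null), JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  return {
    polluted: unrelated.isAdmin === true,                                   // false
    ownProtoKey: Object.getOwnPropertyNames(settings).includes('__proto__'), // true
    theme: settings.theme,                                                   // 'dark'
  };
}

// 3. Frozen prototype: the walk still reaches the prototype, but the write is
//    rejected (TypeError in strict mode, silently ignored otherwise). Freezing
//    Object.prototype itself at startup is the same idea applied globally.
function mergeUnderFrozenPrototype() {
  const base = Object.freeze({}); // shared, frozen prototype
  const settings = Object.create(base);
  try {
    naiveMerge(settings, JSON.parse(UNTRUSTED_JSON));
  } catch (err) {
    if (!(err instanceof TypeError)) throw err; // the frozen write was rejected, as intended
  }
  const unrelated = Object.create(base);
  return { polluted: unrelated.isAdmin === true, theme: settings.theme }; // false, 'dark'
}

// 4. Defensive merge: never walk into the prototype chain at all, and keep
//    nested containers null-prototype as well.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || dst[key] === null || typeof dst[key] !== 'object') dst[key] = Object.create(null);
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

function mergeSafely() {
  const settings = safeMerge(Object.create(null), JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  return { polluted: unrelated.isAdmin === true, keys: Object.keys(settings) }; // false, ['theme']
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('plain object polluted:', mergeIntoPlainObject());
  console.log('null prototype:', mergeIntoNullPrototype());
  console.log('frozen prototype:', mergeUnderFrozenPrototype());
  console.log('safe merge:', mergeSafely());
}
```

The `eval()` rule fits the same picture: once a prototype has been polluted, any code path that builds strings for `eval()` or `new Function()` from object properties inherits attacker-controlled values, so the three rules are strongest when applied together.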
- ‼️ Build the web app with LavaMoat.
- Content Security Policy [Level 2] [Level 3]
  - `default-src`
    - The `default-src` directive serves as a fallback for the other fetch directives.
    - Associated risk:
    - Suggest: `default-src 'self';`
  - `connect-src`
    - Associated risk:
    - Suggest: `connect-src 'self' https://*.someAPI.com;`
  - `frame-src`
    - Associated risk:
    - Suggest: `frame-src 'none';`
  - `frame-ancestors`
    - Associated risk:
      - Refer: X-Frame-Options
    - Suggest: `frame-ancestors 'none';` (CSP directive) and `X-Frame-Options: DENY` (HTTP response header)
  - `img-src`
    - Associated risk:
    - Suggest: `img-src https:;`
  - `media-src`
    - Associated risk:
    - Suggest: `media-src https:;`
  - `object-src`
    - Associated risk:
    - Suggest: `object-src 'self';`
  - `script-src`
    - Associated risk:
    - Suggest: `script-src 'self';`
  - `worker-src`
    - Associated risk:
    - Suggest: `worker-src 'self';`
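The directive values above only protect anything if the header is syntactically valid: CSP keywords such as `'self'` and `'none'` are single-quoted, but scheme and host sources such as `https:` or `https://*.someAPI.com` must not be, or the browser silently drops them, and `'none'` is ignored when other sources follow it. As an added example (not from the original document), this Node.js script parses a policy string and flags those pitfalls plus a missing `default-src` and `'unsafe-inline'`/`'unsafe-eval'` in script sources, the kind of check a wallet front end can run in CI against its generated headers. The policy strings, finding codes and function names are constructed here.

```javascript
'use strict';
// Added example, not from the original document: a small CSP parser and
// linter for the directives recommended in this section. Policy strings,
// finding codes and function names are constructed.

// Quoted tokens that CSP defines as keywords; anything else in single quotes
// (other than a nonce or hash) is not a valid source expression.
const KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'", "'unsafe-hashes'",
  "'wasm-unsafe-eval'", "'strict-dynamic'", "'report-sample'",
]);

// Parse "directive src src; directive src" into Map<directive, string[]>.
// Directive names are case-insensitive; as in browsers, the first
// occurrence of a directive wins and later duplicates are ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// A single-quoted token that is neither a keyword nor a nonce/hash source
// (for example 'https://*') is dropped by the browser with a console warning.
function isUnknownQuotedToken(source) {
  if (!source.startsWith("'")) return false;
  if (KEYWORDS.has(source)) return false;
  return !/^'(nonce|sha256|sha384|sha512)-[^']+'$/.test(source);
}

// Returns a list of findings; an empty list means the policy passed.
function lintCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (!policy.has('default-src')) {
    findings.push({ code: 'missing-default-src', directive: 'default-src', source: null });
  }
  for (const [directive, sources] of policy) {
    if (sources.includes("'none'") && sources.length > 1) {
      findings.push({ code: 'none-not-alone', directive, source: "'none'" });
    }
    for (const source of sources) {
      if (isUnknownQuotedToken(source)) {
        findings.push({ code: 'quoted-host-source', directive, source });
      }
      // default-src governs scripts when script-src is absent, so check both.
      if ((directive === 'script-src' || directive === 'default-src') &&
          (source === "'unsafe-inline'" || source === "'unsafe-eval'")) {
        findings.push({ code: 'unsafe-source', directive, source });
      }
    }
  }
  return findings;
}

// The policy assembled from the directive values recommended in this section.
const RECOMMENDED_POLICY = [
  "default-src 'self'",
  "connect-src 'self' https://*.someAPI.com",
  "frame-src 'none'",
  "frame-ancestors 'none'",
  "img-src https:",
  "media-src https:",
  "object-src 'self'",
  "script-src 'self'",
  "worker-src 'self'",
].join('; ');

// A constructed policy with the mistakes the linter is meant to catch
// (the quoted host source is the classic one).
const BROKEN_POLICY =
  "script-src 'self' 'unsafe-inline'; img-src 'https://*'; frame-src 'none' https://widgets.example";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('recommended:', lintCsp(RECOMMENDED_POLICY));
  console.log('broken:', lintCsp(BROKEN_POLICY));
}
```

Run it with `node` to see that the recommended policy produces no findings while the broken one produces four; wiring `lintCsp` into the build that emits the header catches a regression before a deploy does.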
- `SameSite` cookie attribute
  - Associated risk:
  - Suggest: `SameSite=Strict`
- Subresource Integrity (SRI)
  - Associated risk: Subresource Integrity attack
  - Suggest: `<script integrity="sha384-xxx" ...>` and `<link integrity="sha384-xxx" ...>`
- postMessage origin
  - Associated risk:
  - Suggest:
    - Receiver: `window.addEventListener('message', function (event) { if (event.origin !== 'https://yourWeb.com') { return; } /* handle event.data */ });`
    - Sender: `otherWindow.postMessage(message, 'https://yourWeb.com');`
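The origin check above is the first of three checks a wallet page should make on a message: the sender's origin is on an allowlist, the payload has the expected shape, and any reply goes back to the verified sender with an explicit target origin rather than `'*'`. As an added example (not from the original document), this script keeps the handler as a plain function so it can be exercised without a browser; the origins, message types and function names are constructed, and `https://yourWeb.com` is the placeholder from the text.

```javascript
'use strict';
// Added example, not from the original document: an origin-checked
// postMessage receiver and a sender that always passes an explicit target
// origin. Origins, message types and function names are constructed.

// Only these origins may talk to the wallet page (constructed values).
const TRUSTED_ORIGINS = new Set(['https://yourWeb.com', 'https://app.yourWeb.com']);

// Message types the wallet accepts, each with a minimal shape check.
const MESSAGE_SCHEMAS = {
  'wallet:get-address': (data) => typeof data.requestId === 'string',
  'wallet:get-network': (data) => typeof data.requestId === 'string',
};

function handleMessage(event) {
  // 1. Origin check: compare event.origin, never a field inside event.data,
  //    and never accept '*'.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: 'untrusted-origin' };
  }
  // 2. Shape check: the payload is untrusted input even from a trusted origin.
  const data = event.data;
  if (data === null || typeof data !== 'object' || typeof data.type !== 'string') {
    return { accepted: false, reason: 'malformed' };
  }
  // hasOwnProperty keeps "constructor" or "__proto__" from resolving to a function.
  const validate = Object.prototype.hasOwnProperty.call(MESSAGE_SCHEMAS, data.type)
    ? MESSAGE_SCHEMAS[data.type]
    : null;
  if (!validate || !validate(data)) {
    return { accepted: false, reason: 'unknown-or-invalid-type' };
  }
  // 3. Reply only to the sending window, pinned to its verified origin, so a
  //    window that has since navigated elsewhere cannot read the answer.
  const reply = { type: `${data.type}:result`, requestId: data.requestId, ok: true };
  if (event.source && typeof event.source.postMessage === 'function') {
    event.source.postMessage(reply, event.origin);
  }
  return { accepted: true, reply, targetOrigin: event.origin };
}

// Sender side: always name the target origin explicitly.
function sendToWallet(targetWindow, message, targetOrigin = 'https://yourWeb.com') {
  if (targetOrigin === '*') throw new Error('refusing to post with a wildcard target origin');
  targetWindow.postMessage(message, targetOrigin);
}

// Wire up in a browser; guarded so the module also loads under Node.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => { handleMessage(event); });
}
```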
- X-Content-Type-Options
  - Associated risk:
  - Suggest: `X-Content-Type-Options: nosniff`
- HTTP Strict Transport Security (HSTS)
  - Associated risk:
  - Suggest: `Strict-Transport-Security: max-age=86400; includeSubDomains`
- Web security references:
  - developer.mozilla.org - Web Security
  - cheatsheetseries.owasp.org - AJAX Security Cheat Sheet
  - portswigger.net - Prototype Pollution
  - medium.com - Creating object with Object.create(null)
  - developer.mozilla.org - Object.freeze()
  - crowdstrike.com - Software Supply Chain Attacks
  - github.com - LavaMoat
  - cloudflare.com - DNS over TLS (DoT) or DNS over HTTPS (DoH)
  - w3.org - Content Security Policy [Level 2]
  - w3.org - Content Security Policy [Level 3]