Major websites plagued by lack of effective security against JavaScript vulnerabilities
2020-07-14 14:26

A report released Tuesday by security provider Tala Security maintains that most major websites are ill-equipped to combat the flaws in JavaScript, thus putting their customer and user data at risk.

For its "2020 Global Data at Risk State of the Web Report," Tala analyzed the security defenses of the top 1,000 websites as ranked by Alexa.

Citing a "troubling lack of security controls required to prevent data theft," the report said that these sites are vulnerable to client-side attacks that exploit JavaScript vulnerabilities, including Magecart, formjacking, cross-site scripting, and credit card skimming.

How can websites better guard against data theft and leakage due to JavaScript vulnerabilities? Tala recommends that site developers implement controls such as Content Security Policy, Subresource Integrity, and HTTP Strict Transport Security, all of which can mitigate JavaScript-based client-side attacks.

"Applied and managed correctly, these security standards, including Content Security Policy, Subresource Integrity, and others will mitigate client-side risk, including zero-day threats, offering a future-proof solution with no impact to website performance or user experience. Leveraging tools that complement these capabilities by monitoring and preventing PII and other data leakage provides a comprehensive defense-in-depth approach."


News URL

https://www.techrepublic.com/article/major-websites-plagued-by-lack-of-effective-security-against-javascript-vulnerabilities/#ftag=RSS56d97e7