Web Security

Privacy and security – integral to human rights and civil liberties – have long been important on the Web Consortium's agenda. For example, our work has been instrumental in improving Web security through the development of authentication technologies that can replace weak passwords and help mitigate threats from phishing and similar attacks.

However, users rightly fear the misuse of their personal data, being tracked online (including through browser fingerprinting), the spread of disinformation, and other online harms. These are difficult and urgent challenges. We have begun discussions about how to help users find trustworthy content on the Web without increasing censorship.

How W3C approaches Security

  1. Develop security technology standards
  2. Review the security of web standards
  3. Guide Web Developers to design and develop in a secure manner

Developing security standards

We have several groups that develop security standards.

Threat modeling

The Threat Modeling Community Group provides a venue for Security, Privacy, and Human Rights experts, along with technology domain experts, to create Threat Models: living documents that identify cross-area threats and mitigations and provide information on residual risks.

Web Application Security

The Web Application Security Working Group develops security and policy mechanisms to improve the security of Web Applications, and enable secure cross-site communication.

Web Authentication

The Web Authentication Working Group defined a client-side API providing strong authentication functionality to Web Applications.

Federated Identity

The Federated Identity Working Group supports authentication and authorization flows without compromising security and privacy principles.

Web Payment Security

The Web Payment Security Interest Group enhances the security and interoperability of various Web payments technologies.

Reviewing the security of web standards

Security reviews are done by a pool of volunteer reviewers coordinated by the Team. We welcome more people in that pool. Issues raised are tracked using the same tooling used by PING.

We are creating a group to do horizontal security reviews with security researchers and cryptographers.

Security Interest Group (SING)

The group's mission is to improve Security on the Web by advising groups developing standards on how to avoid and mitigate security issues with their technologies. The group will also suggest changes to existing standards and technologies to improve security.

Guiding Web Developers to design and develop in a secure manner

We created a cross-organization group to guide web developers and ensure a holistic approach to security.

Security Web Application Guidelines

The Security Web Application Guidelines (SWAG) Community Group increases the overall security of web application development, thereby making the web a more secure platform for web users, by editing security best practices for web creators and providing a platform for stakeholder collaboration (e.g., OpenSSF, OWASP, Open Web Docs).

Shape the Secure Web as a W3C Member

W3C Members play a significant role in shaping the Web.

Contact W3C to learn more about the benefits of W3C Membership and play a significant role yourself!