All front-end developers must be familiar with the OWASP Top 10 and also the techniques described for:

Some specific topics to consider are:

PII Data

To prevent data leakage, ensure no PII data is placed in unencrypted form in any:

  • Page URLs
  • Page Titles
  • Other page meta data (description, social sharing attributes etc.)
  • Cookies or local storage

PII includes policy numbers, addresses, full name, date of birth - anything that could identify an individual.

Any input field for PII data must have the autocomplete="off" attribute set.

Opening new windows

In general no links should open in a new window, however where this is necessary (as specified in our accessibility standards) ensure the correct security mitigations are followed.


As specified in our development standards avoid the use of iframes wherever possible. Where they are absolutely necessary sandbox them.