Web Security


Security at W3C

Web Security is a collaborative effort across the Web ecosystem; W3C coordinates some of that work in its Security Activity. Among the work we are doing to help secure Web applications and Web usage:

Web Authentication Working Group

The Web Authentication Working Group develops recommendation-track specifications defining an API, as well as signature and attestation formats which provide an asymmetric cryptography-based foundation for authentication of users to Web Applications. Overall goals include obviating the use of shared secrets, i.e. passwords, as authentication credentials, facilitating multi-factor authentication support as well as hardware-based key storage while respecting the Same Origin Policy.

Web Application Security Working Group

WebAppSec is developing specifications including Content Security Policy (CSP), UI Security, Subresource Integrity, Mixed Content, Secure Contexts, Referrer Policy, Credential Management, Clear Site Data, and more. This work aims to enable secure mash-ups, address click-jacking, and create a more robust Web security environment through light-weight policy expression and APIs.

Web Payments

Web Payments at W3C.

The Web Payments Interest Group provides a forum for technical discussions to identify use cases and requirements for existing and/or new specifications to ease payments on the Web for users (payers) and merchants (payees), and to establish a common ground for payment service providers on the Web Platform. Security and secure authentication will be critical elements of success. The Web Payments Working Group will build standard APIs enabling users to register payment instruments (such as credit cards or payment services) and select the right payment type through the browser, making payments faster, more secure, and easier, particularly on mobile devices.

Web Cryptography

Web Cryptography Working Group

Motivated by the emergence of more complex protocols executed between Web applications, the Web Cryptography API exposes trusted cryptographic primitives from the browser. API features include message confidentiality and authentication services, as building blocks for improved Web security.

Related Work: Privacy

Privacy at W3C.

The Privacy Interest Group watches for ongoing privacy issues affecting the Web, investigates potential areas for new privacy work, and provides guidelines and advice for addressing privacy in standards development.

Related Work: Technical Architecture Group (TAG)

The TAG is responsible for the security, sanity, and layering of the overall web platform.

Community Group: Hardware Based Secure Services

How should the Web interface to hardware-based secure services, and what features can be provided by hardware tokens, TEEs, TPMs, in areas of identification, cryptography, and payments? The Hardware Based Secure Services CG is starting work on draft APIs for Transaction Confirmation and Secure Credential Storage.

XML Security

XMLSec produced three W3C Recommendations: a stable interim set of 1.1 specifications. The XML Signature 1.1 and XML Encryption 1.1 specifications clarify and enhance the previous specifications without introducing breaking changes. XML Signature Properties outlines the syntax and processing rules and an associated namespace for properties to be used in XML Signatures.

Shape the Secure Web as a W3C Member

W3C Members play a significant role in shaping the Web.

Contact W3C to learn more about the benefits of W3C Membership.

Active Groups

  • Web Authentication Working Group

    The mission of the Web Authentication Working Group is to define a client-side API providing strong authentication functionality to Web Applications.


  • Web Application Security Working Group

    The mission of the Web Application Security Working Group is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-site communication.


  • Web Payments Working Group

    The mission of the Web Payments Working Group is to make payments easier and more secure on the Web, by streamlining checkout.


  • Web Payments Interest Group

    The mission of the Web Payments Interest Group is to provide a forum for Web Payments technical discussions to identify use cases and requirements for existing and/or new specifications to ease payments on the Web for users (payers) and merchants (payees), and to establish a common ground for payment service providers on the Web Platform.



W3C Team, Security and Privacy

Wendy Seltzer, Strategy Lead
Samuel Weiler, Privacy and Security Strategist