Understanding Secure Contexts in Web Applications

Secure contexts - Security on the web | MDN

A secure context is a Window or Worker for which certain minimum standards of authentication and confidentiality are met. Many Web APIs and features are accessible only in a secure context. The primary goal of secure contexts is to prevent MITM attackers from accessing powerful APIs that could further compromise the victim of an attack.

Secure contexts are essential for ensuring the security and privacy of web applications. They are windows or workers that meet specific standards for authentication and confidentiality, which prevents man-in-the-middle (MITM) attackers from exploiting powerful Web APIs. Certain APIs are restricted to these secure contexts to protect user data and privacy. A context is deemed secure if it is delivered over a secure protocol such as HTTPS or WSS and is associated with a top-level browsing context that also meets these standards. Users can check if they are in a secure context using feature detection methods.

What are secure contexts in web applications?

Secure contexts are windows or workers that meet minimum standards of authentication and confidentiality, protecting users from potential attacks.

Why are some APIs restricted to secure contexts?

Certain APIs can compromise user privacy and security, so they are only accessible in secure contexts to prevent unauthorized access.

How can users check if they are in a secure context?

Users can use feature detection methods, such as window.isSecureContext or WorkerGlobalScope.isSecureContext, to determine if their context is secure.
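The feature-detection check described above, as an added example that is not taken from MDN or from the summarized page. The function names and the mock scopes are assumptions made for illustration; in a browser, pass window or a worker's self as the scope.

```javascript
// Added example. `scope` is the global object of a Window or Worker
// (window / self); it is a parameter so the logic can be exercised with mocks.
function checkSecureContext(scope = globalThis) {
  if (typeof scope.isSecureContext !== "boolean") {
    // Property missing (old browser, non-browser runtime): fail closed.
    return { secure: false, reason: "isSecureContext unavailable" };
  }
  if (scope.isSecureContext) {
    return { secure: true, reason: "secure context" };
  }
  const protocol = scope.location ? scope.location.protocol : "unknown";
  // HTTPS delivery alone is not enough: the top-level browsing context
  // must also be secure, so an HTTPS frame inside an HTTP page fails.
  const reason = protocol === "https:"
    ? "delivered over https: but an ancestor context is not secure"
    : "delivered over " + protocol;
  return { secure: false, reason };
}

// Run `use` only in a secure context; otherwise call `fallback` with the reason.
function withSecureContext(scope, use, fallback) {
  const status = checkSecureContext(scope);
  return status.secure ? use(scope) : fallback(status.reason);
}

// Constructed mock scopes standing in for real browser globals.
const SAMPLE_SCOPES = {
  httpsTopLevel: { isSecureContext: true, location: { protocol: "https:" } },
  httpPage: { isSecureContext: false, location: { protocol: "http:" } },
  httpsFrameInHttpPage: { isSecureContext: false, location: { protocol: "https:" } },
  worker: { isSecureContext: true, location: { protocol: "https:" } },
  legacy: { location: { protocol: "https:" } }, // no isSecureContext property
};

// Decide, for each sample scope, whether a restricted feature would be enabled.
function describeSamples() {
  const out = {};
  for (const [name, scope] of Object.entries(SAMPLE_SCOPES)) {
    out[name] = withSecureContext(
      scope,
      () => "enable feature",
      (why) => "disabled: " + why
    );
  }
  return out;
}

console.log(describeSamples());
```

The browser's own isSecureContext value is treated as authoritative; the protocol is only read to explain a negative result.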
