Sovereign Tech Fund invests in Web Security and Privacy docs
We're proud to share that we have been commissioned by the Sovereign Tech Fund to work on expanding developer documentation with security and privacy guidance. Over the coming year, Open Web Docs will be working on creating and updating Security and Privacy documentation for web developers on MDN content.
Security and privacy documentation are key parts of Open Web Docs' core values and we believe the maintenance of these docs is critical digital infrastructure that benefits everyone.
In 2023, we submitted a position paper to the Secure the Web Forward workshop where we presented initial research showing the need for better Security documentation.
In 2024, we joined the newly created W3C Security Web Application Guidelines Community Group (SWAG CG) and have since had fruitful conversations on a weekly basis, as well as at W3C TPAC 2024.
In early 2025, we presented a content outline and project pitch to the Sovereign Tech Agency and we're now proud to share that we've been awarded an investment from the Sovereign Tech Fund to work on this topic over the coming year.
The commissioned work contains the following high-level goals:
Defending against attacks
We will be developing a series of guides about common attacks on websites, explaining for each attack: how it works, the impact, and how to defend against it.
We've already started work on this objective in September and you can now find new articles on the most common attacks on MDN Web Docs: https://developer.mozilla.org/docs/Web/Security/Attacks
Threat Modelling for Web Developers
We will be developing a guide that provides recommendations for the specific threats that a website might face based on the features a site implements (such as authentication of users or rendering of user-submitted content).
W3C SWAG CG and Web Security Guidelines
We will continue to be active in the SWAG CG on a weekly basis and at TPAC 2025. We will also continue leading the CG's security guidelines community discussions and determine the most appropriate canonical home for the W3C SWAG Web Security Guidelines document.
Authentication on the Web
Authentication is a large topic with many new options and evolving web standards, such as WebAuthn and passkeys. We will develop a series of guides for web developers to implement authentication techniques, such as passwords, one-time passwords, federated identity, and web authentication.
Security Practices
We will develop a series of guides on security practices, including session management, handling third-party software, user input validation, and operational security.
Privacy Documentation
We're planning to improve MDN's documentation on privacy by expanding it beyond browser-specific features. This work will include:
- Research and document privacy technologies that are available to web developers but currently not well known or understood by practitioners.
- Work with experts to research, develop and validate a content outline.
- Perform initial analysis of the proposed documentation scope, including research into the privacy needs of the developer community and a review of existing documentation.
- Validate the resulting scope with privacy experts.
- Develop concrete practical guidance to help web developers protect their users.
User interviews and survey
To make sure the guidance and documentation we're creating is useful, we need to understand our audience as best as possible. To achieve this, we plan to:
- Develop and run a survey aimed at learning about web developers' security awareness (following up on the 2023 survey from the Secure the Web Forward workshop).
- Conduct user interviews to get qualitative feedback on the helpfulness of security and privacy documentation written in this effort.
- Analyze survey results and user interviews and create a report.
Thank you!
We're looking forward to sharing our progress on all of these objectives over the coming months. Many thanks to the Sovereign Tech Agency for investing in Open Web Docs!