
Coding your site to pass vulnerability scans

Steve Barber edited this page Mar 12, 2025 · 1 revision

Pages is scanned for security vulnerabilities regularly. You may think that because all the content is static you don't need to think about vulnerabilities, but that's not quite true. Below are some very common issues that crop up during scans that I sometimes have to contact repo owners about fixing, which is currently a very manual, labor-intensive process of decoding the scan results, figuring out who to talk to about them, and reducing them to a simple list of problems and suggested solutions. My hope is that the scan results might eventually be provided per-repo, in which case I can just pass them along to the repo owners as-is, but we're not there yet.

JavaScript

Sanitize all input

Poorly coded JavaScript can still be used for cross-site scripting (XSS) and reflection-type attacks if the attacker is able to get your JavaScript code to output unsanitized input. For example, if they can type an HTML script tag with some JavaScript into an input field in your web app, and your app turns around and adds that input field's value to the HTML content of the page, the attacker can then cause the user's browser to do all kinds of things you don't want.

Note that input can arrive through input tags, or in the form of query strings in the URL used to access the page. Even if code you wrote does not parse that query string, one of the JavaScript module dependencies you use might.
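As an added illustration (this is example code, not code from the wiki or from any Pages site), here is the unsafe pattern described above next to two safe alternatives, using a query-string parameter as the untrusted input. The `name` parameter and the sample query string are constructed for the example.

```javascript
// Added example (not the wiki's own code): the unsafe and the safe way to put
// untrusted input, here a query-string parameter, into a page.

// Escape the characters that let data break out of an HTML text node or a
// double/single-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the (hypothetical) `name` parameter from a query string such as "?name=Alice".
// URLSearchParams already percent-decodes, so what comes back is exactly the
// text the browser hands to your code.
function nameFromQuery(search) {
  return new URLSearchParams(search).get('name') || 'visitor';
}

// UNSAFE: the pattern the page warns about. The raw value becomes markup, so a
// value containing a <script> tag is parsed as a script tag as soon as this
// string is assigned to innerHTML.
function unsafeGreetingHtml(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// SAFE (option 1): escape before building markup, so the value stays text.
function safeGreetingHtml(name) {
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// SAFE (option 2, preferred in a browser): do not build markup from data at
// all. textContent is never parsed as HTML, so no escaping is needed.
function renderGreeting(container, name) {
  const p = container.ownerDocument.createElement('p');
  p.textContent = 'Hello, ' + name + '!';
  container.replaceChildren(p);
}

// Constructed sample input: a query string carrying a script tag,
// percent-encoded the way a browser would send it.
const constructedSearch = '?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// In a browser, render from the real URL; in Node there is no DOM, so skip.
if (typeof document !== 'undefined') {
  renderGreeting(document.body, nameFromQuery(window.location.search));
}
```

Compare `unsafeGreetingHtml(nameFromQuery(constructedSearch))` with `safeGreetingHtml(...)` on the same input: the first returns a string containing a live `<script>` element, the second returns one where the angle brackets are entities and the browser shows them as literal text. Option 2 is the one to reach for when you control the DOM code, because there is no string to get wrong.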

Therefore, the next item is important too:

Update your JavaScript module dependencies every few months

Vulnerabilities are found all the time in JavaScript modules. If you use any dependencies in your site content, then please establish a process for making sure they get updated regularly.
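One concrete way to make that process routine is to gate on the output of `npm audit --json` in CI or before each refresh. The script below is an added example, not something from the wiki or from Pages. Its reading of the report shape (a top-level `vulnerabilities` object keyed by package name, each entry carrying `severity`, `isDirect` and `fixAvailable`) is my understanding of npm's `auditReportVersion` 2 format and should be treated as an assumption to check against your own output; the report embedded in the code is constructed for the example.

```javascript
// Added example (not the wiki's own code): a severity gate for `npm audit --json`.
// Report shape is assumed from npm's auditReportVersion 2 output; verify locally.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const rank = (s) => SEVERITY_RANK[s] ?? 0;   // unknown severity counts as info

// Return { total, failing, pass } where `failing` lists every package whose
// severity is at or above `failAt`, worst first.
function summarizeAudit(report, failAt = 'high') {
  if (SEVERITY_RANK[failAt] === undefined) throw new Error('unknown severity: ' + failAt);
  const threshold = SEVERITY_RANK[failAt];
  const vulns = report.vulnerabilities || {};
  const failing = [];
  for (const [name, v] of Object.entries(vulns)) {
    if (rank(v.severity) >= threshold) {
      failing.push({
        name,
        severity: v.severity,
        direct: Boolean(v.isDirect),          // true when it is in your own package.json
        fixAvailable: Boolean(v.fixAvailable), // false means an update alone will not clear it
      });
    }
  }
  // Worst first, then by name, so the report is stable between runs.
  failing.sort((a, b) => (rank(b.severity) - rank(a.severity)) || a.name.localeCompare(b.name));
  return { total: Object.keys(vulns).length, failing, pass: failing.length === 0 };
}

// One line per finding, suitable for a CI log.
function formatFindings(result) {
  return result.failing
    .map((f) => `${f.severity.padEnd(8)} ${f.name}` +
      (f.direct ? ' (direct dependency)' : '') +
      (f.fixAvailable ? '' : ' [no fix available]'))
    .join('\n');
}

// Read a saved report (npm audit --json > audit.json) and return an exit code.
function gateFile(path, failAt = 'high') {
  const fs = require('fs');
  const result = summarizeAudit(JSON.parse(fs.readFileSync(path, 'utf8')), failAt);
  if (!result.pass) console.error(formatFindings(result));
  return result.pass ? 0 : 1;
}

// Constructed sample report (package names are made up, not real advisories).
const constructedReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-markdown-lib': { name: 'example-markdown-lib', severity: 'high', isDirect: true, fixAvailable: true },
    'example-util':         { name: 'example-util',         severity: 'low',  isDirect: false, fixAvailable: true },
    'example-parser':       { name: 'example-parser',       severity: 'critical', isDirect: false, fixAvailable: false },
  },
};
```

Wire it up with `process.exit(gateFile('audit.json', 'high'))` after running `npm audit --json > audit.json`; the build then fails whenever a high or critical finding appears, and the log tells you whether the offending package is one you depend on directly and whether a fix already exists. Lower the threshold to `moderate` once the high-severity backlog is clear.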

HTML

Be careful with target="_blank"

Current guidance is to avoid use of target="_blank" in your link tags, OR to take the following additional steps:

  • If the link points to URLs within the same web application, no further action is needed.
  • If the link points to other nist.gov or other .gov websites, add the rel="noopener" attribute to the tag.
  • For any other link, add the rel="noopener noreferrer" attribute to the tag.
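The three rules above are easy to encode, so here is an added example (not code from the wiki or from Pages) that decides which rel value a target="_blank" link needs and audits a page for links that lack it. Two interpretations are assumptions on my part: "within the same web application" is taken to mean the same origin as the page, and ".gov websites" is taken to mean any hostname ending in .gov. The page origin used in the comments and tests is constructed.

```javascript
// Added example (not the wiki's own code): apply the target="_blank" rules.
// Assumptions: "same web application" == same origin; ".gov site" == hostname ends in .gov.

function relForBlankTarget(href, pageOrigin) {
  const link = new URL(href, pageOrigin);   // resolves relative hrefs against the page
  const page = new URL(pageOrigin);
  if (link.origin === page.origin) {
    return '';                              // rule 1: same application, nothing needed
  }
  const host = link.hostname.toLowerCase();
  if (host === 'gov' || host.endsWith('.gov')) {
    return 'noopener';                      // rule 2: nist.gov or any other .gov site
  }
  return 'noopener noreferrer';             // rule 3: everything else
}

// Merge the required tokens into whatever rel= the anchor already has
// (e.g. "nofollow"), without duplicating tokens.
function mergedRel(existingRel, required) {
  const tokens = new Set((existingRel || '').split(/\s+/).filter(Boolean));
  for (const t of required.split(' ').filter(Boolean)) tokens.add(t);
  return [...tokens].join(' ');
}

// Decide whether one anchor (given as plain values, so this also runs outside a
// browser) needs a change. Returns null when it is already correct.
function blankTargetFinding(href, existingRel, pageOrigin) {
  const required = relForBlankTarget(href, pageOrigin);
  if (!required) return null;
  const next = mergedRel(existingRel, required);
  if (next === (existingRel || '').trim()) return null;
  return { href, current: existingRel || '', suggested: next };
}

// Browser-only: list every target="_blank" anchor on the page that needs fixing.
// Run from the dev-tools console as auditBlankTargets(document, location.origin);
// then make the change in the page source, not at runtime.
function auditBlankTargets(root, pageOrigin) {
  const findings = [];
  for (const a of root.querySelectorAll('a[target="_blank"]')) {
    const f = blankTargetFinding(a.getAttribute('href') || '', a.getAttribute('rel'), pageOrigin);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed page origin for the usage below; substitute your own site's origin.
const constructedOrigin = 'https://pages.example.gov';
```

`blankTargetFinding('https://example.com/', 'nofollow', constructedOrigin)` reports a suggested rel of `nofollow noopener noreferrer`, while a link to `https://www.nist.gov/` gets only `noopener` and a relative link to `/docs/` gets no finding at all. Hostname matching is deliberately strict: `something.gov.example.com` ends in `.com`, so it falls under rule 3.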

Make sure all src= and href= attributes refer to valid destinations

Besides making the site look unprofessional, broken links that point to foreign domains give anyone with access to that domain an opportunity to create a malicious component for your page to load.
