SEC-281: Add suggestions from code review

Farzad Hayatbakhsh · Farzad Hayatbakhsh · commit 88530dcb36bb · 2025-01-09T11:15:17.000+10:00
diff --git a/modules/ROOT/pages/security.adoc b/modules/ROOT/pages/security.adoc
@@ -12,6 +12,7 @@ NOTE: The following is _general_ security advice that may be relevant to a websi
 * xref:what-we-do-to-maintain-security-for-tinymce[What we do to maintain security for TinyMCE]
 ** xref:scripts-and-xss-vulnerabilities[Scripts and XSS vulnerabilities]
 ** xref:keeping-dependencies-up-to-date[Keeping dependencies up-to-date]
+* xref:enforcing-https-with-hsts[Enforcing HTTPS with HSTS]
 * xref:configuring-content-security-policy-csp-for-tinymce[Configuring Content Security Policy (CSP) for TinyMCE]
 * xref:general-security-risks-for-user-input-elements[General security risks for user input elements]
 ** xref:cross-site-scripting-xss[Cross-Site Scripting (XSS)]
@@ -44,6 +45,7 @@ To protect {productname} users, {companyname}:
 
 * Patches Cross-Site Scripting (XSS) vulnerabilities,
 * Keeps {productname} dependencies up to date, and
+* Provides recommendations about enforcing HTTPS with HSTS, and
 * Provides information about how to configure a Content Security Policy that works with {productname}.
 
 [[scripts-and-xss-vulnerabilities]]
@@ -55,8 +57,13 @@ SVGs (Scalable Vector Graphics) are not supported in {productname} to protect ou
 
 From the 1st of January 2020, Security Advisories for patched XSS vulnerabilities will be published on the https://github.com/tinymce/tinymce/security/advisories?state=published[{productname} GitHub repository Security page].
 
+[[keeping-dependencies-up-to-date]]
+=== Keeping dependencies up-to-date
+
+To protect our users, {companyname} ensures that the TinyMCE dependencies are updated before the next version (major or minor) is released.
+
 [[enforcing-https-with-hsts]]
-=== Enforcing HTTPS with HSTS
+== Enforcing HTTPS with HSTS
 
 The {companyname} security team strongly recommends that customers embedding {productname} configure their web servers to include the HTTP Strict Transport Security (HSTS) header for websites served over HTTPS. This can be achieved by updating the server configurations to enable HSTS.
 
@@ -70,11 +77,6 @@ For comprehensive guidance on implementing HSTS, refer to the following resource
 * link:https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html[OWASP HSTS Cheat Sheet]
 * link:https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security[MDN Documentation on HSTS]
 
-[[keeping-dependencies-up-to-date]]
-=== Keeping dependencies up-to-date
-
-To protect our users, {companyname} ensures that the TinyMCE dependencies are updated before the next version (major or minor) is released.
-
 include::partial$misc/general-csp.adoc[]
 
 [[general-security-risks-for-user-input-elements]]
