Mozilla’s HTTP Observatory CLI and the Qualys SSL Labs Server Test are good resources for finding potential problems and ensuring compliance with security best practices.
Including external resources
Google Analytics and Piwik - and only when the instance has enabled it. Assets
should always be hosted and served locally from the GitLab instance. Embedded
iframes should never be used except in certain circumstances
such as with reCAPTCHA, which cannot be used without an
Avoiding inline scripts and styles
In order to protect users from XSS vulnerabilities, we will disable inline scripts in the future using Content Security Policy.
While inline scripts can be useful, they’re also a security concern. If user-supplied content is unintentionally left un-sanitized, malicious users can inject scripts into the web app.
Inline styles should be avoided in almost all cases, they should only be used when no alternatives can be found. This allows reusability of styles as well as readability.