sandbox="" attribute should always be added to iframes with untrusted or third-party sources. The attribute enables different types of iframe content restrictions like script or form execution.
crossorigin="anonymous" attribute should always be added to external ressources so no user credentials are transmitted. By loading external files with a GET request, http user credentials are exchanged by default. If the source host is corrupted, an attacker could these details for attacks.
integrity="sha256-..." attribute should always be added to external file hosted on another domain, because an unexpected manipulation / corruption of the code can lead to session hijacking or similar script releated attacks.
rel="noreferrer" attribute should always be added to external links to prevent reverse tabnabbing for older browser, which do not support the
rel="noopener" attribute and to prevent phishing attacks.
If a resource is loaded over
src="http://...", it may not be transmitted over the TLS protocol. In case the webpage is loaded over HTTPS, this results in a mixed content situation where the page is securely loaded but has unencrypted resources embedded. This will often lead to a mixed-content browser warning, but at the time this is reported, it is most likely to late and the attack could have already succeeded.
<meta name="generator" content="WordPress x.x"></meta> and the
<meta content="deny" http-equiv="X-Frame-Options"></meta> meta-tags should always be removed from the html body since the generator tag provides critical informations about the used CMS and the X-Frame-Options must be specified as HTTP Headers and not as a meta tag. Most browser will ignore the meta tag, which can lead to unintended misbehaviour.
Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website where unauthorized commands are transmitted from a authenticated user on the web application. One way of performing such an attack is to observe the HTML code of a website for session tokens like in
<input> tags, which should never be stored inside of the HTML-document.
If the debugging is enabled on a production server, it may give an agressor valuable informations about the inner structure of a web application. These can be used to find vulnerabilities for injections or other type of attacks. Therefore, debugging should always be disabled.