Key changes present in the updated minimum standard compared with the respective previous version are listed here. To keep the list relatively compact and enable comparisons to be made more easily, only major contextual changes are listed. Structural changes, changes to wording and minor updates (e.g. version changes for referenced documents) are therefore not described or are summarised only.

Version 3.0 from 19 February 2024

General

• Extension of the scope to include mobile browsers, correponding notes added to the introductory chapter
• New standardized minimum standard foreword based on IT-SiG 2.0
• Formal adjustments
• Explanation of the division of security requirements into "Product" (subchapter 2.1) and "Operation" (subchapter 2.3)

Security requirements

WB.2.1.01 - Trustworthy communication

• a) Various classifications and additions to the sub-item "it SHALL be possible to withdraw trust from any certification locally."
• c) Carifications, addition of mixed content, supplemantary note on qualified website certificates (QWACQualified Website Authentication Certificate)

WB.2.1.02 -Updates

• Shortening and reformulation

WB.2.1.03 - Protection of trusted data

• a) "Reading" of cookies added; automatic deletion of cookies when the browser ist closed is no longer required
• New sub-item c): "It MUSTbe possible to allow access to camera, microphone and location ONLY after explicit consent by the user."
• Possibility added that users are organizationally obliged not to change predefined configurations (if central administration cannot be technically enforced, e.g. for mobile browsers)
• New sub-item e): "It SHALL be possible to run a context-free browser instance ("incognito" or "private mode") that does not take into account any previously stored data (cookies, website data, cache, download history) and delete data generated during the session after this browser instance ist closed."

WB.2.1.04 - Check for harmful content

• Request changed to "External services"

WB.2.1.05 - Same-Origin-Policy

• Specification, supplementation of Cross-Origin Resource Sharing (CORS)

WB.2.1.06 - Secure configuration

• b) Possibility added that the basic configuration is fulfilled by corresponding standard configuration on delivery instead of being centrally applicable (if central administration cannot be technically enforced, e.g. for mobile browsers)
• c) Possibility added tha users are organizationally obliged not to change predefined configurations (if central administration cannot be technically enforced, e.g. for mobile browsers)
• e) (old) Requirement for multiple browsers configurations deleted
• New sub-item e): "Alternative protocols for resolving DNS queries (e.g. DNS over HTTPS (DoH) or DNS over TLS (DoT) MUST be deactivatable."

WB.2.1.07 - WB.2.1.08

• Various specifications

WB.2.2.01 - Development

• Specification

WB.2.2.02 - Update

• Addition of platform updates, especially for mobile browsers
• Adjustment of the update time for critical vulnerabilities to 28 days
• New requirement for critical vulnerabilities: “If the vulnerability is already publicly exploited, updates MUST be provided after 7 days at the latest.”

WB.2.2.03 - Contact possibility

• Specification

WB.2.3.02 - Administration

• c) Possibility added that the basic configuration is fulfilled by corresponding standard configuration on delivery instead of being centrally applicable (if central administration cannot be enforced technically, e.g. for mobile browsers)

WB.2.3.03 - Extensions

• Supplement for mobile browsers: “Since there are fewer extensions in the mobile area and no direct installation from any source is possible, the permitted use can also be regulated organizationally.”
• Additional note on security requirements for extensions in general: “In addition, this minimum standard for web browsers does not specify any requirements for extensions, as these are to be treated in the same way as other software as part of the institution's information security management. In particular, the requirements of the IT-Grundschutz module 'APP.6 General software' also apply to web browser extensions.”

WB.2.3.04 - Basic configuration

• Various explanations added
• e) (old) Request removed
• e) (new) New requirement: “In federal networks, ONLY the institution's internal DNS resolver MAY be used for the DNS resolution of the web browser.”
• g) Exception for password managers added: “There is an exception for password managers, provided they meet the requirements of WB.2.3.06.”
• h) (old) Requirement removed
• New sub-item i): “Access to the camera, microphone and location MUST NOT take place without the explicit consent of the user.”
• j) (old) Requirement removed
• k) (old) Requirement removed
• o) (new) New requirement: “Access to browser functions and data by digital voice assistance systems SHOULD be disabled.”

WB.2.3.05 - Check for harmful content

• Change to warning before accessing websites classified as malicious (instead of preventing access); reference to local verification

WB.2.3.06 - Password manager

• Specifications
• b) Encryption of passwords generalized to “Protection against access outside the web browser”; note on mobile browsers added

WB.2.3.07 - Updates/Patches

• b) Tightening up the wording that measures must be implemented after 7 days at the latest (instead of “taken”)
• c) Specification that forward-looking checks must be carried out

Version 2.1 from 25 June 2020

General

• Title change for the ‘BSI minimum standard for web browsers’
• Update of the browser comparison table – new Microsoft Edge added
• Formal adjustments and some minor rewording

Security requirements

Trusted communication – certificates

• Adjustments to formulation (instead of explicit list of certificate types, support for the X-509 standard is required)

Updates

• Requirement for update processes for independent programs relocated to requirement 2.3.07 d)
• Subsection ‘Updates MUST be displayed reliably’ removed

Password manager

• The requirement for a built-in browser password manager was removed from chapter 2.1. Chapter 2.3 includes the recommendation to use external password managers. Applicable only in cases where the browser’s own password manager is to be used, this manager must fulfil the minimum corresponding security requirements (these are now listed at an appropriate location in chapter 2.3).

Protection of confidential data – transfer of usage data

• ‘Usage data’ reformulated as ‘telemetry data’ and addition of a terminology definition

Secure configuration

• Addition to subsection c): ‘Steps MUST be taken to prevent changes to centralised configurations by users.’

Minimum rights

• Requirement shortened

Sandboxing and encapsulation

• Requirement shortened

Content Security Policy (CSP)

• Note on potential deviations added

Transparency

• Requirement renamed to ‘Documentation’
• Details provided about the requirements that transparent documentation needs to fulfil

Version 2.0 from 19 September 2019

General

• Formal revision (table removed, numbering adjusted)
• Summary of introductory chapters, removal of background information (incl. 'Threats' and 'Web browser setup')
• Removal of help document (inclusion of relevant information in the main document and comparison table)
• Updating of browser comparison table

Security requirements

Trusted communication – certificates

• Explicit requirement for Domain Validation (DV), Organisation Validation (OV) and Extended Validation (EV)
• Extension of own root certificates

Trusted communication – certificate checking

• Information about the Certification Path Validation Test Tool (CPT) from the BSI

Trusted communication – presentation of communication format

• Option to display encryption details to the user is no longer required
• Requirement to have the complete domain displayed for current pages

Trusted communication – HTTP Strict Transport Security (HSTS)

• Comment on tracking protection

Identification and authentication – password managers

• Requirement must be observed only if a built-in browser password manager is being used (is not recommended in the Operations chapter)
• Storage of passwords ‘encrypted’ instead of ‘protected’

Protection of confidential data – website data and cache

• Additional consideration of website data and cache

Protection of confidential data – transfer of usage data

• New requirement

Checking for harmful content – implementation of protective mechanisms

• Implementation is not a requirement. Instead, it must be possible to deactivate mechanisms that communicate with external services.

Secure configuration – browser instances

• Information added

Subresource Integrity

• New requirement

Data security

• Requirement removed (formerly 4.2.2.4)

Transparency

• New requirement (SW.2.2.04)

Network environment

• Requirement removed, since not within regulatory scope of this minimum standard (formerly 4.3.1)

Extensions

• New requirement (SW.2.3.03)

Base configuration

• Various adjustments and additions

Checking for harmful content

• New requirement (SW.2.3.05)

Password security

• Replacement of ‘password quality’ requirement with ‘password manager’ requirement (SW.2.3.06)

Updates/patches

• Information about browsers no longer supported