Web browsers must not execute Java content from the internet
Ensure web browsers block Java content from the internet to reduce security risks.
Plain language
This control is about making sure your web browser doesn't run Java content from the internet, which can be a security risk. If Java content is allowed to run, it could be used by hackers to harm your computer or steal your information. It's like cutting off a potential way for crooks to break into your digital space.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Application hardening
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML1
Official control statement
Web browsers do not process Java from the internet.
Why it matters
Allowing Java in web browsers can lead to serious breaches, as attackers exploit it for drive-by downloads and remote code execution.
Operational notes
Regularly audit browser and plugin settings to ensure Java is blocked for internet content, as updates or user changes can re-enable it.
Implementation tips
- The IT team should review all web browsers used in the organisation and ensure they don't run Java content, by changing browser settings or installing appropriate security add-ons.
- System administrators should disable or remove Java plug-ins from web browsers to prevent Java content from running. This can be done through the browser's settings or group policies.
- Security personnel should use web content filters to block Java content from websites accessed through the internet. This involves setting up rules that prevent Java from being downloaded or executed.
- Office managers should communicate with employees about why Java is disabled on web browsers and the importance of not enabling it. This can be part of a regular security briefing.
Audit / evidence tips
- Ask: What steps have been taken to ensure web browsers do not run Java content?
- Good: There are group policy settings that clearly show Java is disabled across all browsers, and there is documentation or evidence of regular checks being conducted.
- Ask: Which add-ons or extensions are installed on web browsers that relate to Java?
- Good: No active Java-related extensions are found, or they are clearly marked as disabled.
- Ask: How are employees made aware of the policy regarding Java content?
- Good: Documented employee communications with clear guidelines against enabling Java in browsers, reinforced by security briefings.
Cross-framework mappings
How E8-AH-ML1.2 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| Annex A 8.23 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet to reduce exposure to exploitation via browser-borne... | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (2) | | |
| ISM-0963 | ISM-0963 requires organisations to implement web content filtering to block potentially harmful web-based content | |
| ISM-1485 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet to reduce the attack surface from active content exe... | |
| Supports (3) | | |
| ISM-0260 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet | |
| ISM-0958 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet | |
| ISM-1585 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet | |
| Related (2) | | |
| ISM-0961 | E8-AH-ML1.2 requires that web browsers do not process Java content from the internet | |
| ISM-1486 | E8-AH-ML1.2 requires that web browsers do not process Java content sourced from the internet | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.