Security/FirefoxOperations

2,940 bytes added, 15:19, 31 May 2016
Add security checklist
==== 3.3 Partner with external firms to monitor our security ====
We can’t do everything ourselves. External security firms can help us monitor and audit our services. Some of their work may overlap with current efforts, such as automated security testing, but it would help cover the gaps in the interim. We should evaluate various vendors and partner with the ones that have the best support for our technologies.
 
== Security Checklist ==
 
All services integrated with Firefox or that provide services to Firefox users must follow the security rules listed below.
 
=== Infrastructure rules ===
 
* Use [https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility modern TLS] ('''INFRA-TLS''')
* Set the HSTS max-age to 2592000 (30 days) ('''INFRA-HSTS''')
* Set the HPKP max-age to 2592000 (30 days) ('''INFRA-HPKP''')
* Admin panels must only be available behind VPN and require LDAP auth ('''INFRA-ADMIN''')
 
=== Coding rules ===
 
The following rules apply to all web applications: APIs and websites.
 
* Detailed logging in mozlog format ('''APP-MOZLOG''')
** Business logic must be logged with app-specific error codes (errno)
** Access control failures must be logged at WARN level
 
* All SQL queries must be parameterized, not concatenated ('''APP-SQL''')
* User data must be escaped for the right context prior to reflecting it ('''APP-ESCAPE''')
* Apply sensible limits to user inputs, see [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation Input validation] ('''APP-INPUTVAL''')
* Enforce Access Controls server-side ('''APP-ACL''')
* Set the Secure and HttpOnly flags on [https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies Cookies], and use a sensible Expiration ('''APP-SECCOOKIE''')
* Keep 3rd-party libraries up to date ('''APP-DEPS''')
** Use [https://nodesecurity.io/ NSP] or [https://greenkeeper.io/ Greenkeeper] for NodeJS applications
** Use <code>pip list --outdated</code> or [https://requires.io/ requires.io] for Python applications
* Services that handle cryptographic keys must have a mechanism for monthly key rotation ('''APP-KEYROT''')
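The two coding rules that most often fail in review, APP-SQL and APP-ESCAPE, are shown side by side below. This is an added example, not code from the Firefox Operations page or from any Mozilla service; the <code>users</code> table, its rows, and the injection payload are constructed for the demonstration.

```python
"""Added example (not Mozilla's code): APP-SQL and APP-ESCAPE side by side."""
import html
import json
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table of three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org"), ("carol", "carol@example.org")],
    )
    return conn


def find_user_concatenated(conn, name):
    """Violates APP-SQL: the caller's string becomes part of the statement text."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_parameterized(conn, name):
    """Follows APP-SQL: the driver binds `name` as data, so it is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Constructed probe: with concatenation the WHERE clause collapses to a tautology.
INJECTION_PAYLOAD = "' OR '1'='1"


# APP-ESCAPE: the escaping function depends on the context the value is reflected into.
def escape_for_html_text(value):
    """Element content: neutralise < > &."""
    return html.escape(value, quote=False)


def escape_for_html_attribute(value):
    """Quoted attribute value: additionally neutralise " and ' so the attribute cannot be closed."""
    return html.escape(value, quote=True)


def escape_for_js_string(value):
    """Inline <script> string literal: JSON-encode, then break any '</' so the value
    cannot terminate the surrounding <script> element."""
    return json.dumps(value).replace("</", "<\\/")


if __name__ == "__main__":
    db = make_db()
    print(find_user_concatenated(db, INJECTION_PAYLOAD))   # every user leaks
    print(find_user_parameterized(db, INJECTION_PAYLOAD))  # no match
    print(escape_for_js_string("</script><script>alert(1)</script>"))
```

Note that the parameterized query treats the payload as a literal user name and simply finds nothing; no escaping of the input is involved, which is why APP-SQL asks for parameters rather than quoting. The three escape helpers exist because a single "escape everything" function cannot be right for HTML text, an attribute, and a script literal at the same time.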
 
==== For websites ====
The following coding rules only apply to websites.
 
* Never store passwords; delegate authentication to Firefox Accounts ('''APP-IDP''')
* Forbid mixed content; serve everything over HTTPS ('''APP-MIXCONTENT''')
* Must have a CSP with ('''APP-CSP''')
** a report-uri pointing to the service's /__cspreport__ endpoint
** frame-ancestors set to 'none' (the CSP equivalent of X-Frame-Options: DENY)
** no use of 'unsafe-inline' or 'unsafe-eval'
* Must protect all forms with CSRF tokens; any form that must be exempted is excluded explicitly, never by default ('''APP-CSRF''')
* Must pin 3rd-party scripts and stylesheets with Subresource Integrity (SRI) hashes ('''APP-SRI''')
* Set additional security headers as appropriate ('''APP-HEADERS''')
** X-Content-Type-Options
** X-Frame-Options
** X-XSS-Protection
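The infrastructure rules INFRA-HSTS and INFRA-HPKP and the website rules APP-CSP and APP-HEADERS can all be verified from a single HTTP response, so the added example below audits one set of response headers against all four. It is not code from the Firefox Operations page or from any Mozilla tool; the two sample responses are constructed, the HPKP pin values are placeholders, and the exact values expected for the APP-HEADERS entries (<code>nosniff</code>, <code>DENY</code>, <code>1; mode=block</code>) are the conventional ones and are an assumption of this example, since the checklist only names the headers.

```python
"""Added example (not Mozilla's code): audit response headers against
INFRA-HSTS, INFRA-HPKP, APP-CSP and APP-HEADERS."""
import re

THIRTY_DAYS = 2592000  # seconds; the minimum max-age the checklist requires


def parse_directives(header):
    """Split a ';'-delimited policy (CSP) into {directive: [source values]}."""
    out = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            out.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return out


def max_age(header):
    """Extract the max-age value from an HSTS or HPKP header, or None if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(headers):
    """Return the rule IDs the response violates (empty list = compliant).
    `headers` maps header name -> value; lookups are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # INFRA-HSTS: present, and max-age at least 30 days.
    age = max_age(h.get("strict-transport-security", ""))
    if age is None or age < THIRTY_DAYS:
        findings.append("INFRA-HSTS")

    # INFRA-HPKP: same max-age floor; a policy without pin-sha256 pins nothing.
    hpkp = h.get("public-key-pins", "")
    age = max_age(hpkp)
    if age is None or age < THIRTY_DAYS or "pin-sha256=" not in hpkp:
        findings.append("INFRA-HPKP")

    # APP-CSP: report-uri to /__cspreport__, frame-ancestors 'none', no unsafe-* anywhere.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("APP-CSP")
    else:
        d = parse_directives(csp)
        reports_ok = any(v.endswith("/__cspreport__") for v in d.get("report-uri", []))
        frames_ok = d.get("frame-ancestors") == ["'none'"]
        unsafe = any(v in ("'unsafe-inline'", "'unsafe-eval'")
                     for values in d.values() for v in values)
        if not (reports_ok and frames_ok) or unsafe:
            findings.append("APP-CSP")

    # APP-HEADERS: conventional values assumed by this example (the checklist names only the headers).
    expected = {
        "x-content-type-options": "nosniff",
        "x-frame-options": "deny",
        "x-xss-protection": "1; mode=block",
    }
    for name, want in expected.items():
        if h.get(name, "").strip().lower() != want:
            findings.append("APP-HEADERS")
            break
    return findings


# Constructed sample responses (not captured from any real service).
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; "
                               "report-uri /__cspreport__",
    "X-Content-Type-Options": "nosniff",
}
COMPLIANT_RESPONSE = {
    "Strict-Transport-Security": "max-age=2592000; includeSubDomains",
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDERPRIMARYPIN="; '
                       'pin-sha256="PLACEHOLDERBACKUPPIN="; max-age=2592000',
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
                               "frame-ancestors 'none'; report-uri /__cspreport__",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_RESPONSE))
    print("compliant:", audit_headers(COMPLIANT_RESPONSE))
```

The audit scans every CSP directive for 'unsafe-inline' and 'unsafe-eval', not just script-src, because a style-src that allows inline styles is a common way the rule is quietly violated. Run it against the headers of a staging deployment before sign-off; a non-empty list is a blocker.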
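APP-CSRF asks for two things that are easy to get backwards: tokens on every state-changing form by default, and an explicit list of the few endpoints that are excluded. The added example below shows one way to do that with session-bound HMAC tokens. It is not code from the Firefox Operations page or from any Mozilla service; the server secret, the session identifiers and the choice of /__cspreport__ as the one exempt endpoint (browsers POST CSP reports there without a token) are assumptions of this example.

```python
"""Added example (not Mozilla's code): session-bound CSRF tokens (APP-CSRF)
with an explicit exemption list, so forms are protected by default."""
import hashlib
import hmac
import secrets

# Assumed server-side secret; a real service loads this from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Protection is the default. Endpoints that must accept cross-site POSTs
# (here the CSP report receiver) are excluded explicitly, one by one.
CSRF_EXEMPT_PATHS = {"/__cspreport__"}


def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Bind a fresh random nonce to the session, so a token captured from (or minted
    for) another session does not validate here."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    nonce, _, mac = (token or "").partition(".")
    if not nonce or not mac:
        return False
    expected = _mac(session_id, nonce)
    return hmac.compare_digest(mac.encode(), expected.encode())


def request_allowed(method, path, session_id, submitted_token):
    """CSRF decision for one request: safe methods pass, exempt paths pass,
    everything else needs a valid token for the current session."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token is needed
    if path in CSRF_EXEMPT_PATHS:
        return True  # manually excluded endpoint
    return verify_csrf_token(session_id, submitted_token)


if __name__ == "__main__":
    token = issue_csrf_token("session-A")
    print(request_allowed("POST", "/settings", "session-A", token))  # accepted
    print(request_allowed("POST", "/settings", "session-B", token))  # rejected
```

Keying the token to the session identifier is what makes it useful across a site: an attacker can obtain a token for their own session, but it will not validate inside the victim's. The exemption set is the "manually excluded specific forms" part of the rule, and every entry in it should be justified in review.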
 
=== Data rules ===
 
* Sensitive user data (like browsing history) stored on our servers must either be:
** Anonymized (similar to Tiles) ('''DATA-ANON''')
** Encrypted client-side (similar to Sync) ('''DATA-CRYPT''')
* Must sign data and code pushed to Firefox clients ('''DATA-SIGN''')
** Addons must use standard AMO signing ('''APP-SIGNING''')
** Code & Conf must use Content-Signature via Autograph ('''DATA-SIGNING''')
* Must implement a sign-off protocol for changes to data/code pushed to the beta and release channels, see [https://docs.google.com/document/d/12QJ4BjYraJpbLM-8za6FCiOLoHmWKGsyVK_PbShwMuA/edit# Firefox Continuous Delivery Sign Off]
== Sites and Services ==