Changes


Security/FirefoxOperations

1,298 bytes added, 14:03, 21 September 2016
no edit summary
|-
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.1+TDS&quot; <span style="color:white;">'''2 1 HIGH'''<br />'''4 MEDIUM'''<br />'''4 6 LOW'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.2+fraud+detection&quot; <span style="color:white;">'''3 2 HIGH'''<br />'''2 MEDIUM'''<br />'''1 2 LOW'''<br /></span>]| style="background-color: #4a6785ffd351;"|[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.3+identity+management&quot; <span style="color:whiteblack;">'''1 3 MEDIUM'''<br />'''1 LOW'''<br /></span>]
| style="background-color: #d04437;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;1.4+infra+hardening&quot; <span style="color:white;">'''1 HIGH'''<br />'''4 MEDIUM'''<br />'''4 3 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;3.2+monitor+external+threats&quot; <span style="color:white;">'''2 LOW'''<br /></span>]
External audits
|-
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.1+risk+assessment&quot; <span style="color:white;">'''1 MEDIUM'''<br />'''3 LOW'''<br /></span>]
| style="background-color: #ffd351;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.12+riskappsec+assessmentbaseline&quot; <span style="color:black;">'''1 HIGH'''<br />'''1 2 MEDIUM'''<br />'''1 3 LOW'''<br /></span>]| style="background-color: #ffd3514a6785;"|[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;23.21+appsec+baselinesignature&quot; <span style="color:blackwhite;">'''1 HIGH'''<br />'''2 MEDIUM'''<br />'''2 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;3.1+signature&quot; <span style="color:white;">'''2 LOW'''<br /></span>]| style="background-color: #d04437;"|[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.3+security+communication&quot; <span style="color:white;">'''2 HIGH'''<br />'''1 MEDIUM'''<br />'''3 4 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;2.4+bug+bounty&quot; <span style="color:white;">'''1 MEDIUM'''<br />'''1 LOW'''<br /></span>]
| style="background-color: #4a6785;"|
[https://github.com/mozilla-services/cloudsec/issues?q=is%3Aopen+is%3Aissue+label%3A&quot;3.3+external+audits&quot; <span style="color:white;">'''1 HIGHMEDIUM'''<br />'''1 LOW'''<br /></span>]
|}
== Security Checklist ==
All services integrated with Firefox or that provide See https://github.com/mozilla-services /cloudsec/blob/master/security_checklist.md The checklist below is in MARKDOWN format to Firefox users must follow the security rules listed belowbe copy/pasted into Github issues.
=== <code>Infrastructure rules ===--------------------
* [ ] Use [Modern TLS](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility modern TLS] ) ('''**INFRA-TLS'''**)* [ ] Set HSTS to 2592000 31536000 (30 days1 year) ('''**INFRA-HSTS'''**)* [ ] Set HPKP to 2592000 5184000 (30 60 days) ('''**INFRA-HPKP'''**) * `Public-Key-Pins: max-age=300; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__";` * Start with max-age set to 5 minutes and increase gradually * Pin to the EV and DV roots of Digicert * Set a reporting endpoint `/__hpkpreport__` to catch violations in nginx ([example conf](https://github.com/mozilla-services/puppet-config/blob/HEAD/amo/modules/amo_proxy/templates/nginx.hpkpreport.conf.erb))* Admin If service has an admin panels , it must: ** [ ] only be available behind Mozilla VPN (which provides MFA) ('''**INFRA-ADMINVPN'''**) ** [ ] require LDAP authentication ('''**INFRA-ADMINLDAP'''**) ** [ ] enforce a two-man rule on sensitive changes ('''**INFRA-2MANRULE'''**)
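Review bot: the example `Public-Key-Pins` header under INFRA-HPKP sets `max-age=300` while the rule itself now says 5184000 (60 days); say explicitly that 300 is the initial roll-out value from the "Start with max-age set to 5 minutes" bullet so the two numbers do not read as a contradiction. The header also only takes effect once it carries a backup pin: RFC 7469 has a browser ignore a pin set in which every pin matches the served chain, so "Pin to the EV and DV roots of Digicert" should state which of those two roots is the backup (i.e. not in the chain the service currently serves). Under INFRA-HSTS, the max-age is raised to 31536000 (1 year) but nothing says whether `includeSubDomains` is expected; worth stating one way or the other, since subdomains are where a missing policy usually goes unnoticed.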
=== Coding rules ===------------
The following rules apply to all web applications: api and websites.
* [ ] Sign all commits (**APP-COMMITSIG**) * Developers should [configure git to sign all commits](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com * [ ] Detailed logging in mozlog format ('''**APP-MOZLOG'''**)* * Business logic must be logged with app specific codes (errno)* * Access control failures must be logged at WARN level * [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**)* [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**)* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**)* [ ] Enforce Access Controls server-side (**APP-ACL**)* [ ] Set the Secure flag on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration and HTTPOnly (**APP-SECCOOKIE**)* Keep 3rd-party libraries up to date (**APP-DEPS**) * [ ] Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications * [ ] Use pip --outdated or [requires.io](https://requires.io/) for Python applications* [ ] If handling cryptographic keys, must have a mechanism to handle monthly key rotations (**APP-KEYROT**) * [ ] All keys must be rotated quarterly. * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable during.
* All SQL queries must be parameterized, not concatenated ('''APP-SQL''')* User data must be escaped for the right context prior to reflecting it ('''APP-ESCAPE''')* Apply sensible limits to user inputs, see [https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation Input validation] ('''APP-INPUTVAL''')* Enforce Access Controls server-side ('''APP-ACL''')* Set the Secure flag on [https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies Cookies], and use sensible Expiration and HTTPOnly ('''APP-SECCOOKIE''')* Keep 3rd-party libraries up to date ('''APP-DEPS''')** Use [https://nodesecurity.io/ NSP] or [https://greenkeeper.io/ Greenkeeper] for NodeJS applications** Use pip --outdated or [https://requires.io/ requires.io] for Python applications* When handling cryptographic keys, must have a mechanism to handle monthly key rotations ('''APP-KEYROT''')# Additional websites requirements
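Review bot: the APP-KEYROT item is internally inconsistent: the lead bullet asks for a mechanism to handle monthly key rotations while the sub-bullet says "All keys must be rotated quarterly"; pick one period or state that the mechanism must support monthly rotation while the minimum policy is quarterly. The last sub-bullet, "Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable during.", is cut off after "during" and needs completing. Minor: the commit-signing guide linked under APP-COMMITSIG is a plain `http://` URL; link it over https, since it is the page developers follow to set up signing.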
==== For websites ====The following coding rules only apply to websites, not web apis.
* [ ] Never store passwords, use Firefox Accounts ('''**APP-IDP'''**)* [ ] Forbid Mixed content, always use HTTPS ('''**APP-MIXCONTENT'''**)* [ ] Must have a CSP with ('''**APP-CSP'''**) ** [ ] a report-uri pointing to the service /__cspreport__ ** [ ] frame-options set to deny ** [ ] no use of unsafe-inline or unsafe-eval* [ ] Must have CSRF tokens and manually excluded specific forms ('''**APP-CSRF'''**)* Must have [ ] Should consider having checksums for 3rd-party content via SRI ('''**APP-SRI**). * Trusted 3rd parties, like Google Analytics, don'''t need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).* Consider Security headers as appropriate ('''**APP-HEADERS'''**) ** [ ] X-Content-Type-Options ** [ ] X-Frame-Options ** [ ] X-XSS-Protection
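Review bot: the APP-CSP sub-bullet "frame-options set to deny" names a directive that does not exist in CSP; the CSP directive is `frame-ancestors` (e.g. `frame-ancestors 'none'`), while `X-Frame-Options: DENY` is the separate header already listed under APP-HEADERS, so say which of the two is meant. The APP-SRI item contradicts itself in one breath ("Trusted 3rd parties, like Google Analytics, don't need SRI" followed by "assume it is not" trustworthy), and its bold markup is broken, the closing `'''` having landed inside "don't"; a single rule, such as SRI for every third-party script unless an exception is recorded, would be clearer. "Must have CSRF tokens and manually excluded specific forms" under APP-CSRF reads as if excluding forms were the requirement; reword to say that any form exempted from CSRF protection must be an explicit, documented exception.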
=== Data rules ===----------
* Sensitive When storing sensitive user data (like browsing history) stored on our Mozilla servers must either be: ** Anonymized [ ] Anonymize it (similar to Tiles) ('''**DATA-ANON'''**) ** Encrypted [ ] Encrypt it client-side (similar to Sync) ('''**DATA-CRYPT'''**) * Must sign [ ] If user data must be stored non-anonymized and in clear text, you must talk to the security and code pushed legal teams about it.* If the service pushes data to Firefox clients , like when distributing blacklists or pushing updates, cryptographic signatures must be used. ('''**DATA-SIGN'''**) ** [ ] Addons must use standard AMO signing ('''**APP-SIGNING'''**) ** [ ] Code & Conf must use Content-Signature via [Autograph ]('''DATA-SIGNING''')* Must implement a sign-off protocol when changing data/code to the beta and release channels, see [https://docs.googlegithub.com/documentmozilla-services/d/12QJ4BjYraJpbLMautograph) (**DATA-8za6FCiOLoHmWKGsyVK_PbShwMuASIGNING**)</edit# Firefox Continuous Delivery Sign Off]code>
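Review bot: the removed sub-bullet "Must implement a sign-off protocol when changing data/code to the beta and release channels" (with the Firefox Continuous Delivery Sign Off link) has no replacement in the new text; if the sign-off requirement still stands, keep it as a checklist item under DATA-SIGN rather than dropping it silently. The identifiers in this section are also inconsistent: the parent item is DATA-SIGN, the add-ons sub-item is APP-SIGNING and the code/config sub-item is DATA-SIGNING; since the checklist is meant to be pasted into GitHub issues, one prefix and one scheme per item will make the labels usable. The new `[Autograph](...)` link in the same sub-item is the sole reference for DATA-SIGNING, so make sure the markdown link is well-formed after the copy/paste.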
== Sites and Services ==