Changes


Security/FirefoxOperations

8 bytes added, 11:52, 29 September 2016
no edit summary
<source lang="markdown">
Risk Management
---------------
* [ ] The service must have performed a Rapid Risk Assessment and have a Risk Record bug (**SVC-RRA**).
* [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**)
* [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**)
* `Public-Key-Pins: max-age=300; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; report-uri="/__hpkpreport__";`
* Start with max-age set to 5 minutes and increase gradually
* Pin to the EV and DV roots of Digicert
* Set a reporting endpoint `/__hpkpreport__`; it must be manually added to catch violations in nginx ([example conf](https://github.com/mozilla-services/puppet-config/blob/HEAD/amo/modules/amo_proxy/templates/nginx.hpkpreport.conf.erb))
* [ ] If the service is not hosted under services.mozilla.com, it must be manually added to [Firefox's preloaded pins](https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#184)
* If the service has an admin panel, it must:
* [ ] only be available behind Mozilla VPN (which provides MFA) (**INFRA-ADMINVPN**)
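As an added example (not code from the wiki page or from Mozilla's tooling), the following Python checker parses `Strict-Transport-Security` and `Public-Key-Pins` response headers and reports where they fall short of the INFRA-HSTS and INFRA-HPKP items above: a max-age below the 1-year or 60-day target, an HPKP max-age still at the 5-minute rollout value, fewer than two pins (no backup pin), a pin that is not a base64-encoded SHA-256 digest, or a missing report-uri. The sample headers and all function names are constructed for the example; only the thresholds come from the checklist.

```python
"""Check HSTS and HPKP response headers against the checklist targets.

Added example, not part of the wiki page or of Mozilla's tooling. Sample
headers are constructed; thresholds are the checklist values.
"""
import base64

HSTS_TARGET = 31536000      # INFRA-HSTS: one year, in seconds
HPKP_TARGET = 5184000       # INFRA-HPKP: 60 days, in seconds
HPKP_ROLLOUT_START = 300    # recommended first max-age: 5 minutes

# Constructed sample headers for a service mid-rollout; the HPKP value is the
# starting point the checklist shows (max-age=300, two pins, a report-uri).
SAMPLE_HSTS = "max-age=31536000; includeSubDomains"
SAMPLE_HPKP = ('max-age=300; '
               'pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; '
               'pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; '
               'report-uri="/__hpkpreport__"')


def parse_directives(header_value):
    """Split a ';'-separated header into (name, value) pairs.

    value is None for bare flags such as includeSubDomains. Repeated names
    (pin-sha256) are kept, so the result is a list rather than a dict.
    """
    out = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"') if sep else None
        out.append((name, value))
    return out


def _max_age(directives):
    """Return the numeric max-age, or None when absent or malformed."""
    for name, value in directives:
        if name == "max-age" and value is not None and value.isdigit():
            return int(value)
    return None


def _valid_pin(pin):
    """A pin-sha256 value must be base64 of a 32-byte SHA-256 SPKI digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def check_hsts(header_value):
    """Return a list of findings; empty when the header meets INFRA-HSTS."""
    if header_value is None:
        return ["HSTS header missing"]
    findings = []
    age = _max_age(parse_directives(header_value))
    if age is None:
        findings.append("HSTS max-age missing or not numeric")
    elif age < HSTS_TARGET:
        findings.append("HSTS max-age %d is below target %d" % (age, HSTS_TARGET))
    return findings


def check_hpkp(header_value):
    """Return a list of findings; empty when the header meets INFRA-HPKP."""
    if header_value is None:
        return ["HPKP header missing"]
    directives = parse_directives(header_value)
    findings = []
    age = _max_age(directives)
    if age is None:
        findings.append("HPKP max-age missing or not numeric")
    elif age < HPKP_ROLLOUT_START:
        findings.append("HPKP max-age %d is below the recommended 5-minute start" % age)
    elif age < HPKP_TARGET:
        findings.append("HPKP max-age %d still in rollout; target is %d" % (age, HPKP_TARGET))
    pins = [v for n, v in directives if n == "pin-sha256"]
    if len(pins) < 2:
        findings.append("HPKP needs at least two pins (current and backup); found %d" % len(pins))
    bad = [p for p in pins if p is None or not _valid_pin(p)]
    if bad:
        findings.append("HPKP pin(s) not a base64 SHA-256 digest: %s" % ", ".join(str(b) for b in bad))
    if not any(n == "report-uri" and v for n, v in directives):
        findings.append("HPKP report-uri missing")
    return findings


def check_headers(headers):
    """Check a response-header mapping; header names match case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return (check_hsts(lowered.get("strict-transport-security"))
            + check_hpkp(lowered.get("public-key-pins")))


if __name__ == "__main__":
    sample = {"Strict-Transport-Security": SAMPLE_HSTS, "Public-Key-Pins": SAMPLE_HPKP}
    for line in check_headers(sample) or ["all checks pass"]:
        print(line)
```

Run against the sample above it reports only that the HPKP max-age is still at the rollout value, which is exactly the state the checklist expects while the 5-minute starting value is being raised toward 60 days; once `max-age=5184000` is deployed the check passes clean.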