No edit summary
| Line 177: | Line 177: | ||
* [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**) | * [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**) | ||
* [ ] Must have a CSP with (**APP-CSP**) | * [ ] Must have a CSP with (**APP-CSP**) | ||
* [ ] a report-uri pointing to the service /__cspreport__ | * [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint | ||
* [ ] | * [ ] if default-src is not `self`, child-src should be `none` or only allow specific origins | ||
* [ ] no use of unsafe-inline or unsafe-eval | * [ ] no use of unsafe-inline or unsafe-eval | ||
* [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**) | * [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**) | ||
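Review bot: in the new child-src item on the Line 177 hunk, the CSP keyword sources are written as `self` and `none`, but in Content-Security-Policy syntax keywords must be single-quoted (`'self'`, `'none'`); unquoted `self` or `none` is parsed as a host name, so a policy copied from this checklist as written would silently not do what the item intends. Suggest writing the item as "if default-src is not `'self'`, child-src should be `'none'` or only allow specific origins", and applying the same quoting to the report-uri line for consistency with how the unsafe-inline / unsafe-eval item reads.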