Changes

Security/FirefoxOperations

516 bytes added, 17:20, 30 January 2017
no edit summary
The following rules apply to all web applications: APIs and websites.
* [ ] Sign all release tags, and maybe commits (**APP-COMMITSIG**)
* Developers should [configure git to sign all commits and tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com
* The signature verification will eventually become a requirement for shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd-party GitHub integration compromising our source code.
* [ ] Detailed logging in mozlog format (**APP-MOZLOG**)
* Business logic must be logged with app-specific codes (errno)
* Access control failures must be logged at WARN level
* [ ] Must have a CSP with (**APP-CSP**)
* [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint
* [ ] web APIs should set `default-src` to `none`, disallowing all content rendering
* [ ] if default-src is not `self`, frame-src should be `none` or only allow specific origins
* [ ] no use of unsafe-inline or unsafe-eval
* [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**)
* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s
* [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**)
* [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**)
* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**)
* [ ] Enforce Access Controls server-side (**APP-ACL**)
* [ ] Never store passwords, use Firefox Accounts (**APP-IDP**)
* [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**)
* [ ] Must have a CSP with (**APP-CSP**)
* [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint
* [ ] if default-src is not `self`, child-src should be `none` or only allow specific origins
* [ ] no use of unsafe-inline or unsafe-eval
* [ ] Must have CSRF tokens; specific forms may only be exempted by explicit, manual exclusion (**APP-CSRF**)
* [ ] Should consider having checksums for 3rd-party content via SRI (**APP-SRI**).
* Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).
* Set the following security headers as appropriate (**APP-HEADERS**)
* [ ] X-Content-Type-Options
* [ ] X-Frame-Options
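As an added example (not part of this wiki page or of Mozilla's own tooling), a Python checker that tests a response's headers against the APP-CSP, APP-HEADERS and web-API content-type items above; the two sample header sets are constructed for illustration.

```python
"""Check response headers against the APP-CSP / APP-HEADERS checklist items.
Added example, not Mozilla code; sample header sets below are constructed."""


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_headers(headers, is_api):
    """Return the list of violated checklist items ([] means compliant).
    `is_api` marks a web API, which gets the stricter default-src/content-type rules."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("APP-CSP: no Content-Security-Policy header")
    else:
        if csp.get("report-uri") != ["/__cspreport__"]:
            findings.append("APP-CSP: report-uri must be the service's own /__cspreport__")
        default = csp.get("default-src", [])
        if is_api and default != ["'none'"]:
            findings.append("APP-CSP: web APIs must set default-src 'none'")
        if default != ["'self'"]:
            # child-src (older policies: frame-src) falls back to default-src when absent.
            child = csp.get("child-src") or csp.get("frame-src") or default
            if not child or "*" in child or "https:" in child or "http:" in child:
                findings.append("APP-CSP: child-src must be 'none' or specific origins")
        for name, sources in csp.items():
            if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
                findings.append("APP-CSP: %s uses unsafe-inline or unsafe-eval" % name)
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if is_api and (not ctype or ctype == "text/html"):
        findings.append("APP-CSP: web API responses must carry a non-HTML content-type")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("APP-HEADERS: missing X-Content-Type-Options: nosniff")
    if "x-frame-options" not in h:
        findings.append("APP-HEADERS: missing X-Frame-Options")
    return findings


# Constructed sample responses from a web API: a weak one and a hardened one.
WEAK_API = {"Content-Type": "text/html",
            "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
HARDENED_API = {"Content-Type": "application/json",
                "Content-Security-Policy": "default-src 'none'; report-uri /__cspreport__",
                "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY"}
```

Running `check_headers(WEAK_API, True)` lists six violations, while the hardened set returns an empty list.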