Changes

Security/FirefoxOperations

498 bytes added, 18:21, 13 February 2017
no edit summary
--------------------
* [ ] Access and application logs must be archived for a minimum of 90 days
* [ ] Use [Modern](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) or [Intermediate](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility) TLS (**INFRA-TLS**)
* [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**)
  * `strict-transport-security: max-age=31536000`
* [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**)
  * `Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";`
The following rules apply to all web applications, APIs and websites alike.
* [ ] Sign all release tags, and maybe commits as well (**APP-COMMITSIG**)
  * Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com
  * Signature verification will eventually become a requirement for shipping a release to staging and prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a third-party GitHub integration compromising our source code.
* [ ] Publish detailed logs in [mozlog](https://github.com/mozilla-services/Dockerflow/blob/master/docs/mozlog.md) format (**APP-MOZLOG**)
  * Business logic must be logged with app-specific codes (errno)
  * Access control failures must be logged at WARN level
* [ ] Do not use `unsafe-inline` or `unsafe-eval` in the Content Security Policy
* [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**)
* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s (**APP-NOHTML**)
* [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**)
* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**)
* [ ] When managing permissions, make sure access controls are enforced server-side (**APP-ACL**)
* [ ] Set the Secure and HttpOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use a sensible Expiration (**APP-SECCOOKIE**)
* [ ] Keep third-party libraries up to date (**APP-DEPS**)
  * Use [NSP](https://nodesecurity.io/) or [Greenkeeper](https://greenkeeper.io/) for NodeJS applications
* [ ] Set the X-XSS-Protection header
* [ ] Host user uploaded content on a separate domain (e.g. FxA avatar images on firefoxcontent.com, bug attachments on bug<bug ID>.bmoattachments.org)
* [ ] Forbid the use of third-party resources (GA, Optimizely, ...) on sites that have privileged permissions in Firefox (AMO, testpilot)
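As an added illustration (not part of the wiki page or Mozilla's tooling), the following Python checker evaluates one HTTP response's headers and Set-Cookie values against the header-related items above: INFRA-HSTS, INFRA-HPKP, the unsafe-inline/unsafe-eval rule, APP-NOHTML and APP-SECCOOKIE. The sample headers, pin values and cookie are constructed, and `CSP-NO-UNSAFE` is our own label for the checklist item that carries no control id.

```python
import re

# Minimum max-age values from the checklist: INFRA-HSTS (1 year), INFRA-HPKP (60 days).
HSTS_MIN_AGE = 31536000
HPKP_MIN_AGE = 5184000

def _max_age(header_value):
    """Return the integer max-age from a header value, or None when absent."""
    match = re.search(r"max-age=(\d+)", header_value or "", re.IGNORECASE)
    return int(match.group(1)) if match else None

def _cookie_ok(set_cookie):
    """APP-SECCOOKIE: one Set-Cookie value must carry Secure, HttpOnly and an expiry."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:] if p.strip()}
    return {"secure", "httponly"} <= attrs and bool({"max-age", "expires"} & attrs)

def check_response(headers, set_cookies=(), is_api=False):
    """Map each header-related control id to True (pass) or False (fail); header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}
    results["INFRA-HSTS"] = (_max_age(h.get("strict-transport-security")) or 0) >= HSTS_MIN_AGE
    hpkp = h.get("public-key-pins", "")
    # RFC 7469 requires at least two pins (one backup); the wiki example header ships four.
    results["INFRA-HPKP"] = (_max_age(hpkp) or 0) >= HPKP_MIN_AGE and hpkp.count("pin-sha256=") >= 2
    csp = h.get("content-security-policy", "")
    # The checklist item has no control id; "CSP-NO-UNSAFE" is our own label.
    results["CSP-NO-UNSAFE"] = bool(csp) and not re.search(r"unsafe-(inline|eval)", csp)
    results["APP-SECCOOKIE"] = all(_cookie_ok(c) for c in set_cookies)
    if is_api:  # APP-NOHTML applies to web APIs only
        ctype = h.get("content-type", "")
        results["APP-NOHTML"] = bool(ctype) and not ctype.lower().startswith("text/html")
    return results

# Constructed sample: an API response that passes everything except a cookie missing HttpOnly.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Public-Key-Pins": 'max-age=5184000; pin-sha256="PLACEHOLDER1="; pin-sha256="PLACEHOLDER2="',
    "Content-Security-Policy": "default-src 'self'",
    "Content-Type": "application/json",
}
SAMPLE_COOKIES = ["session=abc; Secure; Max-Age=3600; Path=/"]

def failing_controls(headers=SAMPLE_HEADERS, set_cookies=SAMPLE_COOKIES, is_api=True):
    """Sorted list of control ids the response fails."""
    return sorted(c for c, ok in check_response(headers, set_cookies, is_api).items() if not ok)

if __name__ == "__main__":
    print(failing_controls())  # ['APP-SECCOOKIE']
```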
Data rules