Security/FirefoxOperations

946 bytes added, 16:16, 12 September 2017
Security Checklist
* Contact secops@ or ping 'psiinon' on github to document exceptions to the baseline, mark csrf exempt forms, etc.
* [ ] Web APIs should export an OpenAPI (Swagger) specification to facilitate automated vulnerability tests

Security Features
-----------------
* [ ] Authentication of end-users should be via FxA (Firefox Accounts). Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team.
* [ ] Session Management should be via existing and well regarded frameworks. In all cases, contact the security team for a design and implementation review.
** Store session keys server side (typically in a database) so that they can be revoked immediately.
** Session keys must be regenerated on login, so that a key known before authentication is never upgraded to an authenticated one (session fixation).
** Session cookies must have the HttpOnly and Secure flags set.
** For more information about potential pitfalls see the [OWASP Session Management Cheat Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet)
* [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own, contact the security team for a design and implementation review.
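The session management items above, worked through as an added example (not code from this wiki page or from any Mozilla service). It assumes an in-memory dict standing in for the server-side database, a cookie named `sessionid`, and a fixed session lifetime; the store keeps only a hash of each key so that a dump of the table does not yield usable cookies, which is an extra hardening beyond what the checklist asks for.

```python
"""Server-side session store: revocable keys, rotation on login, safe cookie flags.

Added example for the checklist above; the in-memory dict, the cookie name
and the TTL are assumptions, not part of the original page.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

COOKIE_NAME = "sessionid"  # assumed cookie name


@dataclass
class SessionRecord:
    user_id: Optional[str]  # None for an anonymous, pre-login session
    expires_at: float


class SessionStore:
    """Keys live server side (here a dict standing in for a database table),
    so any of them can be revoked immediately. Only a SHA-256 of the key is
    stored: a leaked table does not hand an attacker working session cookies."""

    def __init__(self, ttl_seconds: int = 3600):
        self.ttl = ttl_seconds
        self._by_hash: Dict[str, SessionRecord] = {}

    @staticmethod
    def _h(session_key: str) -> str:
        return hashlib.sha256(session_key.encode()).hexdigest()

    def create(self, user_id: Optional[str] = None,
               now: Optional[float] = None) -> str:
        """Mint a fresh 256-bit key from the OS CSPRNG and return it to the caller."""
        now = time.time() if now is None else now
        key = secrets.token_urlsafe(32)
        self._by_hash[self._h(key)] = SessionRecord(user_id, now + self.ttl)
        return key

    def lookup(self, session_key: str,
               now: Optional[float] = None) -> Optional[SessionRecord]:
        """Return the record for a presented key, or None if unknown or expired."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._h(session_key))
        if rec is None:
            return None
        if rec.expires_at <= now:
            self.revoke(session_key)  # expired keys are dropped on sight
            return None
        return rec

    def revoke(self, session_key: str) -> None:
        self._by_hash.pop(self._h(session_key), None)

    def revoke_all_for_user(self, user_id: str) -> int:
        """Log a user out everywhere (password change, account compromise)."""
        doomed = [h for h, r in self._by_hash.items() if r.user_id == user_id]
        for h in doomed:
            del self._by_hash[h]
        return len(doomed)

    def login(self, presented_key: Optional[str], user_id: str,
              now: Optional[float] = None) -> str:
        """Bind the user to a *new* key. The key presented before login (which an
        attacker may have planted in the victim's browser) is revoked, never
        upgraded, so session fixation buys the attacker nothing."""
        if presented_key is not None:
            self.revoke(presented_key)
        return self.create(user_id, now)


def set_cookie_header(session_key: str, max_age: int) -> str:
    """Set-Cookie value with the flags the checklist requires (HttpOnly, Secure);
    SameSite=Lax is an added default that also blunts CSRF."""
    return (f"{COOKIE_NAME}={session_key}; Max-Age={max_age}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    planted = store.create()             # key an attacker could have fixed in the browser
    authed = store.login(planted, "alice")
    print("planted key still valid after login:", store.lookup(planted) is not None)
    print(set_cookie_header(authed, 60))
```

Note that `login` must be called on every authentication, not only the first, and that `revoke_all_for_user` is what makes the server-side store worth having: a framework that keeps session state only in a signed cookie cannot offer it.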
Databases