Changes


Security/FirefoxOperations

903 bytes added, 20:45, 24 April 2018
no edit summary
* Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com
* The signature verification will eventually become a requirement for shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd-party GitHub integration compromising our source code.
* [ ] Enable security scanning of 3rd-party libraries and dependencies
  * Use [`nsp check`](https://nodesecurity.io/) for NodeJS applications (see usage in [FxA](https://github.com/mozilla/fxa-customs-server/search?utf8=%E2%9C%93&q=nsp&type=) and [screenshots](https://github.com/mozilla-services/screenshots/search?utf8=%E2%9C%93&q=nsp&type=))
  * For Python applications, enable pyup security updates:
    * Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
    * Enable branch protection for master and other development branches. Make sure the approved-mozilla-pyup-configuration team *CANNOT* push to those branches.
    * From the "add a team" dropdown on your repo's /settings page, add the relevant "Approved Mozilla PyUp Configuration" team for your GitHub org (e.g. for [mozilla](https://github.com/orgs/mozilla/teams/approved-mozilla-pyup-configuration) and [mozilla-services](https://github.com/orgs/mozilla-services/teams/approved-mozilla-pyup-configuration)) and grant it write permission so it can make pull requests
    * Notify secops@mozilla.com to enable the integration in pyup
* [ ] Keep 3rd-party libraries up to date (in addition to the security updates)
  * For NodeJS applications, use [renovate](https://renovateapp.com/) or [GreenKeeper](https://greenkeeper.io/)
  * For Python, use `pip list --outdated`, [requires.io](https://requires.io/) or pyup outdated checks
  * For Rust, use `cargo update` and [cargo upgrade](https://github.com/killercup/cargo-edit#cargo-upgrade) when changing versions
* [ ] Integrate static code analysis in CI, and avoid merging code with issues
  * JavaScript applications should use ESLint with the [Mozilla ruleset](https://developer.mozilla.org/en-US/docs/ESLint)
* Store session keys server side (typically in a db) so that they can be revoked immediately.
* Session keys must be changed on login to prevent session fixation attacks.
* Session cookies must have the HttpOnly and Secure flags set and the SameSite attribute set to 'strict'.
  * For more information about potential pitfalls see the [OWASP Session Management Cheat Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet)
* [ ] Access control should be via existing and well-regarded frameworks. If you really do need to roll your own, then contact the security team for a design and implementation review.
* [ ] If you are building a core Firefox service, consider adding it to the list of restricted domains in the preference `extensions.webextensions.restrictedDomains`. This will prevent a malicious extension from being able to steal sensitive information from it, see [bug 1415644](https://bugzilla.mozilla.org/show_bug.cgi?id=1415644).
* JavaScript applications should use [DOMPurify](https://github.com/cure53/DOMPurify/)
* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation)
  * POST body size should be small (<500kB) unless explicitly needed
* [ ] When managing permissions, make sure access controls are enforced server-side
* [ ] If caching is used, then make sure that any data cached does not incorrectly allow access to data protected by access control
* [ ] If handling cryptographic keys, you must have a mechanism to handle quarterly key rotations
  * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
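The three session items above (server-side session storage so keys can be revoked immediately, a fresh session key on login against session fixation, and cookies carrying HttpOnly, Secure and SameSite=Strict) fit together in one small piece of code. This is an added example written for this page, not code from the wiki or from any Mozilla service; `SessionStore`, `login_user` and `session_cookie_header` are illustrative names, and a dict stands in for the database.

```python
import secrets
from http.cookies import SimpleCookie

# Illustrative names, assumed for this example only (not a Mozilla library).


class SessionStore:
    """Server-side session store. A dict stands in for the database so the
    example runs offline; the point is that the server owns the session
    state, so a revoked key stops working on the very next request."""

    def __init__(self):
        self._sessions = {}  # session key -> session data

    def create(self, data=None):
        key = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._sessions[key] = dict(data or {})
        return key

    def get(self, key):
        return self._sessions.get(key)

    def revoke(self, key):
        return self._sessions.pop(key, None) is not None

    def revoke_all(self):
        # The emergency option: every session is gone immediately.
        self._sessions.clear()

    def rotate(self, old_key, extra=None):
        """Issue a fresh key carrying over the old data and drop the old key.
        Doing this at login is what defeats session fixation: a key planted
        before authentication never becomes an authenticated session."""
        data = self._sessions.pop(old_key, {})
        data.update(extra or {})
        return self.create(data)


def login_user(store, pre_login_key, username):
    # Call only after the credentials have been verified.
    return store.rotate(pre_login_key, {"user": username})


def session_cookie_header(key, name="sessionid"):
    """Build the Set-Cookie header with the flags the checklist requires."""
    cookie = SimpleCookie()
    cookie[name] = key
    cookie[name]["httponly"] = True      # not readable from document.cookie
    cookie[name]["secure"] = True        # only sent over HTTPS
    cookie[name]["samesite"] = "Strict"  # not sent on cross-site requests
    cookie[name]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    store = SessionStore()
    anonymous_key = store.create()
    authenticated_key = login_user(store, anonymous_key, "alice")
    print(session_cookie_header(authenticated_key))
    print("pre-login key still valid?", store.get(anonymous_key) is not None)
```

`SimpleCookie` emits `SameSite=Strict` only on Python 3.8 or later; on older interpreters the attribute has to be appended to the header by hand.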
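For the key-rotation item, the mechanism that makes a quarterly rotation painless is a key id on every signed value plus a grace period during which the retired key still verifies. The following is an added example for this page, not code from the wiki or any Mozilla project; `SigningKeyring` and the `<kid>.<payload>.<mac>` token layout are assumptions of the example, the secrets are constructed values, and HMAC-SHA256 stands in for whatever primitive the service actually uses.

```python
import base64
import hashlib
import hmac

# Illustrative names and token layout, assumed for this example only.


def b64encode_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64decode_nopad(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyring:
    """HMAC keys addressed by key id. New values are always signed with the
    newest key; a retired key keeps verifying for `grace_seconds` so a
    rotation does not invalidate every outstanding value at once."""

    def __init__(self, grace_seconds: int):
        self.grace_seconds = grace_seconds
        self._keys = {}  # kid -> {"secret": bytes, "retired_at": int or None}
        self.current_kid = None

    def add_key(self, kid: str, secret: bytes):
        self._keys[kid] = {"secret": secret, "retired_at": None}
        self.current_kid = kid

    def rotate(self, new_kid: str, new_secret: bytes, now: int):
        """Retire the current key (still valid during the grace period) and
        make the new key current. Run quarterly; grace_seconds=0 is the
        'destroy all sessions' behaviour the checklist mentions."""
        if self.current_kid is not None:
            self._keys[self.current_kid]["retired_at"] = now
        self.add_key(new_kid, new_secret)

    def _expired(self, entry, now: int) -> bool:
        retired = entry["retired_at"]
        return retired is not None and now - retired >= self.grace_seconds

    def purge(self, now: int) -> int:
        """Delete keys whose grace period has ended; returns how many."""
        dead = [k for k, v in self._keys.items() if self._expired(v, now)]
        for k in dead:
            del self._keys[k]
        return len(dead)

    def sign(self, payload: bytes) -> str:
        secret = self._keys[self.current_kid]["secret"]
        mac = hmac.new(secret, payload, hashlib.sha256).digest()
        return f"{self.current_kid}.{b64encode_nopad(payload)}.{b64encode_nopad(mac)}"

    def verify(self, token: str, now: int):
        """Return the payload if the token verifies under a live key, else None."""
        try:
            kid, payload_b64, mac_b64 = token.split(".")
        except ValueError:
            return None
        entry = self._keys.get(kid)
        if entry is None or self._expired(entry, now):
            return None
        payload = b64decode_nopad(payload_b64)
        expected = hmac.new(entry["secret"], payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64decode_nopad(mac_b64)):
            return None
        return payload


if __name__ == "__main__":
    ring = SigningKeyring(grace_seconds=7 * 24 * 3600)
    ring.add_key("2018q1", b"constructed-secret-1")  # constructed sample secret
    token = ring.sign(b"user=alice")
    ring.rotate("2018q2", b"constructed-secret-2", now=2000)
    print("old token during grace:", ring.verify(token, now=2000 + 3600))
    print("old token after grace:", ring.verify(token, now=2000 + 8 * 24 * 3600))
```

The grace period should be at least the longest lifetime of anything signed with the old key; for session-signing keys, choosing zero is exactly the "destroy all sessions" trade-off the sub-item above describes.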