Confirm
529
edits
Changes
no edit summary
-----------
* [ ] Ensure your code repository is configured and located appropriately:
* Only designated people [ ] Application built internally should be allowed to push to production branches. ([hosted in trusted GitHub protected branches]organizations (https://help.github.com/articles/configuringmozilla, mozilla-services, mozilla-bteam, mozilla-protectedconduit, mozilla-branches/mobile, taskcluster).) * Branch protections Sometimes we build and deploy applications we don't fully control. In those cases, the Dockerfile that builds the application container should always apply to administrators as wellbe hosted in its own repository in a trusted organization. * Host [ ] Secure your repository in a trusted organization (one that follows by implementing [EIS RecommendationsMozilla's GitHub security standard](https://managithub.com/mozilla.org/wiki/display/POLICIES-services/Standard%3A+GitHub+repositories+and+organizations)). A list is maintained [here](https:/-Audit/wiki.mozilla.orgblob/Githubmaster/Trusted_Organizations)checklist. * Ensure all contributors are in compliance with the [user guidelines](https://wiki.mozilla.org/Github/Repository_Security#Membershipmd) * Elevated permissions should be granted to teams, not individual accounts, whenever possible. (Only org members can be part of a team.)
* [ ] Sign all release tags, and ideally commits as well
* Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com
* Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login).
* For more information about potential pitfalls see the [OWASP Session Management Cheat Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet)
* [ ] Form that change state should use anti CSRF tokens. Anti CSRF tokens can be dropped for internal sites using SameSite session cookies where we are sure all users will be on Firefox 60+. Forms that do not change state (e.g. search forms) should use the 'data-no-csrf' form attribute.
* [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review.
* [ ] If you are building a core Firefox service, consider adding it to the list of restricted domains in the preference `extensions.webextensions.restrictedDomains`. This will prevent a malicious extension from being able to steal sensitive information from it, see [bug 1415644](https://bugzilla.mozilla.org/show_bug.cgi?id=1415644).
