Changes

Security/FirefoxOperations

241 bytes added, 16:27, 13 September 2018
no edit summary
* The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code.
* [ ] enable security scanning of 3rd-party libraries and dependencies
* Use [`nsp checknpm audit`](https://nodesecuritydocs.ionpmjs.com/cli/audit) for node.js (see usage in [FxA](https://github.com/mozilla-services/fxa-customs-serverscreenshots/search?utf8=%E2%9C%93&q=nspnpm%20audit&type=) and ) (NB: there are [screenshotsopen](https://github.com/mozilla-services/screenshots/search?utf8=%E2%9C%93&q=nsp&type=issues/4803) [issues](https://github.com/mozilla/fxa/issues/303)for handling exceptions)
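Review bot: the `nsp check` to `npm audit` replacement on this bullet leaves the rendered text inconsistent: the old and new tool names, doc URLs and repo names are run together, "and )" is left dangling where the FxA search link was dropped, and "for handling exceptions" is missing its leading space. Suggest the bullet read "Use [`npm audit`](https://docs.npmjs.com/cli/audit) for node.js (see usage in [screenshots](https://github.com/mozilla-services/screenshots/search?utf8=%E2%9C%93&q=npm%20audit&type=)) (NB: there are [open](https://github.com/mozilla-services/screenshots/issues/4803) [issues](https://github.com/mozilla/fxa/issues/303) for handling exceptions)". The caveat about open issues for exceptions is the operationally important part of the change, since a scanner that cannot record an accepted or unfixable finding tends to get disabled in CI rather than triaged; keep that note and consider stating the interim expectation (e.g. document each accepted finding in the repo until the tooling supports it).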
* For Python, enable pyup security updates:
* Add a pyup config to your repo (example config: https://github.com/mozilla-services/antenna/blob/master/.pyup.yml)
* notify secops@mozilla.com to enable the integration in pyup
* [ ] Keep 3rd-party libraries up to date (in addition to the security updates)
* For NodeJS applications, use [renovate](https://renovateapp.com/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper)
* For Python, use ``pip list --outdated`` or [requires.io](https://requires.io/) or pyup outdated checks
* For Rust, use `cargo update` and [cargo upgrade](https://github.com/killercup/cargo-edit#cargo-upgrade) when changing versions
* Access control failures must be logged at WARN level
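Review bot: "Access control failures must be logged at WARN level" is filed among the dependency-update bullets, where a reader will not look for it; it belongs with the logging requirements, and it should say what counts as a failure (a denied authorization decision versus a failed login) and what the log line must carry (requester identity, resource, decision) so the control can be verified. Two smaller points in this region: the GreenKeeper link target contains a stray "Greenkeeper" after the URL, which breaks the markdown link, and `pip list --outdated` is wrapped in double backticks where the rest of the page uses single ones.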
Security HeadersWeb Applications
----------------
* [ ] Must have a CSP with
* [ ] if default-src is not `none`, frame-src, and object-src should be `none` or only allow specific origins
* [ ] no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src
* [ ] Third-party javascript must be pinned to specific versions using [Subresource Integrity (SRI)](https://infosec.mozilla.org/guidelines/web_security#subresource-integrity)
* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s
* [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration
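Review bot: the heading rename is rendered as "Security HeadersWeb Applications" with the old and new titles fused, so the section title needs to be re-entered as the intended new one; the CSP bullet "Must have a CSP with" is meant to introduce the two sub-items that follow, but they sit at the same list level, so nest them (indented `* [ ]`) or end the parent with a colon. The `default-src` sub-item reads ambiguously with "frame-src, and object-src should be"; suggest "if `default-src` is not `'none'`, then `frame-src` and `object-src` must be `'none'` or restricted to specific origins". On the next sub-item, `'unsafe-inline'` and `'unsafe-eval'` are source keywords that only have meaning for `script-src` and `style-src` (and `default-src` as their fallback); listing `img-src` there adds nothing and may confuse reviewers, so drop it. Finally, the cookie flag is spelled `HttpOnly` in the Set-Cookie attribute; the bullet should use that spelling and also name `SameSite`, which the linked Cookies guideline is the natural place to require.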