Changes


Security/FirefoxOperations

394 bytes added, 12:58, 1 November 2018
no edit summary
* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation)
  * POST body size should be small (<500kB) unless explicitly needed
* [ ] When allowing users to upload or generate content, make sure to host that content on a separate domain (e.g. firefoxusercontent.com, etc.). This will prevent malicious content from having access to storage and cookies from the origin.
  * Also use this technique to host rich content you can't protect with a CSP, such as metrics reports, wiki pages, etc.
* [ ] When managing permissions, make sure access controls are enforced server-side
* [ ] If an authenticated user accesses a protected resource, make sure the pages with those resources aren't cached and served up to unauthenticated users (like via a CDN).
* [ ] If handling cryptographic keys, you must have a mechanism to handle quarterly key rotations
  * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
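
One way to enforce the caching item above, as an added example that is not part of the wiki page: a WSGI middleware that rewrites cache headers so a CDN or other shared cache never stores a response tied to a logged-in user. Treating `Cookie` and `Authorization` as the credential headers, the `no-store` policy, and all names in the code are assumptions of this sketch.

```python
# Added example (not Mozilla's code): keep authenticated responses out of
# shared caches such as a CDN. Header choices below are assumptions.
CREDENTIAL_ENV_KEYS = ("HTTP_COOKIE", "HTTP_AUTHORIZATION")
CACHE_HEADERS = {"cache-control", "expires", "pragma"}


def harden(headers):
    """Drop any cache directives the app set and forbid storing the response."""
    kept = [(n, v) for n, v in headers if n.lower() not in CACHE_HEADERS]
    kept.append(("Cache-Control", "no-store"))
    return kept


class NoSharedCacheForAuthenticated:
    """Force no-store when the request carries credentials or the response
    sets a cookie (a login response must not be cached either)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        has_credentials = any(environ.get(k) for k in CREDENTIAL_ENV_KEYS)

        def guarded_start(status, headers, exc_info=None):
            sets_cookie = any(n.lower() == "set-cookie" for n, _ in headers)
            if has_credentials or sets_cookie:
                headers = harden(headers)
            return start_response(status, headers, exc_info)

        return self.app(environ, guarded_start)


def demo_app(environ, start_response):
    # Constructed sample app that wrongly marks every page publicly cacheable.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "public, max-age=3600")])
    return [b"<h1>account page</h1>"]


def response_headers(app, environ):
    """Run one request through `app` and return its headers (lower-cased)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update({n.lower(): v for n, v in headers})

    b"".join(app(environ, start_response))
    return captured
```

Anonymous requests keep whatever caching the application chose; only responses tied to credentials are rewritten.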