67
edits
No edit summary |
|||
| Line 19: | Line 19: | ||
* Account creation with blacklisted password support | * Account creation with blacklisted password support | ||
* (Possible) Secure Password Reset | * (Possible) Secure Password Reset | ||
''How'' | |||
* Login with database and different users | |||
=== Access Control === | === Access Control === | ||
* Presentation, Business, Data Layer Access Control | * Presentation, Business, Data Layer Access Control | ||
** Presentation and Data layers use decorators | |||
** Read about presentation layer protection | |||
* (Possible) Two tier design for admin account separation | * (Possible) Two tier design for admin account separation | ||
** The picture of separate control of changing passwords | |||
=== Input Validation === | === Input Validation === | ||
| Line 29: | Line 34: | ||
* File Handling | * File Handling | ||
* SQL | * SQL | ||
* Content Security Policy | * Content Security Policy | ||
** outsource all javascript source! for the CSP demo as 2nd barrier beyond escaping characters | |||
* (Possible) Third party service | * (Possible) Third party service | ||
* (Possible) Third party hosted images. Initial processing and per visit processing? | * (Possible) Third party hosted images. Initial processing and per visit processing? | ||
| Line 36: | Line 42: | ||
* Full & correct TLS | * Full & correct TLS | ||
* HTTP Strict Transport Security | * HTTP Strict Transport Security | ||
''How'' | |||
* Follow [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Introduction these rules] | |||
=== Cross Domain Controls === | === Cross Domain Controls === | ||
* X-frame-options | * X-frame-options in header options | ||
=== Cookie Protection === | === Cookie Protection === | ||
| Line 45: | Line 53: | ||
== Roadmap == | == Roadmap == | ||
# Setup playdoh & github | # X Setup [[https://github.com/mozilla/playdoh/ playdoh]] & [https://github.com/haoqili/MozSecWorld github] | ||
# Running HelloWorld | # X Running HelloWorld | ||
# Design Planning | # X Design Planning | ||
# Code basic item first (x-frame-options) | # Make "about" pages for each bullet above | ||
#* have a generic django template | |||
# Code basic item first (x-frame-options, secure flag, httponly flag) | |||
# Use bleach for rich text. | |||
# add decorators for data and business layers | |||
# read about presentation layer | |||
# Complete initial presentation layer and CSS for basic item | # Complete initial presentation layer and CSS for basic item | ||
# Setup backend database | # Setup backend database | ||
# Authentication | # Authentication/login | ||
# File upload stuff | |||
== Links References == | == Links References == | ||
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines | https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines | ||
edits