WebAppSec/MozSecureWorld: Difference between revisions

Jump to navigation Jump to search
no edit summary
No edit summary
Line 19: Line 19:
* Account creation with blacklisted password support
* Account creation with blacklisted password support
* (Possible) Secure Password Reset  
* (Possible) Secure Password Reset  
''How''
* Login with database and different users


=== Access Control ===
=== Access Control ===
* Presentation, Business, Data Layer Access Control
* Presentation, Business, Data Layer Access Control
** Presentation and Data layers use decorators
** Read about presentation layer protection
* (Possible) Two tier design for admin account separation
* (Possible) Two tier design for admin account separation
** The picture of separate control of changing passwords


=== Input Validation ===
=== Input Validation ===
Line 29: Line 34:
* File Handling
* File Handling
* SQL  
* SQL  
* Content Security Policy
* Content Security Policy  
** outsource all javascript source! for the CSP demo as 2nd barrier beyond escaping characters
* (Possible) Third party service
* (Possible) Third party service
* (Possible) Third party hosted images. Initial processing and per visit processing?
* (Possible) Third party hosted images. Initial processing and per visit processing?
Line 36: Line 42:
* Full & correct TLS
* Full & correct TLS
* HTTP Strict Transport Security
* HTTP Strict Transport Security
''How''
* Follow [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Introduction these rules]


=== Cross Domain Controls ===
=== Cross Domain Controls ===
* X-frame-options
* X-frame-options in header options


=== Cookie Protection ===
=== Cookie Protection ===
Line 45: Line 53:


== Roadmap ==
== Roadmap ==
# Setup playdoh & github
# X Setup [[https://github.com/mozilla/playdoh/ playdoh]] & [https://github.com/haoqili/MozSecWorld github]
# Running HelloWorld  
# X Running HelloWorld  
# Design Planning
# X Design Planning
# Code basic item first (x-frame-options)
# Make "about" pages for each bullet above
#* have a generic django template
# Code basic item first (x-frame-options, secure flag, httponly flag)
# Use bleach for rich text.
# add decorators for data and business layers
# read about presentation layer
# Complete initial presentation layer and CSS for basic item
# Complete initial presentation layer and CSS for basic item
# Setup backend database
# Setup backend database  
# Authentication
# Authentication/login
# File upload stuff


== Links References ==
== Links References ==
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
67

edits

Navigation menu