No edit summary |
No edit summary |
| Line 62: | Line 62: | ||
This might be just code for testing. If so then it should probably be removed? | This might be just code for testing. If so then it should probably be removed? | ||
=== API | === API Input Validation === | ||
HIGH RISK - Input validation is generally lacking. | HIGH RISK - Input validation is generally lacking. | ||
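Review bot: the context line "This might be just code for testing. If so then it should probably be removed?" is left as an open question in both revisions; turn it into an action item (confirm with the developer whether the block is test-only and, if so, track its removal) so the finding has a disposition. The heading change from the truncated "=== API" to "=== API Input Validation ===" fixes the section title, but "HIGH RISK - Input validation is generally lacking" would be easier to act on and verify if it named at least one concrete handler and parameter that accepts unvalidated input.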
| Line 76: | Line 74: | ||
https://github.com/jrconlin/wmf/blob/master/src/mozilla.org/wmf/handlers.go#L319 | https://github.com/jrconlin/wmf/blob/master/src/mozilla.org/wmf/handlers.go#L319 | ||
=== API Keys === | |||
Just a MapBox key. | Just a MapBox key. | ||
=== API Abuse === | |||
Resource exhaustion, the usual. Not sure if we should be worried about it in the app itself. May be better for a front-end proxy? | |||
=== Internals Exposure === | |||
Are /metrics and /status supposed to be public? I don't think they expose anything critical but still .. is this info we want others to capture? | |||
=== Frontend === | === Frontend === | ||
I see some inline javascript in the frontend. I understand this is not the final frontend, but | I see some inline javascript in the frontend. I understand this is not the final frontend, but I still want to raise this because it would be in the way of applying a proper CSP policy to this application. (Which means no inline script of style) | ||
=== Deployment === | === Deployment === | ||
This app is supposed to deal with a potentially large number of websocket connections. AFAIK we do not have a front-end proxy that can properly deal with this. Does that mean this app will be exposed directly to the public internet? If so, will the app have to implement specific things that we normally do in Zeus or HAProxy? | This app is supposed to deal with a potentially large number of websocket connections. AFAIK we do not have a front-end proxy that can properly deal with this. Does that mean this app will be exposed directly to the public internet? If so, will the app have to implement specific things that we normally do in Zeus or HAProxy? (Maybe i am wrong about this) | ||
The development deployment does not send out basic security headers. We would like the app to send out XFO, HSTS and CSP. | The development deployment does not send out basic security headers. We would like the app to send out XFO, HSTS and CSP. | ||
Ideally we do a Staging Deployment under HTTPS with all required security parameters enabled. Then we can a final assessment of things like HSTS, cookies, redirect to SSL. | Ideally we do a Staging Deployment under HTTPS with all required security parameters enabled. Then we can a final assessment of things like HSTS, cookies, redirect to SSL. | ||
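Review bot: "Just a MapBox key." under "=== API Keys ===" is a finding without a disposition; state where the key is stored, whether it is sent to the browser, and whether it is restricted to the app's origins, since a key embedded in frontend code has to be treated as public. Under "=== Internals Exposure ===", the question whether /metrics and /status should be public reads better as a recommendation (restrict them to the internal network or require auth, and confirm what fields they actually return). Two typos in the added text: "no inline script of style" should be "no inline script or style", and "Then we can a final assessment" is missing "do". The "=== API Abuse ===" item and the Zeus/HAProxy question in "=== Deployment ===" both hinge on whether a front-end proxy will sit in front of the websocket endpoint; that open point should be settled before the staging assessment so rate limiting and the XFO, HSTS and CSP headers are assigned to the right layer.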