WebAppSec/Secure Coding Details
Michael Coates - mcoates [at] mozilla.com
This document provides code examples and links to support the secure coding guidelines document.
The layout of this document will exactly follow the layout of the secure coding guidelines with the exception that this document will have a final category in each section that is language/framework specific (e.g. php, django etc). If adding a new item to this document ensure the necessary structure is in place.
Secure Coding Details
Django provides built-in support for setting the SECURE flag on the session id cookie. By default Django does NOT set the flag, so enable it in settings.py:
SESSION_COOKIE_SECURE = True
Cross Domain / Unintended User Actions
Preventing Malicious Site Framing (ClickJacking)
Pull in the Mozilla commonware library and add it to your middleware (example)
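The two Django-side controls above (the Secure flag on the session cookie, and the anti-framing header that such middleware adds) can be verified from the response headers an application actually sends. The following is an added example, not code from this page, Django or commonware; the header lines are constructed, and the (name, value) list format and the cookie names checked are assumptions.

```python
"""Audit HTTP response headers for a missing Secure flag on session-related
cookies and for a missing X-Frame-Options header (added example)."""
from http.cookies import SimpleCookie

# Constructed sample response headers: a list of (name, value) pairs, since a
# response may carry several Set-Cookie lines. Here sessionid lacks Secure.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=xyz789; Path=/; Secure"),
]


def cookies_missing_secure(headers, names=("sessionid", "csrftoken")):
    """Return the names of the cookies of interest set without the Secure flag."""
    missing = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # parses "key=value; Attr=...; Secure; HttpOnly"
        for key, morsel in jar.items():
            # morsel["secure"] is True when the flag is present, "" otherwise
            if key in names and not morsel["secure"]:
                missing.append(key)
    return missing


def frame_protection_present(headers):
    """True if X-Frame-Options is set to DENY or SAMEORIGIN."""
    for name, value in headers:
        if name.lower() == "x-frame-options":
            if value.strip().upper() in ("DENY", "SAMEORIGIN"):
                return True
    return False


def audit(headers):
    """Summarise both checks as a dict of findings (empty means no findings)."""
    findings = {}
    insecure = cookies_missing_secure(headers)
    if insecure:
        findings["cookies_without_secure"] = insecure
    if not frame_protection_present(headers):
        findings["x_frame_options"] = "missing or permissive"
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS))
```

Run it against headers captured from a real deployment (e.g. from a curl -I response) to confirm the settings took effect after a change.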
Admin Login Pages
Force Login and Admin Pages to be SSL
Add define('FORCE_SSL_ADMIN', true); to the wp-config.php file.
Force Admin Requests on HTTP to Rewrite as HTTPS