(Rename to FoxSec)
No edit summary
| Line 153: | Line 153: | ||
The following rules apply to all web applications: api and websites. | The following rules apply to all web applications: api and websites. | ||
* [ ] Sign all commits (**APP-COMMITSIG**) | * [ ] Sign all release tags, and maybe commits (**APP-COMMITSIG**) | ||
* Developers should [configure git to sign all | * Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com | ||
* The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code. | |||
* [ ] Detailed logging in mozlog format (**APP-MOZLOG**) | * [ ] Detailed logging in mozlog format (**APP-MOZLOG**) | ||
* Business logic must be logged with app specific codes (errno) | * Business logic must be logged with app specific codes (errno) | ||
* Access control failures must be logged at WARN level | * Access control failures must be logged at WARN level | ||
* [ ] Must have a CSP with (**APP-CSP**) | |||
* [ ] a report-uri pointing to the service's own `/__cspreport__` endpoint | |||
* [ ] web APIs should set `default-src` to `none`, disallowing all content rendering | |||
* [ ] if default-src is not `self`, frame-src should be `none` or only allow specific origins | |||
* [ ] no use of unsafe-inline or unsafe-eval | |||
* [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**) | |||
* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s | |||
* [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**) | * [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**) | ||
* [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**) | * [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**) | ||
* [ ] Enforce Access Controls server-side (**APP-ACL**) | * [ ] Enforce Access Controls server-side (**APP-ACL**) | ||
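Review bot: the reworded APP-COMMITSIG heading, "Sign all release tags, and maybe commits", turns a checklist requirement into a suggestion, and the sub-bullet (tags only) and the linked article title ("signing your commits") still disagree about what is signed; suggest one unambiguous requirement, e.g. `* [ ] Sign all release tags; commit signing is recommended (**APP-COMMITSIG**)`, and mark the verification sub-bullet as not yet enforced, since it says the check "will eventually become a requirement" and a reviewer ticking the box today cannot rely on it. In the new APP-CSP sub-items, `none` and `self` are CSP keywords and must be quoted in the real header (`default-src 'none'`), so the wiki text should show them quoted to avoid copy-paste errors; the frame-src rule also reads more clearly as "if default-src is broader than 'self', set frame-src to 'none' or an explicit origin list", since with `default-src 'none'` the frame-src fallback is already 'none'.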
| Line 178: | Line 183: | ||
* [ ] Never store passwords, use Firefox Accounts (**APP-IDP**) | * [ ] Never store passwords, use Firefox Accounts (**APP-IDP**) | ||
* [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**) | * [ ] Forbid Mixed content, always use HTTPS (**APP-MIXCONTENT**) | ||
* [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**) | * [ ] Must have CSRF tokens and manually excluded specific forms (**APP-CSRF**) | ||
* [ ] Should consider having checksums for 3rd-party content via SRI (**APP-SRI**). | * [ ] Should consider having checksums for 3rd-party content via SRI (**APP-SRI**). | ||
* Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not). | * Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not). | ||
* | * Set the following security headers (**APP-HEADERS**) | ||
* [ ] X-Content-Type-Options | * [ ] X-Content-Type-Options | ||
* [ ] X-Frame-Options | * [ ] X-Frame-Options | ||
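Review bot: the added APP-HEADERS line is the only control in this block without the `[ ]` checkbox the rest of the checklist uses, so it will be skipped when the list is scored; suggest `* [ ] Set the following security headers (**APP-HEADERS**)`. The sub-items name each header but not the value a reviewer must verify; suggest spelling them out as `X-Content-Type-Options: nosniff` and `X-Frame-Options: DENY` (or `SAMEORIGIN` only where same-site framing is actually required), and noting that a CSP `frame-ancestors` directive covers the same framing control for browsers that support it.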