Security/FirefoxOperations: Difference between revisions

Security/FirefoxOperations (view source)

Revision as of 18:21, 13 February 2017

498 bytes added , 13 February 2017

no edit summary

Ulfr

Confirmed users

529

edits

@@ Line 135: / Line 135: @@
 --------------------
-* [ ] Use [Intermediate TLS](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility) (**INFRA-TLS**)
+* [ ] Access and application logs must be archived for a minimum of 90 days
+* [ ] Use [Modern](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) or [Intermediate](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility) TLS (**INFRA-TLS**)
 * [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**)
+  * `strict-transport-security: max-age=31536000`
 * [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**)
    * `Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";`
@@ Line 152: / Line 154: @@
 The following rules apply to all web applications: api and websites.
-* [ ] Sign all release tags, and maybe commits (**APP-COMMITSIG**)
+* [ ] Sign all release tags, and maybe commits as well (**APP-COMMITSIG**)
    * Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com
    * The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code.
-* [ ] Detailed logging in mozlog format (**APP-MOZLOG**)
+* [ ] Publish detailed logs in [mozlog](https://github.com/mozilla-services/Dockerflow/blob/master/docs/mozlog.md) format (**APP-MOZLOG**)
    * Business logic must be logged with app specific codes (errno)
    * Access control failures must be logged at WARN level
@@ Line 164: / Line 166: @@
    * [ ] no use of unsafe-inline or unsafe-eval
 * [ ] User data must be escaped for the right context prior to reflecting it (**APP-ESCAPE**)
-* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s
+* [ ] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s (**APP-NOHTML**)
 * [ ] All SQL queries must be parameterized, not concatenated (**APP-SQL**)
 * [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) (**APP-INPUTVAL**)
-* [ ] Enforce Access Controls server-side (**APP-ACL**)
+* [ ] When managing permissions, make sure access controls are enforced server-side (**APP-ACL**)
-* [ ] Set the Secure flag on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration and HTTPOnly (**APP-SECCOOKIE**)
+* [ ] Set the Secure and HTTPOnly flags on [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies), and use sensible Expiration (**APP-SECCOOKIE**)
 * Keep 3rd-party libraries up to date (**APP-DEPS**)
    * [ ]  Use [NSP](https://nodesecurity.io/) or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications
@@ Line 190: / Line 192: @@
    * [ ] X-XSS-Protection
 * [ ] Host user uploaded content on a separate domain (e.g. FxA avatar images on firefoxcontent.com, bug attachments on bug<bug ID>.bmoattachments.org)
+* [ ] Forbid the use of third party resources (GA, optimizely, ...) on sites that have privileges permissions in Firefox (AMO, testpilot)
 Data rules