| Line 130: | Line 130: | ||
* Contact secops@ or ping 'psiinon' on github to document exceptions to the baseline, mark csrf exempt forms, etc. | * Contact secops@ or ping 'psiinon' on github to document exceptions to the baseline, mark csrf exempt forms, etc. | ||
* [ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests | * [ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests | ||
Security Features | |||
----------------- | |||
* [ ] Authentication of end-users should be via FxA. Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team. | |||
* [ ] Session Management should be via existing and well regarded frameworks. In all cases you should contact the security team for a design and implementation review | |||
* Store session keys server side (typically in a db) so that they can be revoked immediately. | |||
* Session keys must be changed on login to prevent session fixation attacks. | |||
* Session cookies must have HttpOnly and Secure flags set. | |||
* For more information about potential pitfalls see the [OWASP Session Management Cheet Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet) | |||
* [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review. | |||
Databases | Databases | ||
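Review bot: the added Session Management bullet links to the "OWASP Session Management Cheet Sheet"; the name is misspelled and should read "Cheat Sheet" (the URL itself is already correct, only the link text needs the fix). Two smaller style points in the same hunk: the three sub-bullets under Session Management (server-side session storage, key rotation on login, HttpOnly and Secure cookie flags) are indented list items without the `[ ]` checkbox marker that every top-level item in this checklist uses, so decide whether they are checkable requirements or explanatory notes and mark them consistently; and the Session Management line ends without a full stop while its sibling Access Control line has one. On substance, since the cookie bullet already enumerates required flags, consider whether the SameSite attribute belongs in that list so the checklist stays aligned with the cheat sheet it points to.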