User:Apking/Web Security Guidelines: Difference between revisions

add order column
(minor tweaks)
(add order column)
Line 466: Line 466:
|-
|-
! Guideline
! Guideline
! Priority
! Impact
! Difficulty
! Difficulty
! data-sort-type="number" | Order†
! Requirements
! Requirements
! Notes
! Notes
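Review bot: the new `Order†` header uses a literal † while the footnote after the table and the per-row markers use the `&dagger;`/`&ddagger;` entities; use one form (the entity is this page's existing convention) so the marker renders identically everywhere. Also, renaming `Priority` to `Impact` keeps the P1 to P5 cell values, which still read as priority codes; either keep the old header or say in the footnote that Pn is the impact scale.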
Line 474: Line 475:
| style="text-align: center;" | P1
| style="text-align: center;" | P1
| style="text-align: center;" | Medium
| style="text-align: center;" | Medium
| style="text-align: center;" | 1
| Mandatory
| Mandatory
| Use the most secure TLS configuration for your user base
| Use the most secure TLS configuration for your user base
Line 480: Line 482:
| style="text-align: center;" | P5
| style="text-align: center;" | P5
| style="text-align: center;" | High
| style="text-align: center;" | High
| style="text-align: center;" | --
| Mandatory for maximum risk sites only
| Mandatory for maximum risk sites only
| Not recommended for most sites
| Not recommended for most sites
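Review bot: `--` in the `Order` cell of this row will not sort numerically under `data-sort-type="number"` and may land at the top or bottom unpredictably when the column is sorted; if this row is intentionally unordered, leave the cell empty or give it an explicit sort key, e.g. `| data-sort-value="99" style="text-align: center;" | --`, so it sorts after the numbered rows.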
Line 486: Line 489:
| style="text-align: center;" | P1
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | Easy
| style="text-align: center;" | 2
| Mandatory
| Mandatory
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely
Line 492: Line 496:
| style="text-align: center;" | P1
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | Easy
| style="text-align: center;" | 3
| Mandatory for all websites
| Mandatory for all websites
| Minimum allowed time period of six months
| Minimum allowed time period of six months
Line 498: Line 503:
| style="text-align: center;" | P2
| style="text-align: center;" | P2
| style="text-align: center;" | High
| style="text-align: center;" | High
| style="text-align: center;" | 8
| Mandatory for new websites<br>Recommended for existing websites
| Mandatory for new websites<br>Recommended for existing websites
| Disabling inline script is the greatest concern for CSP implementation
| Disabling inline script is the greatest concern for CSP implementation
Line 504: Line 510:
| style="text-align: center;" | P3
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | Easy
| style="text-align: center;" | 6
| Mandatory for all new websites<br>Recommended for existing websites
| Mandatory for all new websites<br>Recommended for existing websites
| All cookies must be set with the Secure flag, and set as restrictively as possible
| All cookies must be set with the Secure flag, and set as restrictively as possible
Line 510: Line 517:
| style="text-align: center;" | P4
| style="text-align: center;" | P4
| style="text-align: center;" | Easy
| style="text-align: center;" | Easy
| style="text-align: center;" | 7
| Mandatory for all new websites<br>Recommended for existing sites
| Mandatory for all new websites<br>Recommended for existing sites
| Websites should serve contribute.json and keep contact information up-to-date
| Websites should serve contribute.json and keep contact information up-to-date
Line 516: Line 524:
| style="text-align: center;" | P3
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | Easy
| style="text-align: center;" | 9
| Mandatory
| Mandatory
| Origin sharing headers and files should not be present, except for specific use cases
| Origin sharing headers and files should not be present, except for specific use cases
Line 522: Line 531:
| style="text-align: center;" | P2
| style="text-align: center;" | P2
| style="text-align: center;" | Varies
| style="text-align: center;" | Varies
| style="text-align: center;" | 4
| Varies
| Varies
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation
Line 528: Line 538:
| style="text-align: center;" | P5
| style="text-align: center;" | P5
| style="text-align: center;" | Easy
| style="text-align: center;" | Easy
| style="text-align: center;" | 11
| Optional
| Optional
| Websites that implement robots.txt must use it only for noted purposes
| Websites that implement robots.txt must use it only for noted purposes
Line 534: Line 545:
| style="text-align: center;" | P5
| style="text-align: center;" | P5
| style="text-align: center;" | Moderate
| style="text-align: center;" | Moderate
| Recommended&dagger;
| style="text-align: center;" | 12
| &dagger; Only for websites that load JavaScript or stylesheets from non-Mozilla sources
| Recommended&ddagger;
| &ddagger; Only for websites that load JavaScript or stylesheets from non-Mozilla sources
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
| [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | Easy
| style="text-align: center;" | 6
| Recommended for all websites
| Recommended for all websites
| Websites should verify that they are setting the proper MIME types for all resources
| Websites should verify that they are setting the proper MIME types for all resources
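Review bot: the `Order` value `6` on the X-Content-Type-Options row duplicates the `6` already given to the cookie row in the `Line 504` hunk, so thirteen numbered rows only span 1 to 12; either renumber one of them or state in the footnote that equal values mean equal suggested order. The `&dagger;` to `&ddagger;` change on the `Recommended` row above is correct, since the new header now uses the single dagger.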
Line 546: Line 559:
| style="text-align: center;" | P2
| style="text-align: center;" | P2
| style="text-align: center;" | Easy
| style="text-align: center;" | Easy
| style="text-align: center;" | 5
| Mandatory for all websites
| Mandatory for all websites
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
Line 552: Line 566:
| style="text-align: center;" | P3
| style="text-align: center;" | P3
| style="text-align: center;" | Moderate
| style="text-align: center;" | Moderate
| style="text-align: center;" | 10
| Mandatory for all new websites<br>Recommended for existing websites
| Mandatory for all new websites<br>Recommended for existing websites
| Manual testing should be done for existing websites, prior to implementation
| Manual testing should be done for existing websites, prior to implementation
|}
|}
<div style="margin-left: 1.5em;">&dagger; Order is the suggested order that sites implement the listed web security guidelines. It is based on a combination of its security impact and the ease of implementation from an operational and developmental perspective.</div>
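Review bot: in the footnote, "its security impact" has no clear antecedent (the nearest noun is the plural "guidelines"); suggest "each guideline's security impact and the ease of implementing it". It would also help to say that Order is an editorial ranking rather than a function of the `Impact` and `Difficulty` cells, since the values do not follow those columns strictly (a P3/Easy row is ordered 6 while a P2/High row is 8).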