No edit summary |
No edit summary |
| Line 129: | Line 129: | ||
<source lang:markdown> | <source lang:markdown> | ||
Risk Management | |||
--------------- | |||
* [ ] The service must have performed a Rapid Risk Assessment and have a Risk Record bug (**SVC-RRA**). | * [ ] The service must have performed a Rapid Risk Assessment and have a Risk Record bug (**SVC-RRA**). | ||
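Review bot: the `<source lang:markdown>` wrapper at the top of this region uses a colon, but MediaWiki's source/syntaxhighlight tag takes the attribute form `lang="markdown"`; as rendered here the block would not be highlighted as Markdown, so check the raw wikitext and fix it if the colon is really there. The added `Risk Management` setext heading itself is fine: the dash underline matches the heading length, and placing it directly above the (**SVC-RRA**) item groups the Rapid Risk Assessment and Risk Record requirement under its own section, consistent with the tagged-item style of the rest of the checklist.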
| Line 137: | Line 139: | ||
* [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**) | * [ ] Set HSTS to 31536000 (1 year) (**INFRA-HSTS**) | ||
* [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**) | * [ ] Set HPKP to 5184000 (60 days) (**INFRA-HPKP**) | ||
* `Public-Key-Pins: max-age=300; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; | * `Public-Key-Pins: max-age=300; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; | ||
* Start with max-age set to 5 minutes and increase gradually | * Start with max-age set to 5 minutes and increase gradually | ||
* Pin to the EV and DV roots of Digicert | * Pin to the EV and DV roots of Digicert | ||
* [ ] If the service is not hosted under `services.mozilla.com`, it must be manually added to [Firefox's preloaded pins](https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#184). | |||
* If service has an admin panels, it must: | * If service has an admin panels, it must: | ||
* [ ] only be available behind Mozilla VPN (which provides MFA) (**INFRA-ADMINVPN**) | * [ ] only be available behind Mozilla VPN (which provides MFA) (**INFRA-ADMINVPN**) | ||
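Review bot: the new preloaded-pins checklist item carries no identifier, while every other item in this region does ((**INFRA-HSTS**), (**INFRA-HPKP**), (**INFRA-ADMINVPN**)), so it cannot be cited from a Risk Record bug the way the others can; give it a tag in the same style (for example a hypothetical (**INFRA-HPKP-PRELOAD**)). Two smaller points on the same hunk: the link to `PreloadedHPKPins.json` is anchored to a specific line (`#184`), which will drift as that file changes, so link to the file without the line fragment; and, as rendered here, the example `Public-Key-Pins:` header line has no closing backtick, so in Markdown the inline-code span runs past the end of the line. Since a preloaded pin applies to every Firefox user and a mismatch with the served chain is a hard failure, it would also help to state explicitly that the pins submitted for preloading must be the same Digicert EV and DV root pins listed under the HPKP item, including a working backup pin.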