- Use `pip list --outdated` or requires.io for Python applications.
- If handling cryptographic keys, there must be a mechanism to handle monthly key rotations (APP-KEYROT).
  - All keys must be rotated quarterly.
  - Keys used to sign sessions don't need a rotation mechanism if destroying all sessions during rotation is acceptable.
### Additional websites requirements

The following coding rules only apply to websites, not web APIs.

- Never store passwords; use Firefox Accounts (APP-IDP).
- Forbid mixed content; always use HTTPS (APP-MIXCONTENT).
- Must have a CSP with (APP-CSP):
  - a `report-uri` pointing to the service's `/cspreport` endpoint
  - `frame-options` set to `deny`
  - no use of `unsafe-inline` or `unsafe-eval`
- Must have CSRF tokens, with only specific forms manually excluded (APP-CSRF).
- Should consider having checksums for 3rd-party content via SRI (APP-SRI).
  - Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide whether a 3rd-party script is trustworthy (and assume it is not).
- Consider security headers as appropriate (APP-HEADERS):
  - `X-Content-Type-Options`
  - `X-Frame-Options`
  - `X-XSS-Protection`
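As an added example (not part of this checklist), a small Python check that tests a set of response headers against the APP-CSP and APP-HEADERS items above: the CSP must carry a `report-uri` ending in `/cspreport` and no `unsafe-inline` or `unsafe-eval`, and the three headers must be present, with `X-Frame-Options` set to deny and `X-Content-Type-Options` to nosniff. The expected header values and the two sample header sets are this example's assumptions.

```python
CSP_REPORT_PATH = "/cspreport"  # report endpoint named by APP-CSP
# Headers named by APP-HEADERS: a value means the header must carry exactly it, None means
# only presence is checked (the expected values are this example's assumption, not the checklist's).
EXPECTED_HEADERS = {"x-content-type-options": "nosniff", "x-frame-options": "deny",
                    "x-xss-protection": None}


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def check_headers(headers):
    """Return the list of checklist findings; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("APP-CSP: no Content-Security-Policy header")
    else:
        policy = parse_csp(csp)
        if not any(uri.endswith(CSP_REPORT_PATH) for uri in policy.get("report-uri", [])):
            findings.append("APP-CSP: report-uri does not point to %s" % CSP_REPORT_PATH)
        for directive, sources in policy.items():
            for banned in ("'unsafe-inline'", "'unsafe-eval'"):
                if banned in sources:
                    findings.append("APP-CSP: %s allows %s" % (directive, banned))
    for name, expected in EXPECTED_HEADERS.items():
        actual = h.get(name)
        if actual is None:
            findings.append("APP-HEADERS: missing %s" % name)
        elif expected is not None and actual.strip().lower() != expected:
            findings.append("APP-HEADERS: %s is %r, expected %r" % (name, actual, expected))
    return findings


# Constructed sample responses: one that satisfies the checklist and one that does not.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; report-uri /cspreport",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY", "X-XSS-Protection": "1; mode=block",
}
BAD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /report",
    "X-Frame-Options": "SAMEORIGIN",
}
```

Running `check_headers(GOOD_HEADERS)` returns an empty list, while `check_headers(BAD_HEADERS)` reports the wrong report-uri, the `unsafe-inline` source, the two missing headers and the `SAMEORIGIN` frame option.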
### Data rules

- When storing sensitive user data (like browsing history) on Mozilla servers:
  - Anonymize it (similar to Tiles) (DATA-ANON)
  - Encrypt it client-side (similar to Sync) (DATA-CRYPT)
  - If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it.
- If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used (DATA-SIGN).
  - Add-ons must use standard AMO signing (APP-SIGNING).
  - Code & configuration must use Content-Signature via Autograph (DATA-SIGNING).
# Security Checklist

All services integrated with Firefox or that provide services to Firefox users must follow the security rules listed below.

You can copy and paste the checklist below into a GitHub issue.

### Infrastructure rules

### Coding rules

The following rules apply to all web applications: APIs and websites.