Security Checklist #1

jvehent opened this issue Aug 23, 2016 · 1 comment
jvehent commented Aug 23, 2016

Security Checklist

All services integrated with Firefox or that provide services to Firefox users must follow the security rules listed below.

You can copy and paste the checklist below into a GitHub issue.

Infrastructure rules

  • Use Modern TLS (INFRA-TLS)
  • Set HSTS to 31536000 (one year) (INFRA-HSTS)
  • Set HPKP to 2592000 (30 days) (INFRA-HPKP)
  • If a service has an admin panel, it must:
    • only be available behind Mozilla VPN (which provides MFA) (INFRA-ADMINVPN)
    • require LDAP authentication (INFRA-ADMINLDAP)
    • enforce a two-man rule on sensitive changes (INFRA-2MANRULE)

Coding rules

The following rules apply to all web applications: APIs and websites.

  • Detailed logging in mozlog format (APP-MOZLOG)
    • Business logic must be logged with app specific codes (errno)
    • Access control failures must be logged at WARN level
  • All SQL queries must be parameterized, not concatenated (APP-SQL)
  • User data must be escaped for the right context prior to reflecting it (APP-ESCAPE)
  • Apply sensible limits to user inputs, see input validation (APP-INPUTVAL)
  • Enforce Access Controls server-side (APP-ACL)
  • Set the Secure flag on Cookies, and use sensible Expiration and HTTPOnly (APP-SECCOOKIE)
  • Keep 3rd-party libraries up to date (APP-DEPS)
  • If handling cryptographic keys, must have a mechanism to handle monthly key rotations (APP-KEYROT)
    • All keys must be rotated quarterly.
    • Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable during.

Additional websites requirements

The following coding rules only apply to websites, not web APIs.

  • Never store passwords, use Firefox Accounts (APP-IDP)
  • Forbid Mixed content, always use HTTPS (APP-MIXCONTENT)
  • Must have a CSP with (APP-CSP)
    • a report-uri pointing to the service /cspreport
    • frame-options set to deny
    • no use of unsafe-inline or unsafe-eval
  • Must have CSRF tokens and manually exclude specific forms (APP-CSRF)
  • Should consider having checksums for 3rd-party content via SRI (APP-SRI).
    • Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).
  • Consider Security headers as appropriate (APP-HEADERS)
    • X-Content-Type-Options
    • X-Frame-Options
    • X-XSS-Protection

Data rules

  • When storing sensitive user data (like browsing history) on Mozilla servers:
    • Anonymize it (similar to Tiles) (DATA-ANON)
    • Encrypt it client-side (similar to Sync) (DATA-CRYPT)
    • If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it.
  • If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used. (DATA-SIGN)
    • Addons must use standard AMO signing (APP-SIGNING)
    • Code & Conf must use Content-Signature via Autograph (DATA-SIGNING)
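As an added example (not part of this issue or of any Mozilla tool), a small Python checker that tests a captured HTTP response's headers against the header-level items of the checklist above (INFRA-HSTS, INFRA-HPKP, APP-CSP, APP-SECCOOKIE, APP-HEADERS). The two sample responses, the HPKP pin placeholder and the cookie names are constructed for illustration.

```python
import re

HSTS_MIN = 31536000  # one year (INFRA-HSTS)
HPKP_MIN = 2592000   # 30 days (INFRA-HPKP)

def _max_age(value):
    """Return the max-age=N directive of a header value, or 0 if absent."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

def check_headers(headers):
    """headers: header name -> list of values. Returns sorted failed checklist IDs."""
    h = {k.lower(): v for k, v in headers.items()}
    def first(name):
        return (h.get(name) or [""])[0]
    failed = set()
    if _max_age(first("strict-transport-security")) < HSTS_MIN:
        failed.add("INFRA-HSTS")
    if _max_age(first("public-key-pins")) < HPKP_MIN:
        failed.add("INFRA-HPKP")
    csp = first("content-security-policy").lower()  # APP-CSP
    if (not re.search(r"report-uri\s+\S*/cspreport", csp)
            or "'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        failed.add("APP-CSP")
    for cookie in h.get("set-cookie", []):  # APP-SECCOOKIE: Secure and HttpOnly on each
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            failed.add("APP-SECCOOKIE")
    # APP-HEADERS: nosniff, X-Frame-Options deny, X-XSS-Protection present
    if (first("x-content-type-options").strip().lower() != "nosniff"
            or first("x-frame-options").strip().lower() != "deny"
            or not first("x-xss-protection").strip()):
        failed.add("APP-HEADERS")
    return sorted(failed)
# Constructed sample responses (not captured from any real service).
GOOD = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Public-Key-Pins": ['pin-sha256="PLACEHOLDER_PIN"; max-age=2592000'],
    "Content-Security-Policy": ["default-src 'self'; report-uri /cspreport"],
    "Set-Cookie": ["session=abc123; Secure; HttpOnly; Max-Age=3600"],
    "X-Content-Type-Options": ["nosniff"],
    "X-Frame-Options": ["DENY"],
    "X-XSS-Protection": ["1; mode=block"],
}
WEAK = {
    "Strict-Transport-Security": ["max-age=86400"],
    "Content-Security-Policy": ["default-src 'self' 'unsafe-inline'; report-uri /cspreport"],
    "Set-Cookie": ["session=abc123; Secure"],
    "X-Frame-Options": ["SAMEORIGIN"],
}
```

`check_headers(WEAK)` flags every header rule the weak response breaks, while `check_headers(GOOD)` returns an empty list; it does not cover the non-header items (SQL, escaping, key rotation), which need code review rather than a response scan.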
psiinon commented Aug 25, 2016

Include Strict-Transport-Security as recommended header?
Start also recommending samesite cookie flag?
The checklist in general is good though :)
