This repository was archived by the owner on Jan 29, 2025. It is now read-only.
This repository was archived by the owner on Jan 29, 2025. It is now read-only.
[tracker] Security checklist #286
Description
Risk Management
- The service must have performed a Rapid Risk Assessment and have a Risk Record bug (SVC-RRA).
Infrastructure rules
- Use Intermediate TLS (INFRA-TLS)
- Set HSTS to 31536000 (1 year) (INFRA-HSTS)
- Set HPKP to 5184000 (60 days) (INFRA-HPKP)
Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";- Start with max-age set to 5 minutes and increase gradually
- Pin to the EV and DV roots of Digicert
- If the service is not hosted under
services.mozilla.com, it must be manually added to Firefox's preloaded pins.
- If service has an admin panels, it must:
- only be available behind Mozilla VPN (which provides MFA) (INFRA-ADMINVPN)
- require LDAP authentication (INFRA-ADMINLDAP)
- enforce a two-man rule on sensitive changes (INFRA-2MANRULE)
Coding rules
The following rules apply to all web applications: api and websites.
- Sign all commits (APP-COMMITSIG)
- Developers should configure git to sign all commits and upload their PGP fingerprint to https://login.mozilla.com
- Detailed logging in mozlog format (APP-MOZLOG)
- Business logic must be logged with app specific codes (errno)
- Access control failures must be logged at WARN level
- All SQL queries must be parameterized, not concatenated (APP-SQL)
- User data must be escaped for the right context prior to reflecting it (APP-ESCAPE)
- Apply sensible limits to user inputs, see input validation (APP-INPUTVAL)
- Enforce Access Controls server-side (APP-ACL)
- Set the Secure flag on Cookies, and use sensible Expiration and HTTPOnly (APP-SECCOOKIE)
- Keep 3rd-party libraries up to date (APP-DEPS)
- Use NSP or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications
- Use pip --outdated or requires.io for Python applications
- If handling cryptographic keys, must have a mechanism to handle monthly key rotations (APP-KEYROT)
- All keys must be rotated quarterly.
- Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable during.
Additional websites requirements
The following coding rules only apply to websites, not web apis.
- Never store passwords, use Firefox Accounts (APP-IDP)
- Forbid Mixed content, always use HTTPS (APP-MIXCONTENT)
- Must have a CSP with (APP-CSP)
- a report-uri pointing to the service's own
/__cspreport__endpoint - if default-src is not
self, child-src should benoneor only allow specific origins - no use of unsafe-inline or unsafe-eval
- a report-uri pointing to the service's own
- Must have CSRF tokens and manually excluded specific forms (APP-CSRF)
- Should consider having checksums for 3rd-party content via SRI (APP-SRI).
- Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).
- Consider Security headers as appropriate (APP-HEADERS)
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
Data rules
- When storing sensitive user data (like browsing history) on Mozilla servers:
- Anonymize it (similar to Tiles) (DATA-ANON)
- Encrypt it client-side (similar to Sync) (DATA-CRYPT)
- If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it.
- If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used. (DATA-SIGN)
- Addons must use standard AMO signing (APP-SIGNING)
- Code & Conf must use Content-Signature via Autograph (DATA-SIGNING)
Metadata
Metadata
Assignees
Labels
No labels