You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Apr 6, 2022. It is now read-only.
The service must be registered via a New Service issue. You need to have access to the mozilla-services GitHub organization to be able to view and create this issue (ping secops if you don't have access).
If the service is not hosted under services.mozilla.com, it must be manually added to Firefox's preloaded pins. This only applies to production services, not short-lived experiments.
Correctly set client IP
Confirm client ip is in the proper location in X-Forwarded-For, modifying what is sent from the client if needed. AWS and GCP's load balancers will do this automatically.
Make sure the web server and the application get the true client IP by configuring trusted IP's within Nginx or Apache
[ ] If you have a service-oriented architecture, you must always be able to find the IP of the client that sent the initial request. We recommend passing along the X-Forwarded-For to all back-end services. - N/A, application is a static site that does not use client IP
If service has an admin panels, it must: (Note, the service is an admin panel)
only be available behind Mozilla VPN (which provides MFA)
The site and UI are available without VPN, but no editing can be done (editing servers are behind VPN)
require Auth0 authentication
Anonymous access is read only, editing requires Auth0 login
[ ] Build and deploy main or -slim variants of official language-specific base docker images e.g. node, python, or rust and contact secops@ if you want to use other variants - N/A no Docker images used.
Development
Ensure your code repository is configured and located appropriately:
Application built internally should be hosted in trusted GitHub organizations (mozilla, mozilla-services, mozilla-bteam, mozilla-conduit, mozilla-mobile, taskcluster). Sometimes we build and deploy applications we don't fully control. In those cases, the Dockerfile that builds the application container should be hosted in its own repository in a trusted organization.
The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code.
Use whitelisting mechanisms in these tools to deal with false positives
Dual Sign Off
Services that push data to Firefox clients must require a dual sign off on every change, implemented in their admin panels
This mechanism must be reviewed and approved by the Firefox Operations Security team before being enabled in production
Logging
[ ] Publish detailed logs in mozlog format (APP-MOZLOG) N/A no logs are generated
Business logic must be logged with app specific codes (see FxA)
Access control failures must be logged at WARN level
Web Applications
Must have a CSP with
a report-uri pointing to the service's own /__cspreport__ endpoint
web API responses should return default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__ to disallowing all content rendering, framing, and report violations
if default-src is not none, frame-src, and object-src should be none or only allow specific origins
no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src
[ ] Third-party javascript must be pinned to specific versions using Subresource Integrity (SRI) No third-party JS is included at runtime, only at built time where it is protected by Yarn hashes.
[ ] Web APIs: No APIs exposed
[ ] must set a non-HTML content-type on all responses, including 300s, 400s and 500s
[ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests
[ ] Should use authentication tokens with a unique pattern which is easily parsed with a regexp. This should allow inclusion into a token scanning service in the future. (E.g. prefix mgp- + 20 hex digits would match the regexp \bmgp-[0-9A-Fa-f]{20}\b)
Filter for your service name and check that the "failures" column is 0. Click on each individual site for additional information about any failures.
If you need to document exceptions to the baseline e.g. to mark a search form as CSRF exempt, contact secops@ or ping 'psiinon' on github to get the scan config updated
Security Features
Authentication of end-users should be via FxA. Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team.
Session Management should be via existing and well regarded frameworks. In all cases you should contact the security team for a design and implementation review
Store session keys server side (typically in a db) so that they can be revoked immediately.
Session keys must be changed on login to prevent session fixation attacks.
Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login).
[ ] When using cookies for session management, make sure you have CSRF protections in place, which in 99% of cases is SameSite cookies. If you can't use SameSite, use anti CSRF tokens. There are two exceptions to implementing CSRF protection: Cookies aren't used for session management
Forms that don't change state (e.g. search forms) don't need CSRF protection and can indicate that by setting the 'data-no-csrf' form attribute (this tells our ZAP scanner to ignore those forms when testing for CSRF).
Sites that don't use cookies for anything sensitive can ignore CSRF protection. A lot of modern sites prefer to use local-storage JWTs for session management, which aren't vulnerable to CSRF (but must have a rock solid CSP).
Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review.
If you are building a core Firefox service, consider adding it to the list of restricted domains in the preference extensions.webextensions.restrictedDomains. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.
Databases No databases are used
[ ] All SQL queries must be parameterized, not concatenated
[ ] Applications must use accounts with limited GRANTS when connecting to databases
In particular, applications must not use admin or owner accounts, to decrease the impact of a sql injection vulnerability.
POST body size should be small (<500kB) unless explicitly needed
When allowing users to upload or generate content, make sure to host that content on a separate domain (eg. firefoxusercontent.com, etc.). This will prevent malicious content from having access to storage and cookies from the origin.
Also use this technique to host rich content you can't protect with a CSP, such as metrics reports, wiki pages, etc.
When managing permissions, make sure access controls are enforced server-side
If an authenticated user accesses protected resource, make sure the pages with those resource arent cached and served up to unauthenticated users (like via a CDN).
[ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations No cryptographic keys
Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
Do not proxy requests from users without strong limitations and filtering (see Pocket UserData vulnerability). Don't proxy requests to link local, loopback, or private networks or DNS that resolves to addresses in those ranges (i.e. 169.254.0.0/16, 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, 198.18.0.0/15).
Do not use target="_blank" in external links unless you also use rel="noopener noreferrer" (to prevent Reverse Tabnabbing)
The text was updated successfully, but these errors were encountered:
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hi,
as a follow-up of the RRA of Normandy Devtools, here is our security web checklist. All recommendations may not apply to your service.
Risk Management
Infrastructure
strict-transport-security: max-age=31536000
services.mozilla.com
, it must be manually added to Firefox's preloaded pins. This only applies to production services, not short-lived experiments.[ ] If you have a service-oriented architecture, you must always be able to find the IP of the client that sent the initial request. We recommend passing along the- N/A, application is a static site that does not use client IPX-Forwarded-For
to all back-end services.[ ] Build and deploy main or -slim variants of official language-specific base docker images e.g. node, python, or rust and contact secops@ if you want to use other variants- N/A no Docker images used.Development
pip list --outdated
or requires.io or pyup outdated checkscargo update
and cargo upgrade when changing versionsDual Sign Off
Logging
[ ] Publish detailed logs in mozlog format (APP-MOZLOG)N/A no logs are generatedWeb Applications
/__cspreport__
endpointdefault-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__
to disallowing all content rendering, framing, and report violationsnone
, frame-src, and object-src should benone
or only allow specific origins[ ] Third-party javascript must be pinned to specific versions using Subresource Integrity (SRI)No third-party JS is included at runtime, only at built time where it is protected by Yarn hashes.[ ] Web APIs:No APIs exposed[ ] must set a non-HTML content-type on all responses, including 300s, 400s and 500s[ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests[ ] Should use authentication tokens with a unique pattern which is easily parsed with a regexp. This should allow inclusion into a token scanning service in the future. (E.g. prefixmgp-
+ 20 hex digits would match the regexp\bmgp-[0-9A-Fa-f]{20}\b
)[ ] for Cookiescookies are not used__Host-
for the cookie nameSecurity Features
[ ] When using cookies for session management, make sure you have CSRF protections in place, which in 99% of cases is SameSite cookies. If you can't use SameSite, use anti CSRF tokens. There are two exceptions to implementing CSRF protection:Cookies aren't used for session managementextensions.webextensions.restrictedDomains
. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.DatabasesNo databases are used[ ] All SQL queries must be parameterized, not concatenated[ ] Applications must use accounts with limited GRANTS when connecting to databasesCommon issues
[ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotationsNo cryptographic keystarget="_blank"
in external links unless you also userel="noopener noreferrer"
(to prevent Reverse Tabnabbing)The text was updated successfully, but these errors were encountered: