MozillaWiki

User:Apking/Web Security Guidelines: Difference between revisions

User page Discussion

User:Apking/Web Security Guidelines (view source)

Revision as of 20:34, 17 February 2016

1,656 bytes added ,  17 February 2016
move around the table, bunches of other small changes
(A bunch of minor fixes with kang's feedback)
(move around the table, bunches of other small changes)
Line 1: Line 1:
__NOTOC__
<div style="max-width: 75em;">
<div style="max-width: 75em;">
<table>
  <table>
  <tr>
    <tr>
    <td class="toclimit-1" style="white-space: nowrap;">__TOC__</td>
      <td style="white-space: nowrap;">
    <td style="vertical-align: top; padding-left: 1em;">The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below.
        <!-- Roll our own TOC, since the wiki has very old styles -->
        <div id="toc" class="toc">
          <div id="toctitle">
            <h2>Contents</h2>
          </div>
          <ul style="padding-right: 1em;">
            <li>[[#Web Security Cheat Sheet|1 Cheat Sheet]]
            <li>[[#Transport Layer Security|2 Transport Layer Security]]
            <li>
              <ul>
                <li>[[#HTTPS|2.1 HTTPS]]</li>
                <li>[[#HTTP Strict Transport Security|2.2 HTTP Strict Transport Security]]</li>
                <li>[[#HTTP Redirections|2.3 HTTP Redirections]]</li>
                <li>[[#HTTP Public Key Pinning|2.4 HTTP Public Key Pinning]]</li>
                <li>[[#Resource Loading|2.5 Resource Loading]]</li>
              </ul>
            </li>
            <li>[[#Content Security Policy|3 Content Security Policy]]</li>
            <li>[[#contribute.json|4 contribute.json]]</li>
            <li>[[#Cookies|5 Cookies]]</li>
            <li>[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]</li>
            <li>[[#CSRF Prevention|7 CSRF Prevention]]</li>
            <li>[[#robots.txt|8 robots.txt]]</li>
            <li>[[#Subresource Integrity|9 Subresource Integrity]]</li>
            <li>[[#X-Content-Type-Options|10 X-Content-Type-Options]]</li>
            <li>[[#X-Frame-Options|11 X-Frame-Options]]</li>
            <li>[[#X-XSS-Protection|12 X-XSS-Protection]]</li>
            <li>[[#Version History|13 Version History]]</li>
          </ul>
        </div>
      </td>
      <td style="vertical-align: top; padding: 1.5em 1em 0 1.5em;">
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.


The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the OpSec team, and broadcast to the various Operational teams.
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the OpSec team, and broadcast to the various Operational teams.


Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].
    </td>
      </td>
  </tr>
    </tr>
</table>
  </table>
</div>
 
 
= Web Security Cheat Sheet =
 
{| class="wikitable sortable" style="width: 100%;"
|-
! data-sort-type="number" | Guideline
! Impact
! Difficulty
! data-sort-type="number" | Order<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&dagger;</sup>
! Requirements
! Notes
|- style="background-color: #9EDB58;"
| data-sort-value="1" | [[#HTTPS|<span style="color: black;">HTTPS</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" data-sort-value="0" |
| Mandatory
| Sites should use HTTPS (or other secure protocols) for all communications
|- style="background-color: #E99696;"
| data-sort-value="2" style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]]
| style="text-align: center;" | P5
| style="text-align: center;" | High
| style="text-align: center;" data-sort-value="99" | --
| Mandatory for maximum risk sites only
| Not recommended for most sites
|- style="background-color: #9EDB58;"
| data-sort-value="3" style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | 3
| Mandatory
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely
|- style="background-color: #9EDB58;"
| data-sort-value="4" style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | 2
| Mandatory for all websites
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS
|- style="background-color: #9EDB58;"
| data-sort-value="5" style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | 4
| Mandatory for all websites
| Minimum allowed time period of six months
|- style="background-color: #9EDB58;"
| data-sort-value="6" style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | 1
| Mandatory
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]
|- style="background-color: #E8E27A;"
| data-sort-value="7" | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]]
| style="text-align: center;" | P2
| style="text-align: center;" | High
| style="text-align: center;" | 10
| Mandatory for new websites<br>Recommended for existing websites
| Disabling inline script is the greatest concern for CSP implementation
|- style="background-color: #9EDB58;"
| data-sort-value="8" | [[#Cookies|<span style="color: black;">Cookies</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | 7
| Mandatory for all new websites<br>Recommended for existing websites
| All cookies must be set with the Secure flag, and set as restrictively as possible
|- style="background-color: #D2D2D2;"
| data-sort-value="9" | [[#contribute.json|<span style="color: black;">contribute.json</span>]]
| style="text-align: center;" | P4
| style="text-align: center;" | Easy
| style="text-align: center;" | 9
| Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites
| Mozilla sites should serve contribute.json and keep contact information up-to-date
|- style="background-color: #9EDB58;"
| data-sort-value="10" | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | 11
| Mandatory
| Origin sharing headers and files should not be present, except for specific use cases
|- style="background-color: #D2D2D2;"
| data-sort-value="11" | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]]
| style="text-align: center;" | P2
| style="text-align: center;" | Varies
| style="text-align: center;" | 6
| Varies
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation
|- style="background-color: #D2D2D2;"
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| style="text-align: center;" | P5
| style="text-align: center;" | Easy
| style="text-align: center;" | 13
| Optional
| Websites that implement robots.txt must use it only for noted purposes
|- style="background-color: #E8E27A;"
| data-sort-value="13" | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]]
| style="text-align: center;" | P5
| style="text-align: center;" | Moderate
| style="text-align: center;" | 14
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup>
| <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup> Only for websites that load JavaScript or stylesheets from foreign origins
|- style="background-color: #E8E27A;"
| data-sort-value="14" | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | 8
| Recommended for all websites
| Websites should verify that they are setting the proper MIME types for all resources
|- style="background-color: #9EDB58;"
| data-sort-value="15" | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]]
| style="text-align: center;" | P2
| style="text-align: center;" | Easy
| style="text-align: center;" | 5
| Mandatory for all websites
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
|- style="background-color: #E8E27A;"
| data-sort-value="16" | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]]
| style="text-align: center;" | P4
| style="text-align: center;" | Moderate
| style="text-align: center;" | 12
| Mandatory for all new websites<br>Recommended for existing websites
| Manual testing should be done for existing websites, prior to implementation
|}
 
<div style="margin-left: 1.5em;"><sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&dagger;</sup> Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.</div>
 


<div style="max-width: 75em;">
= Transport Layer Security =
= Transport Layer Security =


Line 484: Line 648:
| Initial document creation
| Initial document creation
|}
|}
= Web Security Cheat Sheet =
{| class="wikitable sortable" style="width: 100%;"
|-
! data-sort-type="number" | Guideline
! Impact
! Difficulty
! data-sort-type="number" | Order<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&dagger;</sup>
! Requirements
! Notes
|- style="background-color: #9EDB58;"
| data-sort-value="1" | [[#HTTPS|<span style="color: black;">HTTPS</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" data-sort-value="0" |
| Mandatory
| Sites should use HTTPS (or other secure protocols) for all communications
|- style="background-color: #E99696;"
| data-sort-value="2" style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]]
| style="text-align: center;" | P5
| style="text-align: center;" | High
| style="text-align: center;" data-sort-value="99" | --
| Mandatory for maximum risk sites only
| Not recommended for most sites
|- style="background-color: #9EDB58;"
| data-sort-value="3" style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | 3
| Mandatory
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely
|- style="background-color: #9EDB58;"
| data-sort-value="4" style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | 2
| Mandatory for all websites
| Both passive and active resources should be loaded through protocols using TLS, such as HTTPS
|- style="background-color: #9EDB58;"
| data-sort-value="5" style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | 4
| Mandatory for all websites
| Minimum allowed time period of six months
|- style="background-color: #9EDB58;"
| data-sort-value="6" style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| style="text-align: center;" | 1
| Mandatory
| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]
|- style="background-color: #E8E27A;"
| data-sort-value="7" | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]]
| style="text-align: center;" | P2
| style="text-align: center;" | High
| style="text-align: center;" | 10
| Mandatory for new websites<br>Recommended for existing websites
| Disabling inline script is the greatest concern for CSP implementation
|- style="background-color: #9EDB58;"
| data-sort-value="8" | [[#Cookies|<span style="color: black;">Cookies</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | 7
| Mandatory for all new websites<br>Recommended for existing websites
| All cookies must be set with the Secure flag, and set as restrictively as possible
|- style="background-color: #D2D2D2;"
| data-sort-value="9" | [[#contribute.json|<span style="color: black;">contribute.json</span>]]
| style="text-align: center;" | P4
| style="text-align: center;" | Easy
| style="text-align: center;" | 9
| Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites
| Mozilla sites should serve contribute.json and keep contact information up-to-date
|- style="background-color: #9EDB58;"
| data-sort-value="10" | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | 11
| Mandatory
| Origin sharing headers and files should not be present, except for specific use cases
|- style="background-color: #D2D2D2;"
| data-sort-value="11" | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]]
| style="text-align: center;" | P2
| style="text-align: center;" | Varies
| style="text-align: center;" | 6
| Varies
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation
|- style="background-color: #D2D2D2;"
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| style="text-align: center;" | P5
| style="text-align: center;" | Easy
| style="text-align: center;" | 13
| Optional
| Websites that implement robots.txt must use it only for noted purposes
|- style="background-color: #E8E27A;"
| data-sort-value="13" | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]]
| style="text-align: center;" | P5
| style="text-align: center;" | Moderate
| style="text-align: center;" | 14
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup>
| <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup> Only for websites that load JavaScript or stylesheets from foreign origins
|- style="background-color: #E8E27A;"
| data-sort-value="14" | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| style="text-align: center;" | 8
| Recommended for all websites
| Websites should verify that they are setting the proper MIME types for all resources
|- style="background-color: #9EDB58;"
| data-sort-value="15" | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]]
| style="text-align: center;" | P2
| style="text-align: center;" | Easy
| style="text-align: center;" | 5
| Mandatory for all websites
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
|- style="background-color: #E8E27A;"
| data-sort-value="16" | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]]
| style="text-align: center;" | P4
| style="text-align: center;" | Moderate
| style="text-align: center;" | 12
| Mandatory for all new websites<br>Recommended for existing websites
| Manual testing should be done for existing websites, prior to implementation
|}
<div style="margin-left: 1.5em;"><sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&dagger;</sup> Suggested order that administrators implement the web security guidelines. It is based on a combination of the security impact and the ease of implementation from an operational and developmental perspective.</div>
Apking
Anti-spam team, Confirmed users
99

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1117527"