User:Apking/Web Security Guidelines: Difference between revisions

Tweak table a bunch, OpSec to Infosec
(move around the table, bunches of other small changes)
Line 38: Line 38:
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged.


The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the OpSec team, and broadcast to the various Operational teams.
The Enterprise Information Security (EIS) team maintains this document as a reference guide to navigate the rapidly changing landscape of web security. Changes are reviewed and merged by the Infosec team, and broadcast to the various Operational teams.


Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].
Updates to this page should be submitted to the [https://github.com/mozilla/wikimo_opsec source repository on github].
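Review bot: after the OpSec to Infosec change the maintainer is named two ways within three sentences, "Enterprise Information Security (EIS) team" in the first paragraph and "Infosec team" in the second. If these are the same group, use one name in both places (e.g. "the EIS team") so readers do not take them for separate approval bodies; if they are different groups, say which one owns the merge.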
Line 52: Line 52:
|-
|-
! data-sort-type="number" | Guideline
! data-sort-type="number" | Guideline
! Impact
! data-sort-type="number" | Benefit
! Difficulty
! data-sort-type="number" | Difficulty
! data-sort-type="number" | Order<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&dagger;</sup>
! data-sort-type="number" | Order<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&dagger;</sup>
! Requirements
! Requirements
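Review bot: the renamed Benefit column and the Difficulty column now carry data-sort-type="number" while their visible cell text is words (Maximum, High, Medium, Low, Varies), so column sorting only works if every cell in those columns also sets a data-sort-value. The rows in this diff all do, but a row added later without one will sort as text and scramble the order; a one-line wikitext comment above the header stating the 1-4 scale (and 99 for Varies) would protect against that and double as the legend the new columns currently lack.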
Line 59: Line 59:
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| data-sort-value="1" | [[#HTTPS|<span style="color: black;">HTTPS</span>]]
| data-sort-value="1" | [[#HTTPS|<span style="color: black;">HTTPS</span>]]
| style="text-align: center;" | P1
| data-sort-value="4" style="text-align: center;" | Maximum
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" data-sort-value="0" |  
| style="text-align: center;" data-sort-value="0" |  
| Mandatory
| Mandatory
Line 66: Line 66:
|- style="background-color: #E99696;"
|- style="background-color: #E99696;"
| data-sort-value="2" style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]]
| data-sort-value="2" style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]]
| style="text-align: center;" | P5
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | High
| data-sort-value="4" style="text-align: center;" | Maximum
| style="text-align: center;" data-sort-value="99" | --
| style="text-align: center;" data-sort-value="99" | --
| Mandatory for maximum risk sites only
| Mandatory for maximum risk sites only
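Review bot: this row now reads Benefit Low, Difficulty Maximum, yet the Requirements cell keeps "Mandatory for maximum risk sites only", so the lowest-benefit, hardest guideline in the table is the one that is mandatory for the most sensitive sites. If the Low rating reflects the narrow threat pinning addresses and the outage risk of a bad pin, a footnote on the Requirements cell (the table already uses the dagger style for Order) would make the combination read as intentional rather than as a data-entry error.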
Line 73: Line 73:
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| data-sort-value="3" style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]]
| data-sort-value="3" style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]]
| style="text-align: center;" | P1
| data-sort-value="4" style="text-align: center;" | Maximum
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 3
| style="text-align: center;" | 3
| Mandatory
| Mandatory
Line 80: Line 80:
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| data-sort-value="4" style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]]
| data-sort-value="4" style="padding-left: 1.5em;" | [[#Resource Loading|<span style="color: black;">Resource Loading</span>]]
| style="text-align: center;" | P1
| data-sort-value="4" style="text-align: center;" | Maximum
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 2
| style="text-align: center;" | 2
| Mandatory for all websites
| Mandatory for all websites
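Review bot: style point on the unchanged Requirements cell: this row says "Mandatory for all websites" while HTTPS, Redirections from HTTP, TLS Configuration and Cross-origin Resource Sharing say just "Mandatory". Since the table is being reworked anyway, pick one wording for the unconditional case so the qualified variants ("for new websites", "for maximum risk sites only") stand out.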
Line 87: Line 87:
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| data-sort-value="5" style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]]
| data-sort-value="5" style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]]
| style="text-align: center;" | P1
| data-sort-value="3" style="text-align: center;" | High
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 4
| style="text-align: center;" | 4
| Mandatory for all websites
| Mandatory for all websites
Line 94: Line 94:
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| data-sort-value="6" style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]]
| data-sort-value="6" style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]]
| style="text-align: center;" | P1
| data-sort-value="2" style="text-align: center;" | Medium
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 1
| style="text-align: center;" | 1
| Mandatory
| Mandatory
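Review bot: the TLS Configuration row links to [[#HTTPS]], the same anchor the parent HTTPS row uses (unchanged context, but worth fixing while this row is edited). If the TLS guidance has its own section or lives on another page, point the link there; as it stands, clicking the sub-item just jumps to the parent section.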
Line 101: Line 101:
|- style="background-color: #E8E27A;"
|- style="background-color: #E8E27A;"
| data-sort-value="7" | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]]
| data-sort-value="7" | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]]
| style="text-align: center;" | P2
| data-sort-value="3" style="text-align: center;" | High
| style="text-align: center;" | High
| data-sort-value="3" style="text-align: center;" | High
| style="text-align: center;" | 10
| style="text-align: center;" | 10
| Mandatory for new websites<br>Recommended for existing websites
| Mandatory for new websites<br>Recommended for existing websites
Line 108: Line 108:
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| data-sort-value="8" | [[#Cookies|<span style="color: black;">Cookies</span>]]
| data-sort-value="8" | [[#Cookies|<span style="color: black;">Cookies</span>]]
| style="text-align: center;" | P3
| data-sort-value="3" style="text-align: center;" | High
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 7
| style="text-align: center;" | 7
| Mandatory for all new websites<br>Recommended for existing websites
| Mandatory for all new websites<br>Recommended for existing websites
Line 115: Line 115:
|- style="background-color: #D2D2D2;"
|- style="background-color: #D2D2D2;"
| data-sort-value="9" | [[#contribute.json|<span style="color: black;">contribute.json</span>]]
| data-sort-value="9" | [[#contribute.json|<span style="color: black;">contribute.json</span>]]
| style="text-align: center;" | P4
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 9
| style="text-align: center;" | 9
| Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites
| Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites
Line 122: Line 122:
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| data-sort-value="10" | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]]
| data-sort-value="10" | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]]
| style="text-align: center;" | P3
| data-sort-value="3" style="text-align: center;" | High
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 11
| style="text-align: center;" | 11
| Mandatory
| Mandatory
Line 129: Line 129:
|- style="background-color: #D2D2D2;"
|- style="background-color: #D2D2D2;"
| data-sort-value="11" | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]]
| data-sort-value="11" | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]]
| style="text-align: center;" | P2
| data-sort-value="3" style="text-align: center;" | High
| style="text-align: center;" | Varies
| data-sort-value="99" style="text-align: center;" | Varies
| style="text-align: center;" | 6
| style="text-align: center;" | 6
| Varies
| Varies
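Review bot: "Varies" in the Difficulty cell gets data-sort-value="99", placing it after Maximum (4) in an ascending sort, while the blank Order cell in the HTTPS row uses data-sort-value="0" and the "--" Order cell in the Public Key Pinning row uses 99. Choose one sentinel for "no value" across the table so that sorting any column puts the unrated rows consistently at one end.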
Line 136: Line 136:
|- style="background-color: #D2D2D2;"
|- style="background-color: #D2D2D2;"
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| style="text-align: center;" | P5
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 13
| style="text-align: center;" | 13
| Optional
| Optional
Line 143: Line 143:
|- style="background-color: #E8E27A;"
|- style="background-color: #E8E27A;"
| data-sort-value="13" | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]]
| data-sort-value="13" | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]]
| style="text-align: center;" | P5
| data-sort-value="2" style="text-align: center;" | Medium
| style="text-align: center;" | Moderate
| data-sort-value="2" style="text-align: center;" | Medium
| style="text-align: center;" | 14
| style="text-align: center;" | 14
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup>
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup>
Line 150: Line 150:
|- style="background-color: #E8E27A;"
|- style="background-color: #E8E27A;"
| data-sort-value="14" | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
| data-sort-value="14" | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
| style="text-align: center;" | P3
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 8
| style="text-align: center;" | 8
| Recommended for all websites
| Recommended for all websites
Line 157: Line 157:
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| data-sort-value="15" | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]]
| data-sort-value="15" | [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]]
| style="text-align: center;" | P2
| data-sort-value="3" style="text-align: center;" | High
| style="text-align: center;" | Easy
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | 5
| style="text-align: center;" | 5
| Mandatory for all websites
| Mandatory for all websites
Line 164: Line 164:
|- style="background-color: #E8E27A;"
|- style="background-color: #E8E27A;"
| data-sort-value="16" | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]]
| data-sort-value="16" | [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]]
| style="text-align: center;" | P4
| data-sort-value="1" style="text-align: center;" | Low
| style="text-align: center;" | Moderate
| data-sort-value="2" style="text-align: center;" | Medum
| style="text-align: center;" | 12
| style="text-align: center;" | 12
| Mandatory for all new websites<br>Recommended for existing websites
| Mandatory for all new websites<br>Recommended for existing websites
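Review bot: typo in the new Difficulty cell: "Medum" should be "Medium". The data-sort-value="2" already matches the other Medium cells (e.g. Subresource Integrity), so only the visible label needs correcting.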
Line 224: Line 224:
* <tt>preload:</tt> whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]
* <tt>preload:</tt> whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]


<tt>max-age</tt> must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) or longer are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.
<tt>max-age</tt> must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.


<tt>includeSubDomains</tt> notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting <tt>includeSubDomains</tt> on <tt>domain.mozilla.com</tt> will also set it on <tt>host1.domain.mozilla.com</tt> and <tt>host2.domain.mozilla.com</tt>. Extreme care is needed when setting the <tt>includeSubDomains</tt> flag, as it could disable sites on subdomains that don't yet have HTTPS enabled.
<tt>includeSubDomains</tt> notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting <tt>includeSubDomains</tt> on <tt>domain.mozilla.com</tt> will also set it on <tt>host1.domain.mozilla.com</tt> and <tt>host2.domain.mozilla.com</tt>. Extreme care is needed when setting the <tt>includeSubDomains</tt> flag, as it could disable sites on subdomains that don't yet have HTTPS enabled.