User:Apking/Web Security Guidelines: Difference between revisions

User:Apking/Web Security Guidelines (view source)

Revision as of 16:58, 12 February 2016

1,043 bytes added , 12 February 2016

Updates to contribute.json and the chart at the bottom

Apking

Anti-spam team, Confirmed users

99

edits

@@ Line 203: / Line 203: @@
 Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, <tt>contribute.json</tt> is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.
+Require subkeys include <tt>name</tt>, <tt>description</tt>, <tt>bugs</tt>, <tt>participate</tt> (particularly <tt>irc</tt> and <tt>irc-clients</tt>), and <tt>urls</tt>.
 == Examples ==
-<pre>{
+<p style="border: 1px solid #ddd; background-color: #f9f9f9; font-family: monospace, Courier; line-height: 1.3em; padding: 1em; white-space: pre;">{
-     "name": "Bedrock",
+     "<b>name</b>": "Bedrock",
-     "description": "The app powering www.mozilla.org.",
+     "<b>description</b>": "The app powering www.mozilla.org.",
      "repository": {
-         "url": "https://github.com/mozilla/bedrock",
+         "url": <nowiki>"https://github.com/mozilla/bedrock"</nowiki>,
          "license": "MPL2",
-         "tests": "https://travis-ci.org/mozilla/bedrock/"
+         "tests": <nowiki>"https://travis-ci.org/mozilla/bedrock/"</nowiki>
      },
-     "participate": {
+     "<b>participate</b>": {
-         "home": "https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org",
+         "home": <nowiki>"https://wiki.mozilla.org/Webdev/GetInvolved/mozilla.org"</nowiki>,
-         "docs": "http://bedrock.readthedocs.org/",
+         "docs": <nowiki>"http://bedrock.readthedocs.org/"</nowiki>,
-         "mailing-list": "https://www.mozilla.org/about/forums/#dev-mozilla-org",
+         "mailing-list": <nowiki>"https://www.mozilla.org/about/forums/#dev-mozilla-org"</nowiki>,
-         "irc": "irc://irc.mozilla.org/#www",
+         "<b>irc</b>": <nowiki>"irc://irc.mozilla.org/#www"</nowiki>,
-         "irc-contacts": [
+         "<b>irc-contacts</b>": [
              "someperson1",
              "someperson2",
@@ Line 225: / Line 227: @@
          ]
      },
-     "bugs": {
+     "<b>bugs</b>": {
-         "list": "https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org",
+         "list": <nowiki>"https://bugzilla.mozilla.org/describecomponents.cgi?product=www.mozilla.org"</nowiki>,
-         "report": "https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org",
+         "report": <nowiki>"https://bugzilla.mozilla.org/enter_bug.cgi?product=www.mozilla.org"</nowiki>,
-         "mentored": "https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&o1=isnotempty
+         "mentored": <nowiki>"https://bugzilla.mozilla.org/buglist.cgi?f1=bug_mentor&o1=isnotempty
-                        &query_format=advanced&bug_status=NEW&product=www.mozilla.org&list_id=10866041"
+                        &query_format=advanced&bug_status=NEW&product=www.mozilla.org&list_id=10866041"</nowiki>
      },
-     "urls": {
+     "<b>urls</b>": {
-         "prod": "https://www.mozilla.org",
+         "prod": <nowiki>"https://www.mozilla.org"</nowiki>,
-         "stage": "https://www.allizom.org",
+         "stage": <nowiki>"https://www.allizom.org"</nowiki>,
-         "dev": "https://www-dev.allizom.org",
+         "dev": <nowiki>"https://www-dev.allizom.org"</nowiki>,
-         "demo1": "https://www-demo1.allizom.org",
+         "demo1": <nowiki>"https://www-demo1.allizom.org"</nowiki>,
      },
      "keywords": [
@@ Line 244: / Line 246: @@
          "jquery"
      ]
-}</pre>
+}
+</p>
 == See Also ==
@@ Line 498: / Line 501: @@
 | [[#HTTPS|<span style="color: black;">HTTPS</span>]]
 | style="text-align: center;" | P1
-| style="text-align: center;" | Medium
+| style="text-align: center;" | Easy
-| style="text-align: center;" | 1
+| style="text-align: center;" data-sort-value="0" |
 | Mandatory
-| Use the most secure TLS configuration for your user base
+| Sites should use HTTPS (or other secure protocols) for all communications
 |- style="background-color: #E99696;"
 | style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]]
@@ Line 530: / Line 533: @@
 | Mandatory for all websites
 | Minimum allowed time period of six months
+|- style="background-color: #9EDB58;"
+| style="padding-left: 1.5em;" | [[#HTTPS|<span style="color: black;">TLS Configuration</span>]]
+| style="text-align: center;" | P1
+| style="text-align: center;" | Easy
+| style="text-align: center;" | 1
+| Mandatory
+| Use the most secure Mozilla TLS configuration for your user base, typically [[Security/Server Side TLS#Intermediate compatibility (default)|Intermediate]]
 |- style="background-color: #E8E27A;"
 | [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]]
@@ Line 544: / Line 554: @@
 | Mandatory for all new websites<br>Recommended for existing websites
 | All cookies must be set with the Secure flag, and set as restrictively as possible
-|- style="background-color: #E8E27A;"
+|- style="background-color: #D2D2D2;"
 | [[#contribute.json|<span style="color: black;">contribute.json</span>]]
 | style="text-align: center;" | P4
 | style="text-align: center;" | Easy
 | style="text-align: center;" | 9
-| Mandatory for all new websites<br>Recommended for existing sites
+| Mandatory for all new Mozilla websites<br>Recommended for existing Mozilla sites
-| Websites should serve contribute.json and keep contact information up-to-date
+| Mozilla sites should serve contribute.json and keep contact information up-to-date
 |- style="background-color: #9EDB58;"
 | [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]]
@@ Line 558: / Line 568: @@
 | Mandatory
 | Origin sharing headers and files should not be present, except for specific use cases
-|- style="background-color: #9EDB58;"
+|- style="background-color: #D2D2D2;"
 | [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]]
 | style="text-align: center;" | P2
@@ Line 565: / Line 575: @@
 | Varies
 | Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation
-|- style="background-color: #CCCCCC;"
+|- style="background-color: #D2D2D2;"
 | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
 | style="text-align: center;" | P5
@@ Line 572: / Line 582: @@
 | Optional
 | Websites that implement robots.txt must use it only for noted purposes
-|- style="background-color: #9EDB58;"
+|- style="background-color: #E8E27A;"
 | [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]]
 | style="text-align: center;" | P5
@@ Line 578: / Line 588: @@
 | style="text-align: center;" | 14
 | Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup>
-| <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup> Only for websites that load JavaScript or stylesheets from non-Mozilla sources
+| <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup> Only for websites that load JavaScript or stylesheets from foreign origins
-|- style="background-color: #9EDB58;"
+|- style="background-color: #E8E27A;"
 | [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
 | style="text-align: center;" | P3