MozillaWiki

User:Apking/Web Security Guidelines: Difference between revisions

User page Discussion

User:Apking/Web Security Guidelines (view source)

Revision as of 19:27, 14 January 2016

1,209 bytes added ,  14 January 2016
added priority / difficulty columns, bunch of updates to cheat sheet
(added contribute.json to the standard)
(added priority / difficulty columns, bunch of updates to cheat sheet)
Line 463: Line 463:
= Web Security Cheat Sheet =
= Web Security Cheat Sheet =


{| class="wikitable" style="width: 100%;"
{| class="wikitable sortable" style="width: 100%;"
|-
|-
! Guideline
! Guideline
! Priority
! Difficulty
! Requirements
! Requirements
! Notes
! Notes
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| [[#HTTPS|<span style="color: black;">HTTPS</span>]]
| [[#HTTPS|<span style="color: black;">HTTPS</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Medium
| Mandatory
| Mandatory
| Use the most secure TLS configuration for your user base
| Use the most secure TLS configuration for your user base
|- style="background-color: #E99696;"
|- style="background-color: #E99696;"
| style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]]
| style="padding-left: 1.5em;" | [[#HTTP Public Key Pinning|<span style="color: black;">Public Key Pinning</span>]]
| style="text-align: center;" | P5
| style="text-align: center;" | High
| Mandatory for maximum risk sites only
| Mandatory for maximum risk sites only
| Not recommended for most sites
| Not recommended for most sites
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]]
| style="padding-left: 1.5em;" | [[#HTTP Redirections|<span style="color: black;">Redirections from HTTP</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| Mandatory
| Mandatory
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely
| Websites must redirect to HTTPS, API endpoints should disable HTTP entirely
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]]
| style="padding-left: 1.5em;" | [[#HTTP Strict Transport Security|<span style="color: black;">Strict Transport Security</span>]]
| style="text-align: center;" | P1
| style="text-align: center;" | Easy
| Mandatory for all websites
| Mandatory for all websites
| Minimum allowed time period of six months
| Minimum allowed time period of six months
|- style="background-color: #E8E27A;"
|- style="background-color: #E8E27A;"
| [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]]
| [[#Content Security Policy|<span style="color: black;">Content Security Policy</span>]]
| style="text-align: center;" | P2
| style="text-align: center;" | High
| Mandatory for new websites<br>Recommended for existing websites
| Mandatory for new websites<br>Recommended for existing websites
| Disabling inline script is the highest priority for CSP
| Disabling inline script is the greatest concern for CSP implementation
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| [[#Cookies|<span style="color: black;">Cookies</span>]]
| [[#Cookies|<span style="color: black;">Cookies</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| Mandatory
| Mandatory
| All cookies must be set with Secure, and set as restrictively as possible
| All cookies must be set with the Secure flag, and set as restrictively as possible
|- style="background-color: #9EDB58;"
|- style="background-color: #E8E27A;"
| [[#contribute.json|<span style="color: black;">contribute.json</span>]]
| [[#contribute.json|<span style="color: black;">contribute.json</span>]]
| Mandatory for all websites
| style="text-align: center;" | P4
| style="text-align: center;" | Easy
| Mandatory for all new websites<br>Recommended for existing sites
| Websites should serve contribute.json and keep contact information up-to-date
| Websites should serve contribute.json and keep contact information up-to-date
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]]
| [[#Cross-origin Resource Sharing|<span style="color: black;">Cross-origin Resource Sharing</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| Mandatory
| Mandatory
| Origin sharing headers and files should not be present, except for specific use cases
| Origin sharing headers and files should not be present, except for specific use cases
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery<br>Tokenization</span>]]
| [[#CSRF Prevention|<span style="color: black;">Cross-site Request Forgery Tokenization</span>]]
| Mandatory for certain websites
| style="text-align: center;" | P2
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites
| style="text-align: center;" | Varies
| Varies
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation
|- style="background-color: #CCCCCC;"
|- style="background-color: #CCCCCC;"
| [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| style="text-align: center;" | P5
| style="text-align: center;" | Easy
| Optional
| Optional
| Websites that implement robots.txt must use it only for noted purposes
| Websites that implement robots.txt must use it only for noted purposes
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]]
| [[#Subresource Integrity|<span style="color: black;">Subresource Integrity</span>]]
| Mandatory
| style="text-align: center;" | P5
| Mandatory for all websites that load JavaScript or stylesheets from non-Mozilla sources
| style="text-align: center;" | Moderate
| Varies
| Recommended for websites that load JavaScript or stylesheets from non-Mozilla sources<br>Unnecessary for all other websites
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
| [[#X-Content-Type-Options|<span style="color: black;">X-Content-Type-Options</span>]]
| Mandatory for all websites
| style="text-align: center;" | P3
| style="text-align: center;" | Easy
| Recommended for all websites
| Websites should verify that they are setting the proper MIME types for all resources
| Websites should verify that they are setting the proper MIME types for all resources
|- style="background-color: #9EDB58;"
|- style="background-color: #9EDB58;"
| [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]]
| [[#X-Frame-Options|<span style="color: black;">X-Frame-Options</span>]]
| style="text-align: center;" | P2
| style="text-align: center;" | Easy
| Mandatory for all websites
| Mandatory for all websites
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
| Websites that don't use DENY or SAMEORIGIN must employ clickjacking defenses
|- style="background-color: #E8E27A;"
|- style="background-color: #E8E27A;"
| [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]]
| [[#X-XSS-Protection|<span style="color: black;">X-XSS-Protection</span>]]
| style="text-align: center;" | P3
| style="text-align: center;" | Moderate
| Mandatory for all new websites<br>Recommended for existing websites
| Mandatory for all new websites<br>Recommended for existing websites
| Manual testing should be done for existing websites, prior to implementation
| Manual testing should be done for existing websites, prior to implementation
|}
|}
Apking
Anti-spam team, Confirmed users
99

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1112790"