├── CODE_OF_CONDUCT.md ├── LICENSE ├── README.md └── rust.md /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Community Participation Guidelines 2 | 3 | This repository is governed by Mozilla's code of conduct and etiquette guidelines. 4 | For more details, please read the 5 | [Mozilla Community Participation Guidelines](https://www.mozilla.org/about/governance/policies/participation/). 6 | 7 | ## How to Report 8 | For more information on how to report violations of the Community Participation Guidelines, please read our '[How to Report](https://www.mozilla.org/about/governance/policies/participation/reporting/)' page. 9 | 10 | 16 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Mozilla Public License Version 2.0 2 | ================================== 3 | 4 | 1. Definitions 5 | -------------- 6 | 7 | 1.1. "Contributor" 8 | means each individual or legal entity that creates, contributes to 9 | the creation of, or owns Covered Software. 10 | 11 | 1.2. "Contributor Version" 12 | means the combination of the Contributions of others (if any) used 13 | by a Contributor and that particular Contributor's Contribution. 14 | 15 | 1.3. "Contribution" 16 | means Covered Software of a particular Contributor. 17 | 18 | 1.4. "Covered Software" 19 | means Source Code Form to which the initial Contributor has attached 20 | the notice in Exhibit A, the Executable Form of such Source Code 21 | Form, and Modifications of such Source Code Form, in each case 22 | including portions thereof. 23 | 24 | 1.5. "Incompatible With Secondary Licenses" 25 | means 26 | 27 | (a) that the initial Contributor has attached the notice described 28 | in Exhibit B to the Covered Software; or 29 | 30 | (b) that the Covered Software was made available under the terms of 31 | version 1.1 or earlier of the License, but not also under the 32 | terms of a Secondary License. 33 | 34 | 1.6. "Executable Form" 35 | means any form of the work other than Source Code Form. 36 | 37 | 1.7. "Larger Work" 38 | means a work that combines Covered Software with other material, in 39 | a separate file or files, that is not Covered Software. 40 | 41 | 1.8. "License" 42 | means this document. 43 | 44 | 1.9. "Licensable" 45 | means having the right to grant, to the maximum extent possible, 46 | whether at the time of the initial grant or subsequently, any and 47 | all of the rights conveyed by this License. 48 | 49 | 1.10. "Modifications" 50 | means any of the following: 51 | 52 | (a) any file in Source Code Form that results from an addition to, 53 | deletion from, or modification of the contents of Covered 54 | Software; or 55 | 56 | (b) any new file in Source Code Form that contains any Covered 57 | Software. 58 | 59 | 1.11. "Patent Claims" of a Contributor 60 | means any patent claim(s), including without limitation, method, 61 | process, and apparatus claims, in any patent Licensable by such 62 | Contributor that would be infringed, but for the grant of the 63 | License, by the making, using, selling, offering for sale, having 64 | made, import, or transfer of either its Contributions or its 65 | Contributor Version. 66 | 67 | 1.12. "Secondary License" 68 | means either the GNU General Public License, Version 2.0, the GNU 69 | Lesser General Public License, Version 2.1, the GNU Affero General 70 | Public License, Version 3.0, or any later versions of those 71 | licenses. 72 | 73 | 1.13. "Source Code Form" 74 | means the form of the work preferred for making modifications. 75 | 76 | 1.14. "You" (or "Your") 77 | means an individual or a legal entity exercising rights under this 78 | License. For legal entities, "You" includes any entity that 79 | controls, is controlled by, or is under common control with You. For 80 | purposes of this definition, "control" means (a) the power, direct 81 | or indirect, to cause the direction or management of such entity, 82 | whether by contract or otherwise, or (b) ownership of more than 83 | fifty percent (50%) of the outstanding shares or beneficial 84 | ownership of such entity. 85 | 86 | 2. License Grants and Conditions 87 | -------------------------------- 88 | 89 | 2.1. Grants 90 | 91 | Each Contributor hereby grants You a world-wide, royalty-free, 92 | non-exclusive license: 93 | 94 | (a) under intellectual property rights (other than patent or trademark) 95 | Licensable by such Contributor to use, reproduce, make available, 96 | modify, display, perform, distribute, and otherwise exploit its 97 | Contributions, either on an unmodified basis, with Modifications, or 98 | as part of a Larger Work; and 99 | 100 | (b) under Patent Claims of such Contributor to make, use, sell, offer 101 | for sale, have made, import, and otherwise transfer either its 102 | Contributions or its Contributor Version. 103 | 104 | 2.2. Effective Date 105 | 106 | The licenses granted in Section 2.1 with respect to any Contribution 107 | become effective for each Contribution on the date the Contributor first 108 | distributes such Contribution. 109 | 110 | 2.3. Limitations on Grant Scope 111 | 112 | The licenses granted in this Section 2 are the only rights granted under 113 | this License. No additional rights or licenses will be implied from the 114 | distribution or licensing of Covered Software under this License. 115 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 116 | Contributor: 117 | 118 | (a) for any code that a Contributor has removed from Covered Software; 119 | or 120 | 121 | (b) for infringements caused by: (i) Your and any other third party's 122 | modifications of Covered Software, or (ii) the combination of its 123 | Contributions with other software (except as part of its Contributor 124 | Version); or 125 | 126 | (c) under Patent Claims infringed by Covered Software in the absence of 127 | its Contributions. 128 | 129 | This License does not grant any rights in the trademarks, service marks, 130 | or logos of any Contributor (except as may be necessary to comply with 131 | the notice requirements in Section 3.4). 132 | 133 | 2.4. Subsequent Licenses 134 | 135 | No Contributor makes additional grants as a result of Your choice to 136 | distribute the Covered Software under a subsequent version of this 137 | License (see Section 10.2) or under the terms of a Secondary License (if 138 | permitted under the terms of Section 3.3). 139 | 140 | 2.5. Representation 141 | 142 | Each Contributor represents that the Contributor believes its 143 | Contributions are its original creation(s) or it has sufficient rights 144 | to grant the rights to its Contributions conveyed by this License. 145 | 146 | 2.6. Fair Use 147 | 148 | This License is not intended to limit any rights You have under 149 | applicable copyright doctrines of fair use, fair dealing, or other 150 | equivalents. 151 | 152 | 2.7. Conditions 153 | 154 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 155 | in Section 2.1. 156 | 157 | 3. Responsibilities 158 | ------------------- 159 | 160 | 3.1. Distribution of Source Form 161 | 162 | All distribution of Covered Software in Source Code Form, including any 163 | Modifications that You create or to which You contribute, must be under 164 | the terms of this License. You must inform recipients that the Source 165 | Code Form of the Covered Software is governed by the terms of this 166 | License, and how they can obtain a copy of this License. You may not 167 | attempt to alter or restrict the recipients' rights in the Source Code 168 | Form. 169 | 170 | 3.2. Distribution of Executable Form 171 | 172 | If You distribute Covered Software in Executable Form then: 173 | 174 | (a) such Covered Software must also be made available in Source Code 175 | Form, as described in Section 3.1, and You must inform recipients of 176 | the Executable Form how they can obtain a copy of such Source Code 177 | Form by reasonable means in a timely manner, at a charge no more 178 | than the cost of distribution to the recipient; and 179 | 180 | (b) You may distribute such Executable Form under the terms of this 181 | License, or sublicense it under different terms, provided that the 182 | license for the Executable Form does not attempt to limit or alter 183 | the recipients' rights in the Source Code Form under this License. 184 | 185 | 3.3. Distribution of a Larger Work 186 | 187 | You may create and distribute a Larger Work under terms of Your choice, 188 | provided that You also comply with the requirements of this License for 189 | the Covered Software. If the Larger Work is a combination of Covered 190 | Software with a work governed by one or more Secondary Licenses, and the 191 | Covered Software is not Incompatible With Secondary Licenses, this 192 | License permits You to additionally distribute such Covered Software 193 | under the terms of such Secondary License(s), so that the recipient of 194 | the Larger Work may, at their option, further distribute the Covered 195 | Software under the terms of either this License or such Secondary 196 | License(s). 197 | 198 | 3.4. Notices 199 | 200 | You may not remove or alter the substance of any license notices 201 | (including copyright notices, patent notices, disclaimers of warranty, 202 | or limitations of liability) contained within the Source Code Form of 203 | the Covered Software, except that You may alter any license notices to 204 | the extent required to remedy known factual inaccuracies. 205 | 206 | 3.5. Application of Additional Terms 207 | 208 | You may choose to offer, and to charge a fee for, warranty, support, 209 | indemnity or liability obligations to one or more recipients of Covered 210 | Software. However, You may do so only on Your own behalf, and not on 211 | behalf of any Contributor. You must make it absolutely clear that any 212 | such warranty, support, indemnity, or liability obligation is offered by 213 | You alone, and You hereby agree to indemnify every Contributor for any 214 | liability incurred by such Contributor as a result of warranty, support, 215 | indemnity or liability terms You offer. You may include additional 216 | disclaimers of warranty and limitations of liability specific to any 217 | jurisdiction. 218 | 219 | 4. Inability to Comply Due to Statute or Regulation 220 | --------------------------------------------------- 221 | 222 | If it is impossible for You to comply with any of the terms of this 223 | License with respect to some or all of the Covered Software due to 224 | statute, judicial order, or regulation then You must: (a) comply with 225 | the terms of this License to the maximum extent possible; and (b) 226 | describe the limitations and the code they affect. Such description must 227 | be placed in a text file included with all distributions of the Covered 228 | Software under this License. Except to the extent prohibited by statute 229 | or regulation, such description must be sufficiently detailed for a 230 | recipient of ordinary skill to be able to understand it. 231 | 232 | 5. Termination 233 | -------------- 234 | 235 | 5.1. The rights granted under this License will terminate automatically 236 | if You fail to comply with any of its terms. However, if You become 237 | compliant, then the rights granted under this License from a particular 238 | Contributor are reinstated (a) provisionally, unless and until such 239 | Contributor explicitly and finally terminates Your grants, and (b) on an 240 | ongoing basis, if such Contributor fails to notify You of the 241 | non-compliance by some reasonable means prior to 60 days after You have 242 | come back into compliance. Moreover, Your grants from a particular 243 | Contributor are reinstated on an ongoing basis if such Contributor 244 | notifies You of the non-compliance by some reasonable means, this is the 245 | first time You have received notice of non-compliance with this License 246 | from such Contributor, and You become compliant prior to 30 days after 247 | Your receipt of the notice. 248 | 249 | 5.2. If You initiate litigation against any entity by asserting a patent 250 | infringement claim (excluding declaratory judgment actions, 251 | counter-claims, and cross-claims) alleging that a Contributor Version 252 | directly or indirectly infringes any patent, then the rights granted to 253 | You by any and all Contributors for the Covered Software under Section 254 | 2.1 of this License shall terminate. 255 | 256 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 257 | end user license agreements (excluding distributors and resellers) which 258 | have been validly granted by You or Your distributors under this License 259 | prior to termination shall survive termination. 260 | 261 | ************************************************************************ 262 | * * 263 | * 6. Disclaimer of Warranty * 264 | * ------------------------- * 265 | * * 266 | * Covered Software is provided under this License on an "as is" * 267 | * basis, without warranty of any kind, either expressed, implied, or * 268 | * statutory, including, without limitation, warranties that the * 269 | * Covered Software is free of defects, merchantable, fit for a * 270 | * particular purpose or non-infringing. The entire risk as to the * 271 | * quality and performance of the Covered Software is with You. * 272 | * Should any Covered Software prove defective in any respect, You * 273 | * (not any Contributor) assume the cost of any necessary servicing, * 274 | * repair, or correction. This disclaimer of warranty constitutes an * 275 | * essential part of this License. No use of any Covered Software is * 276 | * authorized under this License except under this disclaimer. * 277 | * * 278 | ************************************************************************ 279 | 280 | ************************************************************************ 281 | * * 282 | * 7. Limitation of Liability * 283 | * -------------------------- * 284 | * * 285 | * Under no circumstances and under no legal theory, whether tort * 286 | * (including negligence), contract, or otherwise, shall any * 287 | * Contributor, or anyone who distributes Covered Software as * 288 | * permitted above, be liable to You for any direct, indirect, * 289 | * special, incidental, or consequential damages of any character * 290 | * including, without limitation, damages for lost profits, loss of * 291 | * goodwill, work stoppage, computer failure or malfunction, or any * 292 | * and all other commercial damages or losses, even if such party * 293 | * shall have been informed of the possibility of such damages. This * 294 | * limitation of liability shall not apply to liability for death or * 295 | * personal injury resulting from such party's negligence to the * 296 | * extent applicable law prohibits such limitation. Some * 297 | * jurisdictions do not allow the exclusion or limitation of * 298 | * incidental or consequential damages, so this exclusion and * 299 | * limitation may not apply to You. * 300 | * * 301 | ************************************************************************ 302 | 303 | 8. Litigation 304 | ------------- 305 | 306 | Any litigation relating to this License may be brought only in the 307 | courts of a jurisdiction where the defendant maintains its principal 308 | place of business and such litigation shall be governed by laws of that 309 | jurisdiction, without reference to its conflict-of-law provisions. 310 | Nothing in this Section shall prevent a party's ability to bring 311 | cross-claims or counter-claims. 312 | 313 | 9. Miscellaneous 314 | ---------------- 315 | 316 | This License represents the complete agreement concerning the subject 317 | matter hereof. If any provision of this License is held to be 318 | unenforceable, such provision shall be reformed only to the extent 319 | necessary to make it enforceable. Any law or regulation which provides 320 | that the language of a contract shall be construed against the drafter 321 | shall not be used to construe this License against a Contributor. 322 | 323 | 10. Versions of the License 324 | --------------------------- 325 | 326 | 10.1. New Versions 327 | 328 | Mozilla Foundation is the license steward. Except as provided in Section 329 | 10.3, no one other than the license steward has the right to modify or 330 | publish new versions of this License. Each version will be given a 331 | distinguishing version number. 332 | 333 | 10.2. Effect of New Versions 334 | 335 | You may distribute the Covered Software under the terms of the version 336 | of the License under which You originally received the Covered Software, 337 | or under the terms of any subsequent version published by the license 338 | steward. 339 | 340 | 10.3. Modified Versions 341 | 342 | If you create software not governed by this License, and you want to 343 | create a new license for such software, you may create and use a 344 | modified version of this License if you rename the license and remove 345 | any references to the name of the license steward (except to note that 346 | such modified license differs from this License). 347 | 348 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 349 | Licenses 350 | 351 | If You choose to distribute Source Code Form that is Incompatible With 352 | Secondary Licenses under the terms of this version of the License, the 353 | notice described in Exhibit B of this License must be attached. 354 | 355 | Exhibit A - Source Code Form License Notice 356 | ------------------------------------------- 357 | 358 | This Source Code Form is subject to the terms of the Mozilla Public 359 | License, v. 2.0. If a copy of the MPL was not distributed with this 360 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 361 | 362 | If it is not possible or desirable to put the notice in a particular 363 | file, then You may include the notice in a location (such as a LICENSE 364 | file in a relevant directory) where a recipient would be likely to look 365 | for such a notice. 366 | 367 | You may add additional accurate notices of copyright ownership. 368 | 369 | Exhibit B - "Incompatible With Secondary Licenses" Notice 370 | --------------------------------------------------------- 371 | 372 | This Source Code Form is "Incompatible With Secondary Licenses", as 373 | defined by the Mozilla Public License, v. 2.0. 374 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # websec-check 2 | 3 | The [Firefox Operations Security Team's](https://wiki.mozilla.org/Security/FirefoxOperations) web security checklist for Firefox Services. 4 | 5 | Markdown issue template: 6 | 7 | ```markdown 8 | Risk Management 9 | --------------- 10 | * [ ] The service must have performed a Rapid Risk Assessment 11 | * [ ] The service must be registered via a [New Service issue](https://github.com/mozilla-services/foxsec/issues/new?template=01_NewService.md&labels=New%20Service&assignee=psiinon&title=New%20Service:%20). You need to have access to the mozilla-services GitHub organization to be able to view and create this issue (ping secops if you don't have access). 12 | 13 | Infrastructure 14 | -------------- 15 | 16 | * [ ] Access and application logs must be archived for a minimum of 90 days 17 | * [ ] Use [Modern](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) or [Intermediate](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility) TLS 18 | * [ ] Set HSTS to 31536000 (1 year) 19 | * `strict-transport-security: max-age=31536000` 20 | * [ ] If the service is not hosted under `services.mozilla.com`, it must be manually added to [Firefox's preloaded pins](https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json#184). This only applies to production services, not short-lived experiments. 21 | * [ ] Correctly set client IP 22 | * [ ] Confirm client ip is in the proper location in [X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For), modifying what is sent from the client if needed. AWS and GCP's load balancers will do this automatically. 23 | * [ ] Make sure the web server and the application get the true client IP by configuring trusted IP's within Nginx or Apache 24 | * Nginx: [ngx_http_realip_module](https://nginx.org/en/docs/http/ngx_http_realip_module.html) 25 | * Apache: [mod_remoteip](https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html) 26 | * [ ] If you have a service-oriented architecture, you must always be able to find the IP of the client that sent the initial request. We recommend passing along the `X-Forwarded-For` to all back-end services. 27 | * If service has an admin panels, it must: 28 | * [ ] only be available behind Mozilla VPN (which provides MFA) 29 | * [ ] require Auth0 authentication 30 | * [ ] Enforce a CSP with `frame-ancestors 'none'` to prevent iframe related attacks, such as [DOM-Based CSRF](https://www.youtube.com/watch?v=Femsrx0m9bU) 31 | * [ ] Build and deploy main or -slim variants of official language-specific base docker images e.g. [node](https://hub.docker.com/_/node/), [python](https://hub.docker.com/_/python/), or [rust](https://hub.docker.com/_/rust/) and contact secops@ if you want to use other variants 32 | 33 | Development 34 | ----------- 35 | * [ ] Ensure your code repository is configured and located appropriately: 36 | * [ ] Application built internally should be hosted in trusted GitHub organizations (mozilla, mozilla-services, mozilla-bteam, mozilla-conduit, mozilla-mobile, taskcluster). Sometimes we build and deploy applications we don't fully control. In those cases, the Dockerfile that builds the application container should be hosted in its own repository in a trusted organization. 37 | * [ ] Secure your repository by implementing [Mozilla's GitHub security standard](https://github.com/mozilla-services/GitHub-Audit/blob/master/docs/checklist.md). 38 | * [ ] Sign all release tags, and ideally commits as well 39 | * Developers should [configure git to sign all tags](http://micropipes.com/blog//2016/08/31/signing-your-commits-on-github-with-a-gpg-key/) and upload their PGP fingerprint to https://login.mozilla.com 40 | * The signature verification will eventually become a requirement to shipping a release to staging & prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd party GitHub integration from compromising our source code. 41 | * [ ] Enable [automated security fix PRs on GitHub](https://help.github.com/en/articles/configuring-automated-security-fixes#managing-automated-security-fixes-for-your-repository) for vulnerabilities in 3rd-party dependencies 42 | * [ ] Keep 3rd-party libraries up to date (in addition to the security updates) 43 | * For NodeJS applications, use [dependabot](https://dependabot.com/), [renovate](https://renovateapp.com/), or [GreenKeeper](https://greenkeeper.io/) 44 | * For Python, use ``pip list --outdated`` or [requires.io](https://requires.io/) or pyup outdated checks 45 | * For Rust, use `cargo update` and [cargo upgrade](https://github.com/killercup/cargo-edit#cargo-upgrade) when changing versions 46 | * [ ] Integrate static code analysis in CI, and avoid merging code with issues 47 | * Javascript applications should use ESLint with the [Mozilla ruleset](https://developer.mozilla.org/en-US/docs/ESLint) 48 | * Python applications should use [Bandit](https://github.com/openstack/bandit) 49 | * Go applications should use the [Go Meta Linter](https://github.com/alecthomas/gometalinter) 50 | * Use whitelisting mechanisms in these tools to deal with false positives 51 | 52 | Dual Sign Off 53 | ------------ 54 | * [ ] Services that push data to Firefox clients must require a dual sign off on every change, implemented in their admin panels 55 | * This mechanism must be reviewed and approved by the Firefox Operations Security team before being enabled in production 56 | 57 | Logging 58 | ------- 59 | * [ ] Publish detailed logs in [mozlog](https://github.com/mozilla-services/Dockerflow/blob/master/docs/mozlog.md) format (**APP-MOZLOG**) 60 | * Business logic must be logged with app specific codes (see [FxA](https://github.com/mozilla/fxa-auth-server/blob/master/docs/api.md#defined-errors)) 61 | * Access control failures must be logged at WARN level 62 | 63 | Web Applications 64 | ---------------- 65 | * [ ] Must have a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy). The policy: 66 | * [ ] should set `default-src none` or only allow specific origins and set `frame-src` and `object-src` to `none` if default-src is not `none` 67 | * [ ] web API responses should return `default-src 'none'; frame-ancestors 'none'; base-uri 'none'` to disallow content rendering and framing/redressing 68 | * [ ] should not use `unsafe-inline` or `unsafe-eval` in `script-src`, `style-src`, or `img-src` directives ( 69 | * [ ] may include a `report-uri` directive to provide visibility into CSP violations 70 | 71 | * [ ] Third-party javascript must be pinned to specific versions using [Subresource Integrity (SRI)](https://infosec.mozilla.org/guidelines/web_security#subresource-integrity) 72 | * [ ] Web APIs: 73 | * [ ] must set a non-HTML content-type on all responses, including 300s, 400s and 500s 74 | * [ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests 75 | * [ ] Should use authentication tokens with a unique pattern which is easily parsed with a regexp. This should allow inclusion into a token scanning service in the future. (E.g. prefix `mgp-` + 20 hex digits would match the regexp `\bmgp-[0-9A-Fa-f]{20}\b`) 76 | * [ ] for [Cookies](https://wiki.mozilla.org/Security/Guidelines/Web_Security#Cookies): 77 | * [ ] Set the Secure and HTTPOnly flags 78 | * [ ] Use a sensible Expiration 79 | * [ ] Use the prefix `__Host-` for the cookie name 80 | * [ ] Make sure your application gets an A+ on the [Mozilla Observatory](https://observatory.mozilla.org/) 81 | * [ ] Confirm your application doesn't fail the [ZAP Security Baseline](https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan): 82 | 1. Register your service as described in the Risk Management section (if you are not registering your service you can run the scan as described at: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan) 83 | 2. Go to [The STMO baseline dashboard](https://sql.telemetry.mozilla.org/dashboard/security-baseline-top-level-scores) (if you do not have access to the dashboard, contact secops@) 84 | 3. Filter for your service name and check that the "failures" column is 0. Click on each individual site for additional information about any failures. 85 | 4. If you need to document exceptions to the baseline e.g. to mark a search form as CSRF exempt, contact secops@ or ping 'psiinon' on github to get the scan config updated 86 | 87 | Security Features 88 | ----------------- 89 | * [ ] Authentication of end-users should be via FxA. Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team. 90 | * [ ] Session Management should be via existing and well regarded frameworks. In all cases you should contact the security team for a design and implementation review 91 | * Store session keys server side (typically in a db) so that they can be revoked immediately. 92 | * Session keys must be changed on login to prevent session fixation attacks. 93 | * Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login). 94 | * For more information about potential pitfalls see the [OWASP Session Management Cheat Sheet](https://www.owasp.org/index.php/Session_Management_Cheat_Sheet) 95 | * [ ] When using cookies for session management, make sure you have CSRF protections in place, which in 99% of cases is [SameSite cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies). If you can't use SameSite, use anti CSRF tokens. There are two exceptions to implementing CSRF protection: 96 | * Forms that don't change state (e.g. search forms) don't need CSRF protection and can indicate that by setting the 'data-no-csrf' form attribute (this tells our ZAP scanner to ignore those forms when testing for CSRF). 97 | * Sites that don't use cookies for anything sensitive can ignore CSRF protection. A lot of modern sites prefer to use local-storage JWTs for session management, which aren't vulnerable to CSRF (but must have a rock solid CSP). 98 | * [ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review. 99 | * [ ] If you are building a core Firefox service, consider adding it to the list of restricted domains in the preference `extensions.webextensions.restrictedDomains`. This will prevent a malicious extension from being able to steal sensitive information from it, see [bug 1415644](https://bugzilla.mozilla.org/show_bug.cgi?id=1415644). 100 | 101 | Databases 102 | --------- 103 | * [ ] All SQL queries must be parameterized, not concatenated 104 | * [ ] Applications must use accounts with limited GRANTS when connecting to databases 105 | * In particular, applications **must not use admin or owner accounts**, to decrease the impact of a sql injection vulnerability. 106 | 107 | Common issues 108 | ------------- 109 | * [ ] User data must be [escaped for the right context](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules_Summary) prior to reflecting it 110 | * When inserting user generated html into an html context: 111 | * Python applications should use [Bleach](https://github.com/mozilla/bleach) 112 | * Javascript applications should use [DOMPurify](https://github.com/cure53/DOMPurify/) 113 | * [ ] Apply sensible limits to user inputs, see [input validation](https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines#Input_Validation) 114 | * POST body size should be small (<500kB) unless explicitly needed 115 | * [ ] When allowing users to upload or generate content, make sure to host that content on a separate domain (eg. firefoxusercontent.com, etc.). This will prevent malicious content from having access to storage and cookies from the origin. 116 | * Also use this technique to host rich content you can't protect with a CSP, such as metrics reports, wiki pages, etc. 117 | * [ ] When managing permissions, make sure access controls are enforced server-side 118 | * [ ] If an authenticated user accesses protected resource, make sure the pages with those resource arent cached and served up to unauthenticated users (like via a CDN). 119 | * [ ] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations 120 | * Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency. 121 | * [ ] Do not proxy requests from users without strong limitations and filtering (see [Pocket UserData vulnerability](https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/)). Don't proxy requests to [link local, loopback, or private networks](https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv4) or DNS that resolves to addresses in those ranges (i.e. 169.254.0.0/16, 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, 198.18.0.0/15). 122 | * [ ] Do not use `target="_blank"` in external links unless you also use `rel="noopener noreferrer"` (to prevent [Reverse Tabnabbing](https://www.owasp.org/index.php/Reverse_Tabnabbing)) 123 | ``` 124 | -------------------------------------------------------------------------------- /rust.md: -------------------------------------------------------------------------------- 1 | # Rust 2 | A checklist for people using Rust to develop Firefox services, to be used in addition to the [common checklist](README.md). 3 | 4 | * [ ] Use [cargo-audit](https://github.com/RustSec/cargo-audit) to check for dependency security vulnerabilities 5 | * [ ] Use [rust-clippy](https://github.com/rust-lang/rust-clippy) for linting (easier for new projects) 6 | * [ ] Use [slog-mozlog-json](https://github.com/mozilla-services/slog-mozlog-json) for service logging 7 | * [ ] Set [compile time filters](https://docs.rs/log/0.4.8/log/#compile-time-filters) if you are using the [log](https://crates.io/crates/log) Crate. The default setting does not disable any log levels, which can result in excessive logging in high traffic applications 8 | * [ ] Binaries (as opposed to libraries) should include a Cargo.lock file in version control 9 | * [ ] Use [dependabot](https://dependabot.com/rust/) to keep your dependencies up to date 10 | * [ ] Add `#![forbid(unsafe_code)]` to your crate (e.g. the top of `main.rs` or `lib.rs`) 11 | * [ ] If you must use 'unsafe', include a comment explaining why you believe its use is sound and its behavior is correct and well defined 12 | * [ ] Only use Rust nightly when it is absolutely necessary 13 | * [ ] If you have to use nightly track the features you require so that you can move off it once they are merged into stable 14 | * [ ] Minimise dependencies (not Rust specific, but important due to the relative immaturity of the ecosystem) 15 | * Check to see if existing crates already have the functionality 16 | * Consider implementing simple functionality instead of adding a new dependency 17 | * Give preference to 18 | * Crates that are already [vendored into Firefox](https://dxr.mozilla.org/mozilla-central/source/third_party/rust). 19 | * Crates from [rust-lang-nursery](https://github.com/rust-lang-nursery) 20 | * Crates that appear to be widely used in the rust community. 21 | 22 | ## Recommended crates 23 | 24 | | Crate | Description | 25 | | ----- | ----------- | 26 | | [Actix web](https://crates.io/crates/actix-web) | Actix web is a small, pragmatic, and extremely fast rust web framework. | 27 | | [Hyper](https://crates.io/crates/hyper) | A fast and correct HTTP implementation for Rust. | 28 | | [Reqwest](https://crates.io/crates/reqwest) | An ergonomic, batteries-included HTTP Client for Rust. | 29 | | [Serde](https://crates.io/crates/serde) | Serde is a framework for serializing and deserializing Rust data structures efficiently and generically. | 30 | | [Slog](https://crates.io/crates/slog) | The logging for Rust | 31 | 32 | Additional recommendations can be proposed via PRs or issues. 33 | 34 | ## Markdown issue template 35 | For the above checklist. 36 | 37 | ``` 38 | * [ ] Use [cargo-audit](https://github.com/RustSec/cargo-audit) to check for dependency security vulnerabilities 39 | * [ ] Use [rust-clippy](https://github.com/rust-lang/rust-clippy) for linting (easier for new projects) 40 | * [ ] Use [slog-mozlog-json](https://github.com/mozilla-services/slog-mozlog-json) for service logging 41 | * [ ] Set [compile time filters](https://docs.rs/log/0.4.8/log/#compile-time-filters) if you are using the [log](https://crates.io/crates/log) Crate. The default setting does not disable any log levels, which can result in excessive logging in high traffic applications 42 | * [ ] Binaries (as opposed to libraries) should include a Cargo.lock file in version control 43 | * [ ] Use [dependabot](https://dependabot.com/rust/) to keep your dependencies up to date 44 | * [ ] Add `#![forbid(unsafe_code)]` to your crate (e.g. the top of `main.rs` or `lib.rs`) 45 | * [ ] If you must use 'unsafe', include a comment explaining why you believe its use is sound and its behavior is correct and well defined 46 | * [ ] Only use Rust nightly when it is absolutely necessary 47 | * [ ] If you have to use nightly track the features you require so that you can move off it once they are merged into stable 48 | * [ ] Minimise dependencies (not Rust specific, but important due to the relative immaturity of the ecosystem) 49 | * Check to see if existing crates already have the functionality 50 | * Consider implementing simple functionality instead of adding a new dependency 51 | * Give preference to 52 | * Crates that are already [vendored into Firefox](https://dxr.mozilla.org/mozilla-central/source/third_party/rust). 53 | * Crates from [rust-lang-nursery](https://github.com/rust-lang-nursery) 54 | * Crates that appear to be widely used in the rust community. 55 | ``` 56 | --------------------------------------------------------------------------------