Security Checklist

All services integrated with Firefox or that provide services to Firefox users must follow the security rules listed below.

You can copy and paste the checklist below into a GitHub issue.

Infrastructure rules

[ ] Use Modern TLS (INFRA-TLS)
[ ] Set HSTS to 31536000 (one year) (INFRA-HSTS)
[ ] Set HPKP to 2592000 (30 days) (INFRA-HPKP)
If service has an admin panels, it must:
- [ ] only be available behind Mozilla VPN (which provides MFA) (INFRA-ADMINVPN)
- [ ] require LDAP authentication (INFRA-ADMINLDAP)
- [ ] enforce a two-man rule on sensitive changes (INFRA-2MANRULE)
  Coding rules

The following rules apply to all web applications: api and websites.

[ ] Detailed logging in mozlog format (APP-MOZLOG)
- Business logic must be logged with app specific codes (errno)
- Access control failures must be logged at WARN level
[ ] All SQL queries must be parameterized, not concatenated (APP-SQL)
[ ] User data must be escaped for the right context prior to reflecting it (APP-ESCAPE)
[ ] Apply sensible limits to user inputs, see input validation (APP-INPUTVAL)
[ ] Enforce Access Controls server-side (APP-ACL)
[ ] Set the Secure flag on Cookies, and use sensible Expiration and HTTPOnly (APP-SECCOOKIE)
Keep 3rd-party libraries up to date (APP-DEPS)
- [ ] Use NSP or [GreenKeeper](https://greenkeeper.io/ Greenkeeper) for NodeJS applications
- [ ] Use pip --outdated or requires.io for Python applications
[ ] If handling cryptographic keys, must have a mechanism to handle monthly key rotations (APP-KEYROT)
- [ ] All keys must be rotated quarterly.
- Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable during.
  Additional websites requirements

The following coding rules only apply to websites, not web apis.

[ ] Never store passwords, use Firefox Accounts (APP-IDP)
[ ] Forbid Mixed content, always use HTTPS (APP-MIXCONTENT)
[ ] Must have a CSP with (APP-CSP)
- [ ] a report-uri pointing to the service /cspreport
- [ ] frame-options set to deny
- [ ] no use of unsafe-inline or unsafe-eval
[ ] Must have CSRF tokens and manually excluded specific forms (APP-CSRF)
[ ] Should consider having checksums for 3rd-party content via SRI (APP-SRI).
- Trusted 3rd parties, like Google Analytics, don't need SRI. Use your best judgment to decide if a 3rd party script is trustworthy (and assume it is not).
Consider Security headers as appropriate (APP-HEADERS)
- [ ] X-Content-Type-Options
- [ ] X-Frame-Options
- [ ] X-XSS-Protection
  Data rules
When storing sensitive user data (like browsing history) on Mozilla servers:
- [ ] Anonymize it (similar to Tiles) (DATA-ANON)
- [ ] Encrypt it client-side (similar to Sync) (DATA-CRYPT)
- [ ] If user data must be stored non-anonymized and in clear text, you must talk to the security and legal teams about it.
If the service pushes data to Firefox, like when distributing blacklists or pushing updates, cryptographic signatures must be used. (DATA-SIGN)
- [ ] Addons must use standard AMO signing (APP-SIGNING)
- [ ] Code & Conf must use Content-Signature via Autograph (DATA-SIGNING)