Open jvehent opened 5 years ago
@jvehent @g-k We're almost done doing the last couple of security things. e.g. A+ on Observatory.
What do we need to do to get buildhub.moz.tools (and stage??) to the Security Baseline?
@peterbe Nice! Can you file a new service issue or point us to the existing one? Then I can add that metadata to the zap baseline config.
@peterbe looks like those sites are failing the baseline on:
Is that enough info? If not just let me know what you need.
@psiinon I suspect what you're referring to is the production site (buildhub.moz.tools). We made some changes to the Stage first which should plug those missing holes. In particular, we made sure that Django also sets a bunch of good security headers so we don't have to exclusively rely on Nginx to get these things right.
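As an added example (not buildhub's code and not Django's), here is the idea from the comment above, setting the security headers in the application itself rather than relying on Nginx, written as a plain WSGI middleware so it runs without Django. The two header values are the ones quoted in the checklist in this issue; `json_api`, `html_page` and `call` are constructed stand-ins used only to exercise the middleware. In a Django project the equivalent pieces are `django.middleware.security.SecurityMiddleware` with `SECURE_HSTS_SECONDS` for HSTS and a CSP middleware such as django-csp.

```python
# Added example (not buildhub's or Django's own code): a WSGI middleware that
# applies the headers quoted in this issue's checklist at the application
# layer, so the service does not depend on its Nginx config to get them right.
from wsgiref.util import setup_testing_defaults

# Header values as quoted in the checklist in this issue.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": (
        "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; "
        "report-uri /__cspreport__"
    ),
}


class SecurityHeadersMiddleware:
    """Add each header in SECURITY_HEADERS unless the wrapped app already set it.

    Leaving an app-supplied header alone lets one view relax the CSP for an
    HTML page while every other response (errors included) keeps the
    deny-everything default from the checklist.
    """

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_headers)


def json_api(environ, start_response):
    """Constructed stand-in for a JSON endpoint that sets no security headers itself."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def html_page(environ, start_response):
    """Constructed view that renders markup and therefore sets its own, narrower CSP."""
    start_response("200 OK", [
        ("Content-Type", "text/html"),
        ("Content-Security-Policy",
         "default-src 'self'; frame-ancestors 'none'; base-uri 'none'; "
         "report-uri /__cspreport__"),
    ])
    return [b"<html><body>hello</body></html>"]


def call(app, path="/"):
    """Drive a WSGI app in-process and return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = call(SecurityHeadersMiddleware(json_api))
    print(status, headers)
```

Because the middleware only fills in headers that are absent, a view that deliberately sets a different CSP keeps it, while HSTS is still added to every response.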
Yeah, stage is looking good now, it's passing both the Observatory and Baseline checks with flying colours :D
@g-k
Can you file a new service issue or point us to the existing one? Then I can add that metadata to the zap baseline config.
@autrilla already did: https://github.com/mozilla-services/foxsec/issues/1136
@psiinon Can you check...
[ ] Verify your application doesn't have any failures on the Security Baseline.
@peterbe yes, it passes the Security Baseline :)
The only thing missing is hardening the Elasticsearch API which we're proxying. I forked it into this issue: https://github.com/mozilla/buildhub2/issues/471
Risk Management

Infrastructure
- `strict-transport-security: max-age=31536000`
- … `services.mozilla.com`, it must be manually added to Firefox's preloaded pins. This only applies to production services, not short-lived experiments.

Development
- `npm audit` with audit-filter to review and handle exceptions (see example in speech-proxy)
- `pip list --outdated` or requires.io or pyup outdated checks
- `cargo update` and `cargo upgrade` when changing versions
- Dual Sign Off

Logging

Web Applications
- `/__cspreport__` endpoint
- `default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__` to disallow all content rendering and framing, and report violations
- … `none`, frame-src, and object-src should be `none` or only allow specific origins

Security Features
- … `extensions.webextensions.restrictedDomains`. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.

Databases

Common issues
- `target="_blank"` in external links unless you also use `rel="noopener noreferrer"` (to prevent Reverse Tabnabbing)
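As an added example (not part of the issue, the checklist, or Mozilla's baseline tooling), the checks below encode the items that survive in the checklist above: the HSTS max-age, the API CSP with its `/__cspreport__` report-uri, the rule that frame-src and object-src must be `none` or explicit origins when default-src is not `none`, and the `target="_blank"` without `rel="noopener noreferrer"` rule. It assumes response headers are handed over as a plain dict; the headers and markup it runs over are constructed samples.

```python
# Added example (not the issue's or Mozilla's code): checks that encode the
# checklist items quoted above, run over constructed headers and markup.
from html.parser import HTMLParser

HSTS_MIN_MAX_AGE = 31536000  # one year, the value in the checklist
API_CSP = ("default-src 'none'; frame-ancestors 'none'; base-uri 'none'; "
           "report-uri /__cspreport__")


def parse_csp(policy):
    """Split a CSP header into {directive: [source, ...]}, directive names lower-cased."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or None if absent."""
    for part in value.split(";"):
        name, _, number = part.strip().partition("=")
        if name.strip().lower() == "max-age" and number.strip().isdigit():
            return int(number)
    return None


def check_headers(headers):
    """Return the checklist findings for one response's headers (empty list = passes)."""
    findings = []
    lower = {name.lower(): value for name, value in headers.items()}

    hsts = lower.get("strict-transport-security")
    if hsts is None or (hsts_max_age(hsts) or 0) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS missing or max-age below 31536000")

    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("no Content-Security-Policy header")
        return findings
    d = parse_csp(csp)
    if "report-uri" not in d:
        findings.append("CSP has no report-uri (expected /__cspreport__)")
    if d.get("frame-ancestors") != ["'none'"]:
        findings.append("frame-ancestors should be 'none'")
    if d.get("default-src") != ["'none'"]:
        # Without a deny-all default, framing and plugin sources need their own limits.
        for name in ("frame-src", "object-src"):
            sources = d.get(name)
            if not sources or "*" in sources:
                findings.append(f"{name} should be 'none' or a list of specific origins")
    return findings


class ExternalLinkAuditor(HTMLParser):
    """Collect hrefs of <a target="_blank"> links that lack rel="noopener noreferrer"."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attributes = dict(attrs)
        if attributes.get("target") != "_blank":
            return
        rel = set((attributes.get("rel") or "").lower().split())
        if not {"noopener", "noreferrer"} <= rel:  # both tokens, as the checklist asks
            self.findings.append(attributes.get("href", ""))


def tabnabbing_links(html):
    """Return hrefs of links that open a new tab without the required rel tokens."""
    auditor = ExternalLinkAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed samples (not captured from any real service).
PASSING_HEADERS = {"Strict-Transport-Security": "max-age=31536000",
                   "Content-Security-Policy": API_CSP}
FAILING_HEADERS = {"Strict-Transport-Security": "max-age=300",
                   "Content-Security-Policy": "default-src 'self'; frame-src *"}
SAMPLE_HTML = """
<a href="https://example.com/a" target="_blank">unsafe</a>
<a href="https://example.com/b" target="_blank" rel="noopener noreferrer">safe</a>
<a href="https://example.com/c">same tab</a>
"""

if __name__ == "__main__":
    print(check_headers(PASSING_HEADERS))
    print(check_headers(FAILING_HEADERS))
    print(tabnabbing_links(SAMPLE_HTML))
```

Run against `FAILING_HEADERS` the checker reports five findings (short HSTS, no report-uri, no frame-ancestors, wildcard frame-src, missing object-src), which is the same shape of output a baseline scan gives, so the list can be kept at zero in CI before the external scan runs.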