Closed pjenvey closed 2 years ago
...and additionally the Rust-specific checklist:

A checklist for people using Rust to develop Firefox services, to be used in addition to the common checklist.

- Add `#![forbid(unsafe_code)]` to your crate (e.g. the top of `main.rs` or `lib.rs`)
Crate | Description |
---|---|
Actix web | Actix web is a small, pragmatic, and extremely fast rust web framework. |
Hyper | A fast and correct HTTP implementation for Rust. |
Reqwest | An ergonomic, batteries-included HTTP Client for Rust. |
Serde | Serde is a framework for serializing and deserializing Rust data structures efficiently and generically. |
Slog | The logging for Rust |
Linked to https://jira.mozilla.com/browse/CONSVC-8
FWIW: Observatory gives an "A" rating: https://observatory.mozilla.org/analyze/contile.services.mozilla.com?third-party=false
```
Status: Downloaded newer image for owasp/zap2docker-stable:latest
2021-07-06 23:57:05,231 Could not find custom hooks file at /home/zap/.zap_hooks.py
Jul 06, 2021 11:57:13 PM java.util.prefs.FileSystemPreferences$1 run
INFO: Created user preferences directory.
Total of 6 URLs
...
PASS: Loosely Scoped Cookie [90033]
FAIL-NEW: 0	FAIL-INPROG: 0	WARN-NEW: 0	WARN-INPROG: 0	INFO: 0	IGNORE: 0	PASS: 53
```
➤ David Durst commented:
Philip Jenvey I realize this is low priority. Just wondering if the remaining few items have been addressed for Contile – or rather, if there was a plan to knock out the last few things?
➤ Philip Jenvey commented:
David Durst Yea, I’m actively looking into one final item here
➤ Philip Jenvey commented:
The “A” score on the Mozilla Observatory appears due to the root URL linking to MDN: https://observatory.mozilla.org/analyze/developer.mozilla.org and it failing the SRI check.
I’ve pinged #mdn-dev about this and will follow up with them if they’d like an issue logged to improve their SRI support.
Everything else is done for Contile, closing out.
➤ Philip Jenvey commented:
Logged this for MDN SRI support: https://github.com/mdn/yari/issues/4823
From foxsec's web security checklist:

Risk Management

Infrastructure

- `strict-transport-security: max-age=31536000`
- `services.mozilla.com`, it must be manually added to Firefox's preloaded pins. This only applies to production services, not short-lived experiments.
- `X-Forwarded-For` to all back-end services.
- `frame-ancestors 'none'` to prevent iframe-related attacks, such as DOM-Based CSRF
- slim variants of official language-specific base docker images (e.g. node, python, or rust) and contact secops@ if you want to use other variants

Development

- `pip list --outdated` or requires.io or pyup outdated checks
- `cargo update` and `cargo upgrade` when changing versions
- Dual Sign Off

Logging

Web Applications

- `default-src none` or only allow specific origins and set `frame-src` and `object-src` to `none` if default-src is not `none`
- `default-src 'none'; frame-ancestors 'none'; base-uri 'none'` to disallow content rendering and framing/redressing
- `unsafe-inline` or `unsafe-eval` in `script-src`, `style-src`, or `img-src` directives
- `report-uri` directive to provide visibility into CSP violations
- `mgp-` + 20 hex digits would match the regexp `\bmgp-[0-9A-Fa-f]{20}\b`
- `__Host-` for the cookie name

Security Features

- `extensions.webextensions.restrictedDomains`. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.

Databases

Common issues

- `target="_blank"` in external links unless you also use `rel="noopener noreferrer"` (to prevent Reverse Tabnabbing)

Issue is synchronized with this Jira Task. Epic: General Project Tasks
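The CSP rules and the prefixed-API-key regexp quoted from the checklist above can be turned into checks a service's test suite runs against its own response headers and logs. The following is an added example in std-only Rust, not code from the foxsec checklist or from Contile; the `/csp-report` report-uri path, the two sample policies and the sample log line are constructed for the demonstration, and the key scanner treats only ASCII letters, digits and `_` as word characters when emulating `\b`.

```rust
// Added example (not from the foxsec checklist or the Contile project):
// applies the checklist's CSP rules to a Content-Security-Policy header value
// and scans text for API keys carrying the checklist's example `mgp-` prefix.
use std::collections::HashMap;

/// Parse a CSP header value into directive name -> source tokens.
fn parse_csp(policy: &str) -> HashMap<String, Vec<String>> {
    policy
        .split(';')
        .filter_map(|directive| {
            let mut parts = directive.split_whitespace();
            let name = parts.next()?.to_ascii_lowercase();
            Some((name, parts.map(str::to_string).collect()))
        })
        .collect()
}

/// Check a policy against the checklist rules; one finding per violated rule.
pub fn csp_findings(policy: &str) -> Vec<String> {
    let csp = parse_csp(policy);
    let is_none =
        |name: &str| csp.get(name).map_or(false, |v| v.len() == 1 && v[0] == "'none'");
    let mut findings = Vec::new();

    // default-src must be 'none' or a list of specific origins; when it is not
    // 'none', frame-src and object-src must be explicitly set to 'none'.
    match csp.get("default-src") {
        None => findings.push("default-src is missing".to_string()),
        Some(_) if !is_none("default-src") => {
            for d in ["frame-src", "object-src"] {
                if !is_none(d) {
                    findings.push(format!("{} must be 'none' when default-src is not 'none'", d));
                }
            }
        }
        Some(_) => {}
    }
    // No 'unsafe-inline' or 'unsafe-eval' in script-src, style-src or img-src.
    for d in ["script-src", "style-src", "img-src"] {
        if let Some(sources) = csp.get(d) {
            for bad in ["'unsafe-inline'", "'unsafe-eval'"] {
                if sources.iter().any(|s| s == bad) {
                    findings.push(format!("{} contains {}", d, bad));
                }
            }
        }
    }
    // frame-ancestors 'none' blocks framing/redressing.
    if !is_none("frame-ancestors") {
        findings.push("frame-ancestors should be 'none'".to_string());
    }
    // report-uri gives visibility into violations.
    if !csp.contains_key("report-uri") {
        findings.push("report-uri is missing".to_string());
    }
    findings
}

/// std-only equivalent of the checklist's `\bmgp-[0-9A-Fa-f]{20}\b`, generalised
/// to any prefix: returns every prefixed key found in `text`. Word characters
/// for the boundary test are ASCII alphanumerics and '_'.
pub fn find_prefixed_keys(text: &str, prefix: &str) -> Vec<String> {
    const HEX_LEN: usize = 20;
    let bytes = text.as_bytes();
    let is_word = |b: u8| b.is_ascii_alphanumeric() || b == b'_';
    let key_len = prefix.len() + HEX_LEN;
    let mut found = Vec::new();
    let mut i = 0;
    while i + key_len <= bytes.len() {
        let end = i + key_len;
        let at_boundary = (i == 0 || !is_word(bytes[i - 1]))
            && (end == bytes.len() || !is_word(bytes[end]));
        let has_prefix = &bytes[i..i + prefix.len()] == prefix.as_bytes();
        let hex_body = bytes[i + prefix.len()..end].iter().all(u8::is_ascii_hexdigit);
        if at_boundary && has_prefix && hex_body {
            found.push(text[i..end].to_string());
            i = end; // keys cannot overlap, skip past this one
        } else {
            i += 1;
        }
    }
    found
}

fn main() {
    // Constructed sample inputs for the demonstration (not real headers or logs).
    let api_policy =
        "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /csp-report";
    let weak_policy =
        "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'unsafe-eval'";
    println!("API policy findings: {:?}", csp_findings(api_policy));
    println!("weak policy findings: {:?}", csp_findings(weak_policy));
    let log_line = "user=alice key=mgp-0123456789abcdefABCD ok; xmgp-0123456789abcdefABCD not a key";
    println!("keys in log: {:?}", find_prefixed_keys(log_line, "mgp-"));
}
```

`csp_findings` returns nothing for the API policy from the checklist once a `report-uri` is added, and six findings for the weak web-application policy (missing `frame-src`/`object-src 'none'`, the two unsafe keywords, no `frame-ancestors 'none'`, no `report-uri`). `find_prefixed_keys` honours the regexp's exact `{20}` count and its word boundaries, so a 21-digit token or a token glued to a preceding letter is not reported.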