[ ] If the service is not hosted under services.mozilla.com, it must be manually added to Firefox's preloaded pins. This only applies to production services, not short-lived experiments.
If the service has an admin panel, it must:
[x] only be available behind Mozilla VPN (which provides MFA)
[x] require Auth0 authentication
Development
[x] Ensure your code repository is configured and located appropriately:
[x] Applications built internally should be hosted in trusted GitHub organizations (mozilla, mozilla-services, mozilla-bteam, mozilla-conduit, mozilla-mobile, taskcluster). Sometimes we build and deploy applications we don't fully control. In those cases, the Dockerfile that builds the application container should be hosted in its own repository in a trusted organization.
Signature verification will eventually become a requirement for shipping a release to staging and prod: the tag being deployed in the pipeline must have a matching tag in git signed by a project owner. This control is designed to reduce the risk of a 3rd-party GitHub integration compromising our source code.
[ ] enable security scanning of 3rd-party libraries and dependencies
Enable branch protection for master and other development branches. Make sure the approved-mozilla-pyup-configuration team CANNOT push to those branches.
From the "add a team" dropdown on your repo's /settings page
Add the "Approved Mozilla PyUp Configuration" team for your GitHub org (e.g. for mozilla and mozilla-services)
Grant it write permission so it can make pull requests
Notify secops@mozilla.com to enable the integration in pyup
[x] Keep 3rd-party libraries up to date (in addition to the security updates):
nsp check for node.js (see usage in FxA and screenshots)
pip list --outdated or requires.io or pyup outdated checks
cargo update and cargo upgrade when changing versions
Use whitelisting mechanisms in these tools to deal with false positives
Dual Sign Off
[x] Services that push data to Firefox clients must require a dual sign off on every change, implemented in their admin panels
This mechanism must be reviewed and approved by the Firefox Operations Security team before being enabled in production
Logging
[x] Publish detailed logs in mozlog format (APP-MOZLOG)
Business logic must be logged with app specific codes (see FxA)
Access control failures must be logged at WARN level
Security Headers
[ ] Must have a CSP with
[ ] a report-uri pointing to the service's own / endpoint
[ ] web API responses should return default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri / to disallow all content rendering and framing, and to report violations
[ ] if default-src is not 'none', frame-src and object-src should be 'none' or only allow specific origins
[ ] no use of unsafe-inline or unsafe-eval in script-src, style-src, and img-src
[x] Web APIs must set a non-HTML content-type on all responses, including 300s, 400s and 500s
[x] Set the Secure and HttpOnly flags on cookies, and use a sensible expiration
[ ] Verify your application doesn't have any failures on the Security Baseline.
Contact secops@ or ping 'psiinon' on GitHub to document exceptions to the baseline, mark CSRF-exempt forms, etc.
[ ] Web APIs should export an OpenAPI (Swagger) to facilitate automated vulnerability tests
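As an added example (not code from the Mozilla checklist or any Mozilla service), a small Python checker that parses a Content-Security-Policy header and tests it against the CSP rules in this section; the policy strings are constructed samples.

```python
# Added example, not from the Mozilla checklist or any Mozilla project: a checker for the
# CSP rules in this section. Policies are parsed as "directive value value; ..." strings.
from typing import Dict, List

UNSAFE = ("'unsafe-inline'", "'unsafe-eval'")
# Web API responses must disallow all rendering and framing.
API_REQUIRED = {"default-src": ["'none'"], "frame-ancestors": ["'none'"], "base-uri": ["'none'"]}

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def check_csp(header: str, web_api: bool = False) -> List[str]:
    """Return the checklist rules the policy violates (an empty list means it passes)."""
    p = parse_csp(header)
    problems: List[str] = []
    # report-uri must point at the service's own "/" endpoint
    if p.get("report-uri") != ["/"]:
        problems.append("report-uri must be exactly '/'")
    # no unsafe-inline / unsafe-eval in script-src, style-src and img-src
    for directive in ("script-src", "style-src", "img-src"):
        for bad in UNSAFE:
            if bad in p.get(directive, []):
                problems.append(f"{directive} allows {bad}")
    default = p.get("default-src")
    if default is None:
        problems.append("default-src is missing")
    elif default != ["'none'"]:
        # frame-src and object-src fall back to default-src when absent, so they
        # must be set explicitly to 'none' or to specific origins (no wildcards)
        for directive in ("frame-src", "object-src"):
            sources = p.get(directive)
            if not sources or "*" in sources:
                problems.append(f"{directive} must be 'none' or specific origins")
    if web_api:
        for directive, wanted in API_REQUIRED.items():
            if p.get(directive) != wanted:
                problems.append(f"web API responses must set {directive} 'none'")
    return problems

# Constructed sample policies.
API_POLICY = "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /"
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; report-uri /"

if __name__ == "__main__":
    print(check_csp(API_POLICY, web_api=True))   # []
    print(check_csp(WEAK_POLICY))
```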
Security Features
[x] Authentication of end-users should be via FxA. Authentication of Mozillians should be via Auth0/SSO. Any exceptions must be approved by the security team.
[x] Session Management should be via existing and well regarded frameworks. In all cases you should contact the security team for a design and implementation review
Store session keys server side (typically in a db) so that they can be revoked immediately.
Session keys must be changed on login to prevent session fixation attacks.
Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login).
[x] Forms that change state should use anti-CSRF tokens. Anti-CSRF tokens can be dropped for internal sites using SameSite session cookies where we are sure all users will be on Firefox 60+. Forms that do not change state (e.g. search forms) should use the 'data-no-csrf' form attribute.
[ ] Access Control should be via existing and well regarded frameworks. If you really do need to roll your own then contact the security team for a design and implementation review.
[ ] If you are building a core Firefox service, consider adding it to the list of restricted domains in the preference extensions.webextensions.restrictedDomains. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.
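As an added example (not from the Mozilla checklist or any Mozilla project), a minimal server-side session store in Python following the session rules above: sessions are kept server side so revocation is immediate, the session id is replaced on login, and the cookie carries HttpOnly, Secure and SameSite (Strict or Lax only). The class and function names are hypothetical.

```python
# Added example, not from the Mozilla checklist or any Mozilla project. SessionStore and
# session_cookie_header are hypothetical names chosen for this illustration.
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional

class SessionStore:
    """Sessions live server side, keyed by a random id, so revoking one takes effect at once."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, data: Optional[dict] = None) -> str:
        sid = secrets.token_urlsafe(32)           # 256 bits of randomness per session id
        self._sessions[sid] = dict(data or {})
        return sid

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def login(self, old_sid: Optional[str], user_id: str) -> str:
        """Issue a fresh id on login and drop the pre-login id (prevents session fixation)."""
        carried = self._sessions.pop(old_sid, {}) if old_sid else {}
        carried["user_id"] = user_id
        return self.create(carried)

    def revoke(self, sid: str) -> bool:
        """Delete the server-side record; the cookie value is useless from now on."""
        return self._sessions.pop(sid, None) is not None

def session_cookie_header(sid: str, max_age: int = 3600, same_site: str = "Lax") -> str:
    """Build the Set-Cookie value: HttpOnly, Secure, SameSite and a bounded lifetime."""
    if same_site not in ("Strict", "Lax"):
        raise ValueError("SameSite must be Strict or Lax")
    cookie = SimpleCookie()
    cookie["sessionid"] = sid
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["samesite"] = same_site
    cookie["sessionid"]["max-age"] = max_age
    cookie["sessionid"]["path"] = "/"
    return cookie["sessionid"].OutputString()

if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    logged_in = store.login(anonymous, "user-42")
    print("Set-Cookie:", session_cookie_header(logged_in))
```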
Databases
[x] All SQL queries must be parameterized, not concatenated
[x] Applications must use accounts with limited GRANTS when connecting to databases
In particular, applications must not use admin or owner accounts, to decrease the impact of a SQL injection vulnerability.
Common issues
POST body size should be small (<500kB) unless explicitly needed
[x] When managing permissions, make sure access controls are enforced server-side
[x] If caching is used then make sure that any data cached does not incorrectly allow access to data protected by access control
[x] If handling cryptographic keys, must have a mechanism to handle quarterly key rotations
Keys used to sign sessions don't need a rotation mechanism if destroying all sessions is acceptable in case of emergency.
[x] Do not proxy requests from users without strong limitations and filtering (see Pocket UserData vulnerability). Don't proxy requests to link local, loopback, or private networks or DNS that resolves to addresses in those ranges (i.e. 169.254.0.0/16, 127.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16, 198.18.0.0/15).
[x] Do not use target="_blank" in external links unless you also use rel="noopener noreferrer" (to prevent Reverse Tabnabbing)
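As an added example (not from the Mozilla checklist or any Mozilla project), a Python check that refuses proxy targets resolving into the ranges listed above; it goes beyond the list by also covering IPv6 loopback, link-local and unique-local addresses and by unwrapping IPv4-mapped IPv6 literals. Name resolution is passed in as a function, so the sample runs offline against constructed DNS answers.

```python
# Added example, not from the Mozilla checklist or any Mozilla project. Hostnames and
# DNS answers below are constructed; the resolver is injected so this runs offline.
import ipaddress
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    # ranges named in the checklist item
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15",
    # IPv6 equivalents added in this example: loopback, link-local, unique local
    "::1/128", "fe80::/10", "fc00::/7",
)]

def is_blocked_address(ip: str) -> bool:
    """True if the address lies in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return any(addr in net for net in BLOCKED_NETWORKS)

def proxy_target_allowed(url: str, resolve: Callable[[str], Iterable[str]]) -> bool:
    """Allow only http(s) URLs whose host resolves exclusively to non-blocked addresses."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False
    try:
        addrs: List[str] = [str(ipaddress.ip_address(host))]   # IP literal, no lookup
    except ValueError:
        addrs = list(resolve(host))                           # every A/AAAA answer
    if not addrs:
        return False
    # One blocked answer is enough to refuse: a mixed answer set cannot be trusted.
    # A real proxy should also connect to the vetted address itself rather than resolve
    # the name a second time, otherwise the answer can change between check and use.
    return not any(is_blocked_address(a) for a in addrs)

# Constructed DNS answers used for the offline demonstration.
CONSTRUCTED_DNS = {
    "public.example": ["93.184.216.34"],
    "linklocal.example": ["169.254.10.20"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}

def fake_resolve(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])

if __name__ == "__main__":
    for u in ("https://public.example/feed", "http://10.1.2.3/", "https://mixed.example/"):
        print(u, proxy_target_allowed(u, fake_resolve))
```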
A security review with foxsec, tracked by the foxsec checklist above, must be initiated before this new megaphone endpoint codebase hits production.