Closed bbangert closed 5 years ago
You might want to go through this, though I expect most of it will not apply to this project, so just cross it off or mark it as done.
strict-transport-security: max-age=31536000
services.mozilla.com, it must be manually added to Firefox's preloaded pins.
pip list --outdated or requires.io too
/__cspreport__ endpoint
default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__
to disallowing all content rendering, framing, and report violations
none, frame-src, and object-src should be none or only allow specific origins
target="_blank" in external links unless you also use rel="noopener noreferrer" (to prevent Reverse Tabnabbing)

This is blocked on pushbox being 'complete'.
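The checklist fragments above describe header values a reviewer would verify on a deployed service: HSTS with a one-year max-age, a CSP whose default-src, frame-ancestors and base-uri are 'none', frame-src/object-src restricted to 'none' or specific origins, and a report-uri pointing at /__cspreport__. The following is an added example, not pushbox's own code or anything from this issue: a small Python checker that parses the two headers and lists which of those items fail. The sample response headers at the bottom are constructed for the demonstration; the directive names and values are the ones quoted in the checklist.

```python
"""Audit HSTS and CSP response headers against the review checklist items quoted above.

Added example, not pushbox code. Header names and checklist values come from the
issue text; the sample headers in __main__ are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional

MIN_HSTS_MAX_AGE = 31536000  # one year, as in the checklist
CSP_REPORT_ENDPOINT = "/__cspreport__"  # report-uri value from the checklist


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [source expressions]}.

    Directives are separated by ';' and tokenised on whitespace; directive names
    are case-insensitive. A repeated directive is ignored after its first
    occurrence, which matches how browsers treat it.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def hsts_max_age(header: str) -> int:
    """Return the max-age from a Strict-Transport-Security value, or -1 if absent."""
    match = re.search(r'max-age\s*=\s*"?(\d+)"?', header, re.IGNORECASE)
    return int(match.group(1)) if match else -1


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return checklist findings for a set of response headers; [] means all passed."""
    findings: List[str] = []
    lower = {name.lower(): value for name, value in headers.items()}

    # HSTS must be present with at least a one-year max-age.
    age = hsts_max_age(lower.get("strict-transport-security", ""))
    if age < MIN_HSTS_MAX_AGE:
        findings.append(
            f"strict-transport-security: max-age {age} is below {MIN_HSTS_MAX_AGE} (or header missing)"
        )

    csp_raw: Optional[str] = lower.get("content-security-policy")
    if csp_raw is None:
        findings.append("content-security-policy: header missing")
        return findings
    csp = parse_csp(csp_raw)

    # No content rendering by default, no framing, no <base> injection.
    for directive in ("default-src", "frame-ancestors", "base-uri"):
        if csp.get(directive) != ["'none'"]:
            findings.append(f"{directive}: should be 'none'")

    # frame-src and object-src: 'none' or specific origins only. When absent they
    # fall back to default-src (frame-src via child-src), so absence is acceptable
    # once default-src is 'none'; a wildcard or scheme-only source is not.
    for directive in ("frame-src", "object-src"):
        sources = csp.get(directive)
        if sources is None or sources == ["'none'"]:
            continue
        if any(src in ("*", "http:", "https:", "data:") for src in sources):
            findings.append(
                f"{directive}: wildcard source, restrict to 'none' or specific origins"
            )

    # Violations must be reported to the review's CSP report endpoint.
    if CSP_REPORT_ENDPOINT not in csp.get("report-uri", []):
        findings.append(f"report-uri: should point at {CSP_REPORT_ENDPOINT}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers for the demonstration (not captured from any service).
    compliant = {
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Security-Policy": (
            "default-src 'none'; frame-ancestors 'none'; base-uri 'none'; "
            "report-uri /__cspreport__"
        ),
    }
    weak = {
        "Strict-Transport-Security": "max-age=300",
        "Content-Security-Policy": "default-src 'self'; object-src *",
    }
    for label, hdrs in (("compliant", compliant), ("weak", weak)):
        print(f"{label}: {audit_headers(hdrs) or 'all checklist items pass'}")
```

The checker deliberately treats a missing frame-src or object-src as acceptable only because the fallback chain lands on default-src, which the same run requires to be 'none'; if you relax the default-src check for a service that must render its own content, add explicit frame-src and object-src checks alongside it.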
any update?
I believe we are waiting till rustbox is ready, as that will be the final prod version, not the AWS serverless one.
@jrconlin what followup do we need on this issue now that things are ready for prod?
Going to go through the checklist this morning, then see about getting it scheduled for review. If you like, you can add it to any new FxA service review you're doing, or I can keep it separate.
Added Risk Record bug
Closing as complete. No additional actions requested by OpSec.
When pushbox is ready to go to prod, it needs a security review. Correlating privatesec-review issue: