Closed · rehandalal closed this 6 years ago
New service issue: https://github.com/mozilla-services/foxsec/issues/867
@psiinon I can't seem to access Security Baseline.
I get a 404 on https://github.com/mozilla-services/foxsec-results/blob/master/baseline-scan/Baseline-Services.md
@rehandalal everyone in https://github.com/orgs/mozilla-services/teams/product-delivery should be able to see it now.
Closing this as I believe we have worked through this checklist
## Risk Management

## Infrastructure

- HSTS header: `strict-transport-security: max-age=31536000` (one year)
- If the service has a `services.mozilla.com` subdomain, it must be manually added to Firefox's preloaded pins. This only applies to production services, not short-lived experiments.

## Development
- `nsp check` for node.js (see usage in FxA and screenshots)
- `pip list --outdated`, or requires.io or pyup outdated checks
- `cargo update`, and `cargo upgrade` when changing versions

Dual Sign Off
## Logging

## Security Headers

- A `/__cspreport__` endpoint that receives CSP violation reports
- `default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__` to disallow all content rendering and framing, and to report violations
- `frame-src` and `object-src` should be `'none'` or only allow specific origins

## Security Features
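The HSTS item under Infrastructure and the CSP items above are easy to check mechanically. The following is an added example for this page (not Mozilla's own tooling): it parses the two response headers and reports every way a service deviates from the checklist, including `frame-src`/`object-src` values such as `*` or a bare `https:` scheme that are neither `'none'` nor a specific origin. The sample header values are constructed; `/__cspreport__` and the one-year `max-age` come from the checklist, and treating `'self'` as a specific origin is this example's choice.

```python
"""Check HSTS and CSP response headers against the checklist above.

Added example; not Mozilla's own tooling. Header values below are constructed.
"""
from urllib.parse import urlparse

MIN_HSTS_MAX_AGE = 31536000           # one year, as the checklist requires
REPORT_ENDPOINT = "/__cspreport__"    # report endpoint from the checklist
REQUIRED_NONE = ("default-src", "frame-ancestors", "base-uri")
ORIGIN_RESTRICTED = ("frame-src", "object-src")   # 'none' or explicit origins only


def parse_csp(value):
    """Parse a CSP header into {directive: [source, ...]} with lower-cased names."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value):
    """Return the integer max-age of a Strict-Transport-Security header, or None."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def is_specific_origin(source):
    """True for 'self' or an explicit scheme+host; False for wildcards, bare
    schemes (https:, data:) and keywords such as 'unsafe-inline'."""
    if source == "'self'":            # assumption: the site's own origin counts
        return True
    if "*" in source:
        return False
    parsed = urlparse(source)
    return bool(parsed.scheme) and bool(parsed.netloc)


def check_headers(headers):
    """Return a list of findings; an empty list means the headers pass."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        max_age = parse_hsts(hsts)
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
        return findings
    policy = parse_csp(csp)

    for directive in REQUIRED_NONE:
        if policy.get(directive) != ["'none'"]:
            findings.append(f"{directive} must be 'none'")
    if policy.get("report-uri") != [REPORT_ENDPOINT]:
        findings.append(f"report-uri must be {REPORT_ENDPOINT}")
    for directive in ORIGIN_RESTRICTED:
        sources = policy.get(directive)
        if sources is None:
            continue   # absent: inherits default-src 'none', which is fine
        if sources != ["'none'"] and not all(is_specific_origin(s) for s in sources):
            findings.append(f"{directive} must be 'none' or specific origins: {sources}")
    return findings


# Constructed sample headers: one compliant set, one with three problems.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'; "
                               "base-uri 'none'; report-uri /__cspreport__",
}
BAD_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; "
                               "base-uri 'none'; object-src *; report-uri /__cspreport__",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(name, check_headers(hdrs) or "OK")
```

Feed it the headers of a real response (for example from `requests.head(url).headers`) to check a deployed service. Note that `report-uri` is what the checklist asks for, but browsers have since deprecated it in favour of `report-to`; a policy that sends both keeps older and newer browsers reporting.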
- `extensions.webextensions.restrictedDomains`: adding the service's domain to this list prevents a malicious extension from being able to steal sensitive information from it, see bug 1415644.

## Databases
## Common issues

- Don't use `target="_blank"` in external links unless you also use `rel="noopener noreferrer"` (to prevent Reverse Tabnabbing).
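A scanner for the reverse-tabnabbing item, added here as an example (not part of the original issue or Mozilla's tooling). It walks the anchors of a page with the standard-library `html.parser`, treats a link as external when its host differs from the site's own, and reports every `target="_blank"` external link whose `rel` lacks `noopener`. The sample HTML and the site host `example.services.mozilla.com` are constructed for the example.

```python
"""Find external target="_blank" links that lack rel="noopener".

Added example; not Mozilla's own tooling. SAMPLE_HTML and SITE_HOST are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.services.mozilla.com"   # assumed host of the scanned site

# Constructed page: links 1, 4 and 5 should be flagged.
SAMPLE_HTML = """
<a href="https://support.mozilla.org/" target="_blank">help</a>
<a href="https://addons.mozilla.org/" target="_blank" rel="noopener noreferrer">addons</a>
<a href="/settings" target="_blank">settings</a>
<a href="https://bugzilla.mozilla.org/" target="_blank" rel="nofollow">bug</a>
<a href="//cdn.example.org/x" target="_BLANK">cdn</a>
"""


def is_external(href, site_host):
    """A link is external when it names a host other than the site's own."""
    netloc = urlparse(href).netloc.lower()
    return bool(netloc) and netloc != site_host.lower()


def has_noopener(rel):
    """The checklist asks for both tokens; 'noopener' is the one that
    severs window.opener, so that is what we require."""
    return "noopener" in {t.lower() for t in (rel or "").split()}


class TabnabbingScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)                      # parser lower-cases attribute names
        href = a.get("href")
        target = (a.get("target") or "").lower()
        if not href or target != "_blank":
            return
        if is_external(href, self.site_host) and not has_noopener(a.get("rel")):
            self.findings.append(href)


def find_tabnabbing_links(html, site_host=SITE_HOST):
    """Return hrefs of external new-tab links that can reach window.opener."""
    scanner = TabnabbingScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for href in find_tabnabbing_links(SAMPLE_HTML):
        print("missing rel=noopener:", href)
```

Run it over rendered templates or a crawled copy of the site. Protocol-relative links (`//host/path`) are external too, and `target` is matched case-insensitively, since both are easy to miss with a plain grep for `target="_blank"`.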