Closed ianb closed 4 years ago
Once we're in production, we'll start checking off this list.
@jbuck once you have the deploys done, can you hit the ops stuff on this list? Thank you
@jvehent Hey, I've done a first pass through some of the dev items on this list, while some of the others don't really apply, and yet others will take some work. Are there any items that are higher priority, and which we'd definitely want to finish up before an initial release of the payments / subscription server?
The value for HSTS max-age is 15552000 across all the FxA packages. It's also the current value in prod accounts.firefox.com. It's easy to update it for the payments server, but the inconsistency is going to make me sad.
@jrgm What are the URLs for staging and production? I'd like to update our metadata.
Remaining issues:
Thanks @jvehent. I filed #2649 and #2650 to track those last two and will close this giant list. :+1:
I'll file a bug against observatory and link it to #2650.
I'm not sure this is a bug in observatory. curl returns the same results:
```
$ curl -si https://subscriptions.firefox.com/ |grep strict-transport-security
strict-transport-security: max-age=31536000; includeSubDomains
strict-transport-security: max-age=31536000
strict-transport-security: max-age=31536000
```
@jvehent Yup, thanks. I was just puzzling over a number of repeated headers in the raw curl output, digging in the curl manual to make sure I wasn't missing an argument
## Risk Management

## Infrastructure

- `strict-transport-security: max-age=31536000`
- Services hosted under services.mozilla.com must be manually added to Firefox's preloaded pins. This only applies to production services, not short-lived experiments.
- `X-Forwarded-For` to all back-end services.

## Development

- `npm audit` with audit-filter to review and handle exceptions (see example in speech-proxy)
- `pip list --outdated` or requires.io or pyup outdated checks
- `cargo update` and `cargo upgrade` when changing versions

## Dual Sign Off

## Logging

## Web Applications

- `/__cspreport__` endpoint
- `default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__` to disallow all content rendering and framing, and report violations
- `none`, `frame-src`, and `object-src` should be `none` or only allow specific origins

## Security Features

- `extensions.webextensions.restrictedDomains`. This will prevent a malicious extension from being able to steal sensitive information from it, see bug 1415644.

## Databases

## Common issues

- Don't use `target="_blank"` in external links unless you also use `rel="noopener noreferrer"` (to prevent Reverse Tabnabbing)

(This is a copy of the checklist from #741)
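An added example for the HSTS and CSP items of the checklist, and for the repeated `strict-transport-security` lines in the curl output earlier in the thread. This is example code written for this page, not code from the fxa project or from the checklist. It parses a raw HTTP response and reports where the headers fall short of the checklist values (`max-age=31536000`, the `default-src 'none'; frame-ancestors 'none'; base-uri 'none'; report-uri /__cspreport__` policy, and `frame-src`/`object-src` restricted to `'none'` or named origins). The two responses are constructed samples, one modelled on the curl output in the thread and one using the 15552000 max-age mentioned above; the function names are my own. One caveat it encodes: when a response carries several STS headers, RFC 6797 section 8.1 says the user agent processes only the first, so copies that differ in directives are reported.

```python
"""Check HSTS and CSP response headers against the checklist values.

Added example, not part of the original issue or the fxa project.
"""

MIN_HSTS_MAX_AGE = 31536000  # checklist value: one year
REQUIRED_CSP = {"default-src": "'none'", "frame-ancestors": "'none'", "base-uri": "'none'"}
CSP_REPORT_URI = "/__cspreport__"


def parse_headers(raw):
    """Return [(name, value)] from a raw HTTP response, names lower-cased.
    Duplicate header names are kept, in order, so every copy can be inspected."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_hsts(value):
    """Parse an STS value into {directive: value}; flag directives map to None."""
    directives = {}
    for piece in value.split(";"):
        piece = piece.strip()
        if piece:
            key, sep, val = piece.partition("=")
            directives[key.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def parse_csp(value):
    """Parse a CSP value into {directive: [sources]}."""
    policy = {}
    for piece in value.split(";"):
        tokens = piece.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_response(raw):
    """Return a list of findings; an empty list means the response passes."""
    findings = []
    headers = parse_headers(raw)

    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS: header missing")
    else:
        # RFC 6797 s8.1: a user agent processes only the first STS header field,
        # so that copy is the one checked and any differing copies are reported.
        first = parse_hsts(hsts[0])
        try:
            max_age = int(first.get("max-age") or "")
        except ValueError:
            max_age = -1
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS: max-age=%s is below %d" % (first.get("max-age"), MIN_HSTS_MAX_AGE))
        if len(hsts) > 1 and any(parse_hsts(v) != first for v in hsts[1:]):
            findings.append("HSTS: %d copies with differing directives; only the first (%r) is enforced"
                            % (len(hsts), hsts[0]))

    csp = [v for n, v in headers if n == "content-security-policy"]
    if not csp:
        findings.append("CSP: header missing")
    for value in csp:
        policy = parse_csp(value)
        for directive, want in REQUIRED_CSP.items():
            if policy.get(directive) != [want]:
                got = " ".join(policy.get(directive, [])) or "<absent>"
                findings.append("CSP: %s should be %s, got %s" % (directive, want, got))
        if policy.get("report-uri") != [CSP_REPORT_URI]:
            findings.append("CSP: report-uri should be %s" % CSP_REPORT_URI)
        for directive in ("frame-src", "object-src"):
            # Absent is fine: it falls back to default-src 'none'. When present it must be
            # 'none' or named origins, so wildcard and scheme-only sources are flagged.
            sources = policy.get(directive)
            if sources is not None and sources != ["'none'"] and \
                    any(s == "*" or s.endswith(":") for s in sources):
                findings.append("CSP: %s should be 'none' or specific origins, got %s"
                                % (directive, " ".join(sources)))
    return findings


# Constructed sample modelled on the curl output in the thread (three STS copies).
SAMPLE_PROD = (
    "HTTP/1.1 200 OK\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
    "strict-transport-security: max-age=31536000\r\n"
    "strict-transport-security: max-age=31536000\r\n"
    "content-security-policy: default-src 'none'; frame-ancestors 'none'; "
    "base-uri 'none'; report-uri /__cspreport__\r\n"
    "\r\n<html></html>"
)

# Constructed sample using the 15552000 max-age mentioned in the thread and a weak CSP.
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=15552000\r\n"
    "content-security-policy: default-src 'none'; frame-ancestors 'none'; object-src *\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("prod-like", SAMPLE_PROD), ("weak", SAMPLE_WEAK)):
        print(label, check_response(raw) or ["ok"])
```

Run it against a live host by feeding the output of `curl -si https://host/` into `check_response`; the prod-like sample passes every value check but is still reported for the three differing STS copies, since a browser will only honour the first of them.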