Closed jvehent closed 6 years ago
The base setup already gets a B+ on the observatory so I checked the sections that already pass. Please go through the unchecked items, preferably before going live.
27/27... @jvehent @clouserw Any objections to us closing this?
I'm happy if @jvehent is happy
No objection. Thanks for going through it!
Risk Management

Infrastructure rules

- strict-transport-security: max-age=31536000
- Public-Key-Pins: max-age=5184000; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=";
- Pin max-age: start at max-age=300 and increase progressively
- services.mozilla.com: it must be manually added to Firefox's preloaded pins.

Coding rules

The following rules apply to all web applications: API and websites.

- CSP violation reports: /__cspreport__ endpoint
- default-src: none, disallowing all content rendering
- self
- frame-src and object-src should be none or only allow specific origins
- All SQL queries must be parameterized, not concatenated (APP-SQL)
- Set the Secure and HTTPOnly flags on cookies, and use a sensible expiration (APP-SECCOOKIE)
- For Python applications, enable pyup security updates
- Applications must use accounts with limited GRANTS when connecting to databases (APP-DBPRIV)

(edit) - crossed out N/A items
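Added here as an illustration, not part of the issue or of the Mozilla checklist itself: a small Python audit of one HTTP response's headers against the header-related rules above (HSTS max-age, HPKP pins, CSP default-src/frame-src/object-src and the /__cspreport__ report endpoint, Secure/HttpOnly cookies with an expiration). The sample headers and pin values are constructed placeholders.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample headers (placeholder pins), not a real deployment.
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000",
    "Public-Key-Pins": 'max-age=300; pin-sha256="PRIMARY_PIN_PLACEHOLDER="; '
                       'pin-sha256="BACKUP_PIN_PLACEHOLDER="',
    "Content-Security-Policy": "default-src 'none'; frame-src 'none'; "
                               "object-src 'none'; report-uri /__cspreport__",
    "Set-Cookie": ["sessionid=abc123; Secure; HttpOnly; Max-Age=3600"],
}

def audit_headers(headers):
    """Return checklist findings for one response. `headers` maps header names
    (any case) to values; Set-Cookie may be a list because it can repeat."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # HSTS: present with max-age of at least one year (31536000 seconds)
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < 31536000:
        findings.append("HSTS missing or max-age below 31536000")
    # HPKP: if sent, it needs at least two pins (RFC 7469 requires a backup pin)
    hpkp = h.get("public-key-pins")
    if hpkp is not None and len(re.findall(r'pin-sha256="[^"]+"', hpkp)) < 2:
        findings.append("HPKP header has fewer than two pin-sha256 values")
    # CSP: default-src 'none'; frame-src/object-src 'none' or explicit origins; reports to /__cspreport__
    directives = {}
    for part in h.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    if directives.get("default-src") != ["'none'"]:
        findings.append("CSP default-src is not 'none'")
    for d in ("frame-src", "object-src"):
        vals = directives.get(d, directives.get("default-src"))  # CSP fallback rule
        if vals is None or "*" in vals:
            findings.append(f"CSP {d} must be 'none' or specific origins")
    if directives.get("report-uri") != ["/__cspreport__"]:
        findings.append("CSP report-uri is not /__cspreport__")
    # Cookies: Secure and HttpOnly flags, plus an explicit expiration
    cookies = h.get("set-cookie", [])
    for raw in [cookies] if isinstance(cookies, str) else cookies:
        for name, morsel in SimpleCookie(raw).items():
            if not (morsel["secure"] and morsel["httponly"]):
                findings.append(f"cookie {name} lacks Secure/HttpOnly")
            if not (morsel["max-age"] or morsel["expires"]):
                findings.append(f"cookie {name} has no expiration")
    return findings
```

Run `audit_headers` over a captured response's headers; an empty list means every header rule above is satisfied.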