mozilla / vinz-clortho

INACTIVE - http://mzl.la/ghe-archive - BrowserID Keymaster for LDAP enabled Identity Providers

Final security pass #11

Closed ozten closed 11 years ago

ozten commented 11 years ago

from https://bugzilla.mozilla.org/show_bug.cgi?id=867489

lloyd commented 11 years ago

Review of https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

Authentication Attacks: authentication throttling is present in the application to mitigate online brute force. No passwords are held by the app for offline attacks (it's a proxy to LDAP).

Password Complexity dictated by LDAP, not a concern.

Account Lockout and Failed Login: We return a neutral message upon account lockout. A usability loss, but conforming to security guidelines.

Password Reset Functions: no such page

Password Storage: we don't

Session handling: 1 day duration, encrypted. httpOnly specified. secure (ssl-only) cookies in use.

That's the first half ... to be continued.

lloyd commented 11 years ago

Input Validation: requires a code audit. Forthcoming.

CSRF: implemented and unit tested

X-Frame-Options: implemented and unit tested (see attached pull request)

Transport Security: all pages only available over SSL.

CSP: not yet implemented, adding a checkbox to investigate.

STS: not yet implemented, adding a checkbox to investigate

Logging: CEF logging implemented; the only PII ever logged to server logs is email addresses.

Uploads: not applicable.

Admin pages: there are none - not applicable.

Error messages: no stacks or dynamic information is returned from the server.

Complete! Added a couple of checkboxes for the two items that came up and were not fixed as part of performing the code / security review.
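The session-cookie and header items reviewed above (HttpOnly, Secure, one-day lifetime, X-Frame-Options, and the still-open STS and CSP checkboxes) can be checked mechanically against a response. The following is an added example, not vinz-clortho code; the header names, the one-day cookie limit and the sample response are assumptions drawn from the thread, and the headers object uses Node's lowercased-key shape.

```javascript
// Added example (not project code): audit an HTTP response against the items
// listed in the review above. Header names and the one-day limit are assumptions.
const ONE_DAY_SECONDS = 24 * 60 * 60;

// Parse one Set-Cookie header value into { name, attrs }; attribute keys are lowercased.
function parseSetCookie(value) {
  const [pair, ...rest] = value.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attrs = {};
  for (const part of rest) {
    const [k, v] = part.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, attrs };
}

// headers: object with lowercased keys; 'set-cookie' is an array (Node IncomingMessage shape).
// Returns an array of finding strings; an empty array means every reviewed item passed.
function auditResponseHeaders(headers) {
  const findings = [];
  for (const raw of headers['set-cookie'] || []) {
    const { name, attrs } = parseSetCookie(raw);
    if (!('httponly' in attrs)) findings.push(`cookie ${name}: missing HttpOnly`);
    if (!('secure' in attrs)) findings.push(`cookie ${name}: missing Secure`);
    if ('max-age' in attrs && Number(attrs['max-age']) > ONE_DAY_SECONDS) {
      findings.push(`cookie ${name}: Max-Age exceeds one day`);
    }
  }
  const xfo = (headers['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') {
    findings.push('X-Frame-Options missing or not DENY/SAMEORIGIN');
  }
  if (!headers['strict-transport-security']) findings.push('Strict-Transport-Security missing');
  if (!headers['content-security-policy']) findings.push('Content-Security-Policy missing');
  return findings;
}

// Constructed sample matching the state described in the review: cookie flags and
// X-Frame-Options in place, STS and CSP not yet implemented.
const sampleHeaders = {
  'set-cookie': ['session=abc123; Path=/; Max-Age=86400; HttpOnly; Secure'],
  'x-frame-options': 'DENY',
  'content-type': 'text/html',
};

console.log(auditResponseHeaders(sampleHeaders));
```

Run against the constructed sample it reports exactly the two open checkboxes from the review (STS and CSP); run against a real response it shows which of the listed items are still missing.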

lloyd commented 11 years ago

All issues are addressed except routing CEF logging into Mozilla's SecOps team. Opening a new, distinct issue for that and closing this down.