Closed ozten closed 11 years ago
Review of https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines
Authentication Attacks: authentication throttling is present in the application to mitigate online brute force. No passwords are held by the app for offline attacks (it's a proxy to ldap)
Password Complexity dictated by LDAP, not a concern.
Account Lockout and Failed Login: We return a neutral message upon account lockout. A usability loss, but conforming to security guidelines.
Password Reset Functions: no such page
Password Storage: we don't
Session handling: 1-day duration, encrypted. HttpOnly specified. Secure (SSL-only) cookies in use.
That's the first half ... to be continued.
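The two controls called out above (authentication throttling against online brute force, and a single neutral message on lockout or failure) fit together in a small piece of code. The following is an added illustration, not code from the reviewed application; the limits, the LDAP stand-in `verify_against_directory`, and the sample account are constructed assumptions.

```python
import time
from collections import defaultdict, deque

# Constructed policy values (assumptions, not the reviewed app's real settings).
MAX_FAILURES = 5          # failed attempts allowed inside the sliding window
WINDOW_SECONDS = 300      # sliding window length
LOCKOUT_SECONDS = 900     # how long a key stays throttled after hitting the limit

# One neutral message for every failure path, so the response never reveals
# whether the account exists, the password was wrong, or the account is locked.
NEUTRAL_MESSAGE = "Unable to sign in. Check your credentials and try again."


class LoginThrottle:
    """Sliding-window throttle keyed by (username, client address)."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> unix time the lockout expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and q[0] <= now - WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key):
        now = self._now()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: forget it and the failures that caused it.
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self._now()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= MAX_FAILURES:
            self._locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, key):
        self._failures.pop(key, None)


def verify_against_directory(username, password):
    """Stand-in for the LDAP bind the real app performs (assumption).

    Constructed directory with a single valid account, for demonstration only.
    """
    return (username, password) == ("alice", "correct horse battery staple")


def attempt_login(throttle, username, password, client_ip):
    """Return (ok, message). Every failure path yields the same message."""
    key = (username, client_ip)
    if throttle.is_locked(key):
        # Do not consult the directory while throttled; this is what blunts
        # online brute force, and it also avoids hammering the LDAP backend.
        return False, NEUTRAL_MESSAGE
    if verify_against_directory(username, password):
        throttle.record_success(key)
        return True, "Signed in."
    throttle.record_failure(key)
    return False, NEUTRAL_MESSAGE


if __name__ == "__main__":
    t = LoginThrottle()
    for _ in range(MAX_FAILURES):
        print(attempt_login(t, "alice", "wrong", "10.0.0.1"))
    # Correct password is now refused with the same neutral message.
    print(attempt_login(t, "alice", "correct horse battery staple", "10.0.0.1"))
```

Keying the throttle on both username and client address keeps one attacker from locking a legitimate user out from elsewhere, while still bounding guesses per account from any single source.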
Input Validation: requires a code audit; forthcoming.
CSRF: implemented and unit tested
X-Frame-Options: implemented and unit tested (see attached pull request)
Transport Security: all pages only available over SSL.
CSP: not yet implemented, adding a checkbox to investigate.
STS: not yet implemented, adding a checkbox to investigate
Logging: CEF logging implemented; the only PII ever logged to server logs is email addresses.
Uploads: not applicable.
Admin pages: there are none - not applicable.
Error messages: no stack traces or dynamic information are returned from the server.
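Several of the checklist items above (Secure and HttpOnly session cookies, X-Frame-Options, STS, CSP, and error responses that carry no stack traces) can be verified against a captured HTTP response rather than by reading code. The following audit function is an added example, not part of the reviewed project; the STS max-age threshold, the stack-trace markers, and the sample responses in the `__main__` block are constructed assumptions.

```python
import re

# Accepted X-Frame-Options values.
EXPECTED_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}
# Assumed minimum STS lifetime (180 days); tune to the deployment's policy.
MIN_STS_MAX_AGE = 15552000
# Constructed markers that indicate a stack trace leaked into a response body.
STACK_TRACE_MARKERS = ("Traceback (most recent call last)", "at java.", 'File "')


def _cookie_attrs(set_cookie):
    """Split a Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {a.split("=", 1)[0].lower() for a in parts[1:] if a}
    return name, flags


def audit_response(headers, body=""):
    """Return a list of findings; an empty list means every check passed.

    headers is a list of (name, value) pairs so repeated Set-Cookie headers survive.
    """
    findings = []
    by_name = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            by_name[name.lower()] = value

    # Session handling: every cookie must be Secure (SSL-only) and HttpOnly.
    for raw in cookies:
        cname, flags = _cookie_attrs(raw)
        if "secure" not in flags:
            findings.append(f"cookie {cname} lacks Secure")
        if "httponly" not in flags:
            findings.append(f"cookie {cname} lacks HttpOnly")

    # X-Frame-Options: present and restrictive.
    if by_name.get("x-frame-options", "").upper() not in EXPECTED_FRAME_OPTIONS:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    # STS: present with a max-age at or above the threshold.
    m = re.search(r"max-age=(\d+)", by_name.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < MIN_STS_MAX_AGE:
        findings.append("Strict-Transport-Security missing or max-age too short")

    # CSP: present at all (the policy content itself is application-specific).
    if "content-security-policy" not in by_name:
        findings.append("Content-Security-Policy missing")

    # Error messages: no stack trace leaking into the body.
    if any(marker in body for marker in STACK_TRACE_MARKERS):
        findings.append("response body contains a stack trace")

    return findings


# Constructed sample responses: one weak, one matching the checklist.
WEAK_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("X-Frame-Options", "ALLOWALL"),
]
WEAK_BODY = "Traceback (most recent call last):\n  File \"app.py\", line 1"

HARDENED_HEADERS = [
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
]
HARDENED_BODY = "<html><body>Unable to sign in.</body></html>"


if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, WEAK_BODY):
        print("weak:", finding)
    print("hardened:", audit_response(HARDENED_HEADERS, HARDENED_BODY))
```

Running this over a handful of real responses (a normal page, a 404, and a deliberately malformed request) is a cheap way to turn the checklist into a repeatable test rather than a one-off review note.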
Complete! Added a couple of checkboxes for the two items that came up and were not fixed as part of performing the code/security review.
All issues are addressed except routing CEF logging to Mozilla's SecOps team. Opening a new, distinct issue for that and closing this down.
From https://bugzilla.mozilla.org/show_bug.cgi?id=867489