WebAppSec/Secure Coding Details
Contents
Author
Michael Coates - mcoates [at] mozilla.com
Introduction
This document provides code examples and links to support the secure coding guidelines document.
Status
Layout
The layout of this document will exactly follow the layout of the secure coding guidelines with the exception that this document will have a final category in each section that is language/framework specific (e.g. php, django etc). If adding a new item to this document ensure the necessary structure is in place.
Secure Coding Details
Session Management
Secure Flag
Django
Django provides built in support for setting the SECURE flag for the session id cookie. By default Django does NOT set the flag to secure
Correct Setting:
SESSION_COOKIE_SECURE = TRUE
http://docs.djangoproject.com/en/dev/topics/http/sessions/#session-cookie-secure
Cross Domain / Unintended User Actions
Preventing CSRF
Preventing Malicious Site Framing (ClickJacking)
Django
Pull in the Mozilla commonware library[1] and add it to your middleware (example [2])
[1] https://github.com/jsocol/commonware
[2] http://github.com/jbalogh/zamboni/commit/df1d19304a385c52c8fcc888f6ffc240634eb0c5
Admin Login Pages
Word Press
Force Login and Admin Pages to be SSL
Add define('FORCE_SSL_ADMIN', true); to the wp.config file.
http://codex.wordpress.org/Administration_Over_SSL#To_Force_SSL_Logins_and_SSL_Admin_Access
Force Admin Requests on HTTP to Rewrite as HTTPS
http://codex.wordpress.org/Administration_Over_SSL#Rewrite_Rules_For_The_Insecure_Host