WebAppSec/Secure Coding Details

From MozillaWiki

Author

Michael Coates - mcoates [at] mozilla.com

Introduction

This document provides code examples and links to support the secure coding guidelines document.

Status

Layout

The layout of this document will exactly follow the layout of the secure coding guidelines with the exception that this document will have a final category in each section that is language/framework specific (e.g. php, django etc). If adding a new item to this document ensure the necessary structure is in place.

Secure Coding Details

Session Management

Secure Flag

Django

Django has built-in support for setting the Secure flag on the session ID cookie, which tells the browser to send the cookie only over HTTPS and never in clear-text HTTP requests. The setting defaults to False, so Django does NOT set the flag unless you enable it explicitly. (Once enabled, the session will not work on pages served over plain HTTP, so the whole authenticated part of the site must be on HTTPS. The CSRF cookie has its own, separate setting, CSRF_COOKIE_SECURE.)

Correct Setting:

SESSION_COOKIE_SECURE = True

http://docs.djangoproject.com/en/dev/topics/http/sessions/#session-cookie-secure
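To confirm the setting actually took effect in the deployed application, look at the Set-Cookie header the server sends after login (for example from curl -i against the login URL). The following is an added example, not code from this wiki page or from Django: a small parser for one Set-Cookie header value and a check that reports which flags are missing. The two sample headers are constructed to mirror what Django emits with the default settings and with SESSION_COOKIE_SECURE = True; the HttpOnly check is an addition beyond what this section covers, since Django sets HttpOnly on the session cookie by default and it is worth verifying at the same time.

```python
# Added example (not from the wiki page or Django): check the flags on a
# Set-Cookie header as a browser would receive it.

# Attributes a session cookie served over HTTPS should carry. "secure" is
# what SESSION_COOKIE_SECURE controls; "httponly" is Django's default and
# is checked here as well.
REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attributes are keyed by lower-cased name; valueless flags such as
    Secure and HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def missing_session_flags(header_value, required=REQUIRED_FLAGS):
    """Return the required flags that are absent from a Set-Cookie header."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in required if flag not in attrs]


# Constructed sample headers. The first matches Django's default settings
# (no Secure flag); the second is what SESSION_COOKIE_SECURE = True produces.
INSECURE = ("sessionid=abc123; expires=Wed, 01 Jan 2025 00:00:00 GMT; "
            "Max-Age=1209600; Path=/; HttpOnly")
SECURE = ("sessionid=abc123; expires=Wed, 01 Jan 2025 00:00:00 GMT; "
          "Max-Age=1209600; Path=/; Secure; HttpOnly")

if __name__ == "__main__":
    for label, hdr in (("default settings", INSECURE), ("hardened", SECURE)):
        print(label, "-> missing flags:", missing_session_flags(hdr))
```

A non-empty list from missing_session_flags means the setting is not in effect on the server you are testing (a common cause is a settings override in a local or production settings file that is loaded after the one you edited).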

Cross Domain / Unintended User Actions

Preventing CSRF

Preventing Malicious Site Framing (ClickJacking)

Django

Pull in the Mozilla commonware library [1] and add its X-Frame-Options response middleware to your middleware settings, so that every response carries the header and browsers refuse to render the site inside a frame on another origin (see the zamboni commit [2] for an example of wiring it in). Django 1.4 and later also ship an equivalent, django.middleware.clickjacking.XFrameOptionsMiddleware, configured through the X_FRAME_OPTIONS setting.

[1] https://github.com/jsocol/commonware

[2] http://github.com/jbalogh/zamboni/commit/df1d19304a385c52c8fcc888f6ffc240634eb0c5
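What such a middleware does, as an added example that is not commonware's, zamboni's or Django's code: stamp X-Frame-Options on every response unless the view set its own value or explicitly opted out. The attribute-based opt-out (no_frame_options on the response) and the allow_framing decorator are assumptions made for this example, and the Response class is a minimal stand-in for django.http.HttpResponse so the example runs without Django installed; a real HttpResponse looks headers up case-insensitively, which the dict stand-in does not.

```python
# Added example, not code from commonware, zamboni or Django.

class Response(dict):
    """Stand-in for django.http.HttpResponse: headers are dict entries.
    A view may set no_frame_options = True to opt its response out of the
    header (an assumed convention for this example)."""
    no_frame_options = False

    def __init__(self, body="", status=200):
        super().__init__()
        self.body = body
        self.status = status


class FrameOptionsHeader:
    """Response middleware that sets X-Frame-Options.

    Valid values are DENY (never render in a frame) and SAMEORIGIN (only
    frames from the same origin). DENY is the right default for a site
    that never expects to be embedded; a view that must be framed opts out.
    """
    HEADER = "X-Frame-Options"

    def __init__(self, get_response, default="DENY"):
        if default not in ("DENY", "SAMEORIGIN"):
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.get_response = get_response
        self.default = default

    def __call__(self, request):
        response = self.get_response(request)
        if getattr(response, "no_frame_options", False):
            return response           # view asked to be frameable
        if self.HEADER not in response:
            response[self.HEADER] = self.default   # keep a view-level value
        return response


def allow_framing(view):
    """Decorator marking a view's response as frameable, e.g. an embeddable
    widget. Use sparingly: each opted-out page is a clickjacking target."""
    def wrapped(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response.no_frame_options = True
        return response
    return wrapped


# Constructed views that exercise the three cases.
def login_view(request):
    return Response("<form>...</form>")           # gets DENY


@allow_framing
def widget_view(request):
    return Response("<div>embed me</div>")        # no header at all


def same_origin_view(request):
    r = Response("admin panel")
    r["X-Frame-Options"] = "SAMEORIGIN"           # view-level override survives
    return r


def header_for(view, default="DENY"):
    """Run one view through the middleware; return the header value or None."""
    return FrameOptionsHeader(view, default)(request=None).get("X-Frame-Options")


if __name__ == "__main__":
    for v in (login_view, widget_view, same_origin_view):
        print(v.__name__, "->", header_for(v))
```

In a real deployment the middleware must run for every response, including error pages and anything served by other middleware, which is why it belongs in the settings-level middleware list rather than in individual views.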

Admin Login Pages

WordPress

Force Login and Admin Pages to be SSL

Add define('FORCE_SSL_ADMIN', true); to wp-config.php. This forces both the login page and the whole administration area to HTTPS, so the admin session cookie is never sent in the clear. (Since WordPress 4.0 the separate FORCE_SSL_LOGIN constant is deprecated and FORCE_SSL_ADMIN covers both.)

http://codex.wordpress.org/Administration_Over_SSL#To_Force_SSL_Logins_and_SSL_Admin_Access

Force Admin Requests on HTTP to Rewrite as HTTPS (so a user who types the plain http:// admin URL is redirected rather than served over HTTP)

http://codex.wordpress.org/Administration_Over_SSL#Rewrite_Rules_For_The_Insecure_Host