Comments (11)
@jvehent - Do we need to add greenkeeper, or are the GitHub Security Alerts for vulnerable dependencies good enough?
from blurts-server.
The GitHub security alerts are good enough.
Semi-related, but we've been starting to use Renovate as an alternative to Greenkeeper in some projects lately, as it allows you to schedule when you want PRs [so your PR queue doesn't get flooded].
You can see a sample config in https://github.com/mozilla/watchdog-proxy/blob/master/renovate.json
Note that in the latest checklist under Security Features we've added SameSite cookies:
- Session cookies must have HttpOnly and Secure flags set and the SameSite attribute set to 'strict' or 'lax' (which allows external regular links to login).
I'd update the first comment but it doesn't look like I have the right perms :)
For info, I've added the service to the daily baseline scan and the results (for those with the relevant perms) are here: https://github.com/mozilla-services/foxsec-results/blob/master/baseline-scan/Firefox-Monitor-Summary.md
It's currently failing on a missing anti-CSRF token, which is probably an FP, but it's also missing the SameSite flag on the session cookie, which would be really good to add.
Hi @psiinon, can I get credentials to see the daily baseline scan results? Thanks!
Hi @lesleyjanenorton - you should have access to them now.
Let me know if you have any problems or questions.
Our latest baseline failures seem to be caused by the AWSELB cookie served with Secure and HttpOnly flags? @psiinon can you help us debug that or let us know if we can ignore those 2 fails?
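The checklist item quoted earlier in the thread (HttpOnly, Secure, SameSite set to strict or lax) and the baseline failures on the session and AWSELB cookies are both checks on Set-Cookie headers, so they can be verified with one small audit. The following is an added example, not code from blurts-server or from the foxsec baseline scanner; the header values, cookie names and the `auditCookie` / `auditResponseCookies` function names are constructed for illustration.

```javascript
// Added example (not blurts-server code): audit Set-Cookie headers against the
// checklist item "session cookies must have HttpOnly and Secure flags set and
// the SameSite attribute set to 'strict' or 'lax'".

// Parse one Set-Cookie header value into the cookie name and a map of its
// attributes (keys lowercased; flag attributes such as Secure map to true).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

// Return the list of checklist failures for one Set-Cookie header value.
function auditCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const failures = [];
  if (!('secure' in attributes)) failures.push('missing Secure');
  if (!('httponly' in attributes)) failures.push('missing HttpOnly');
  const sameSite =
    typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : null;
  if (sameSite === null) {
    failures.push('missing SameSite');
  } else if (sameSite !== 'strict' && sameSite !== 'lax') {
    // SameSite=None (or an unknown value) does not satisfy the checklist.
    failures.push(`SameSite=${attributes.samesite} is not strict or lax`);
  }
  return { name, failures };
}

// Audit every Set-Cookie header of a response; returns { cookieName: [failures] }.
function auditResponseCookies(headers) {
  const report = {};
  for (const h of headers) {
    const { name, failures } = auditCookie(h);
    report[name] = failures;
  }
  return report;
}

// Constructed sample headers: a hardened session cookie next to a
// load-balancer cookie set without any flags, plus a cookie with SameSite=None.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'AWSELB=0123456789ABCDEF; Path=/',
  'prefs=dark; Path=/; Secure; SameSite=None',
];

console.log(JSON.stringify(auditResponseCookies(SAMPLE_HEADERS), null, 2));
```

Running this against a real response (for example the `set-cookie` headers returned by a fetch of the login page) gives a per-cookie list of checklist failures, which is the same information the baseline scan reports, but reproducible locally before the scan runs.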
@jvehent @psiinon - I have not started the process to add firefox.monitor.com to Firefox pre-loaded HPKP pins. I'm too afraid of HPKP suicide to start or rush it now. Is it okay to do that later?
@groovecoder if you're talking about the HPKP header, we dropped the recommendation for that from the checklist https://github.com/mozilla-services/foxsec/commit/12faf78319c2cd63161a973b45333b9eefb7ba22 (the wiki might not have been up to date when this bug was created)
Also, re: updating the baseline config for AWS LB cookies, Simon is on PTO and will be back next Wednesday.
Verified with ops that we're keeping logs for 90 days. Filed #464 for adding app-specific log codes.