Security
This section of the guidelines documents some of our best practices to work securely.
Passwords
- All passwords should be stored in LastPass
- All passwords should be unique; no password may be reused across services
- Two-factor authentication (via Google Authenticator) should be enabled on every service that supports it
Applications
- All HTTP traffic should be sent over HTTPS (TLS); nothing is served over plain HTTP
- Routes performing a significant action (delete, update, ...) should use the appropriate HTTP method (DELETE, POST, PUT, not GET), so that a link, a crawler or a browser prefetch can never trigger the action
- When a route uses authentication/authorization, automated tests should be added that verify only authenticated/authorized users can use that (important) functionality and that everyone else is refused
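The two application rules above, as an added example that is not part of the original guidelines: a small WSGI app whose destructive route answers only DELETE and only for the article's owner, driven directly the way an automated test would drive it. It uses only the standard library; the route, the bearer tokens and the article owners are constructed for the example.

```python
"""Added example, not part of the original guidelines: a small WSGI app whose
destructive route answers only DELETE and only for the article's owner, driven
the way an automated test would drive it. Standard library only; the route,
tokens and article owners are constructed for the example."""
from typing import Callable, Dict, Optional, Tuple

# Constructed bearer-token store: token -> user name (hypothetical values).
TOKENS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
# Constructed article store: article id -> owner.
ARTICLES = {"42": "alice", "43": "bob"}


def current_user(environ: Dict) -> Optional[str]:
    """Resolve the caller from an 'Authorization: Bearer <token>' header."""
    scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return TOKENS.get(token.strip())


def _text(start_response: Callable, status: str, body: str = ""):
    payload = body.encode("utf-8")
    start_response(status, [("Content-Type", "text/plain; charset=utf-8"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def app(environ: Dict, start_response: Callable):
    method = environ.get("REQUEST_METHOD", "GET").upper()
    path = environ.get("PATH_INFO", "/")
    if not path.startswith("/articles/"):
        return _text(start_response, "404 Not Found", "not found")
    article_id = path[len("/articles/"):]
    if article_id not in ARTICLES:
        return _text(start_response, "404 Not Found", "no such article")
    if method == "GET":
        return _text(start_response, "200 OK", f"article {article_id}")
    if method != "DELETE":
        # A link, prefetch or crawler can issue a GET; it must never delete.
        start_response("405 Method Not Allowed", [("Allow", "GET, DELETE"),
                                                   ("Content-Length", "0")])
        return [b""]
    # Authentication first (who is calling?), then authorization (may they?).
    user = current_user(environ)
    if user is None:
        return _text(start_response, "401 Unauthorized", "login required")
    if ARTICLES[article_id] != user:
        return _text(start_response, "403 Forbidden", "not your article")
    del ARTICLES[article_id]
    start_response("204 No Content", [("Content-Length", "0")])
    return [b""]


def call(method: str, path: str, token: Optional[str] = None) -> Tuple[str, bytes]:
    """Invoke the app directly, like a test client, returning (status, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = f"Bearer {token}"
    captured: Dict[str, str] = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # The checks an automated test for this route would make, in order.
    assert call("GET", "/articles/42")[0] == "200 OK" and "42" in ARTICLES
    assert call("POST", "/articles/42")[0].startswith("405")
    assert call("DELETE", "/articles/42")[0].startswith("401")
    assert call("DELETE", "/articles/42", "tok-bob-456")[0].startswith("403")
    assert call("DELETE", "/articles/42", "tok-alice-123")[0].startswith("204")
    assert "42" not in ARTICLES
    print("all route checks passed")
```

The test half is the part worth copying into a real suite: one case per refusal (wrong verb, no credentials, someone else's credentials) plus the happy path, each asserting on both the status and the fact that the record did or did not change.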
Database
- All stored passwords should be hashed with a salted, deliberately slow password hashing function (bcrypt, scrypt or Argon2), never stored in plain text or with a fast general-purpose hash such as MD5 or SHA-256
- All API keys should be stored in the .env file, which is never committed to version control
- The database should only be accessible from whitelisted hosts (the web/app server)
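Password hashing as described in the first rule above, as an added example that is not part of the original guidelines. It uses scrypt from Python's standard library; the `scrypt$N$r$p$salt$digest` record layout is this example's own choice, made so the work factors are stored with each hash and can be raised later without breaking existing logins.

```python
"""Added example, not part of the original guidelines: storing and checking
passwords with a salted, deliberately slow hash (scrypt from the standard
library). The 'scrypt$N$r$p$salt$digest' record format is this example's own
choice, so that the work factors travel with the hash and can be raised later."""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Current work factors. Raise SCRYPT_N over time; needs_rehash() picks up the change.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DIGEST_LEN = 32
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record to store in the users table.
    Never store the password itself, or a fast md5/sha256 of it."""
    # A fresh random salt per user: equal passwords still get different records.
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)
    fields = ["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
              base64.b64encode(salt).decode("ascii"),
              base64.b64encode(digest).decode("ascii")]
    return "$".join(fields)


def _parse(record: str) -> Tuple[int, int, int, bytes, bytes]:
    """Split a record into (n, r, p, salt, digest); raises ValueError when malformed."""
    algo, n, r, p, salt_b64, digest_b64 = record.split("$")
    if algo != "scrypt":
        raise ValueError("unknown algorithm")
    return int(n), int(r), int(p), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, record: str) -> bool:
    """True only if the password matches; malformed records never verify."""
    try:
        n, r, p, salt, expected = _parse(record)
        # Parameters come from the stored record, so an old hash still verifies
        # after SCRYPT_N has been raised. scrypt raises ValueError on absurd
        # parameters, which also stops a tampered record from exhausting memory.
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # Constant-time comparison: a plain == returns early and leaks how long a prefix matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record used weaker parameters than the current ones. Call it
    right after a successful login, while the plaintext is still available."""
    try:
        n, r, p, _, _ = _parse(record)
    except (ValueError, TypeError):
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
```

In a framework this is what the built-in hasher does for you (Laravel's `Hash::make` / `Hash::check` and `Hash::needsRehash` follow the same pattern with bcrypt); the example is here to show the pieces that matter when you check such code: random per-user salt, slow hash, parameters stored with the hash, and a constant-time comparison.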
Servers
- Should use SSH with private key authentication; password authentication is disabled
- The unattended-upgrades package should be installed and enabled for security updates
- Firewall should be configured to only allow relevant traffic (generally ports 22 and 443)
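A check for the first server rule above, as an added example that is not part of the original guidelines. Two things bite in practice when "disabling password authentication": sshd uses the first value it reads for each keyword, so a `PasswordAuthentication no` appended to a file that already says `yes` changes nothing; and password prompts can come back through keyboard-interactive (PAM) authentication, which is a separate switch. The script parses an sshd_config with those rules and reports violations; the two sample configs are constructed for the example.

```python
"""Added example, not part of the original guidelines: a check that an
sshd_config really turns password logins off. sshd keeps the FIRST value it
reads for each keyword, and keyboard-interactive (PAM) authentication can still
prompt for a password, so both have to be checked. Sample configs are constructed."""
import re
from typing import Dict, List, Tuple

# Value sshd assumes when the keyword is absent (OpenSSH sshd_config(5) defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}
# Values we accept for each keyword.
ALLOWED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "kbdinteractiveauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}
DISPLAY = {
    "passwordauthentication": "PasswordAuthentication",
    "pubkeyauthentication": "PubkeyAuthentication",
    "kbdinteractiveauthentication": "KbdInteractiveAuthentication",
    "permitemptypasswords": "PermitEmptyPasswords",
    "permitrootlogin": "PermitRootLogin",
}
# OpenSSH 8.7 renamed ChallengeResponseAuthentication; older configs use the old name.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# 'Keyword value' or 'Keyword=value'; keywords are case-insensitive.
_LINE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global setting per keyword: first occurrence wins, as in sshd.
    Parsing stops at the first Match block, because everything after it is
    conditional and does not change the global value."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break
        effective.setdefault(key, value)   # keep the first value, ignore later ones
    return effective


def audit_sshd_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, effective value, accepted values) for every violation."""
    effective = parse_sshd_config(text)
    findings = []
    for key, allowed in ALLOWED.items():
        actual = effective.get(key, DEFAULTS[key])
        if actual not in allowed:
            findings.append((DISPLAY[key], actual, "/".join(sorted(allowed))))
    return findings


# Constructed sample: looks hardened at a glance but still accepts passwords.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
# Added later in the hope of fixing things. sshd ignores it: first value wins.
PasswordAuthentication no
"""

# Constructed sample that passes.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

To run it against a real host, feed it the contents of `/etc/ssh/sshd_config`. The parser does not follow `Include` directives or descend into `Match` blocks, so confirm the result with `sshd -T`, which prints the effective configuration sshd itself would use, and keep a working key-based session open while you change anything.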
Misc
- All developers using macOS should have FileVault enabled
- Do not use publicly searchable services like Pastebin or gist to share sensitive code or data
- Do not use any browser extensions that can track typed keys, passwords or browser history