Mozilla’s Secure Coding Guidelines for Web Applications

Mozilla recently released their guidelines for coding secure web applications. The guidelines include areas such as:

  • Authentication, which includes:
    • Password complexity (must be 8 characters or longer with letters and numbers)
    • Password rotation (90-120 days for privileged accounts)
    • Password storage (stored passwords should be salted using the hmac+bcrypt function)
  • Session management
    • Session tokens (should be 128 bit or greater)
  • Access Control guidelines
  • Input validation
  • Output Encoding
  • Cross Domain
  • Secure Transmission
  • Content Security Policy
  • Logging
  • Admin Login Pages
  • Uploads
  • Error Handling
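
As an added illustration (not code from Mozilla's guidelines or from this post), the password storage and session token items above in Python: the password is first HMAC'd under a server-side secret, then run through a slow, per-user-salted hash, and a session token carries 128 random bits. Python's standard library has no bcrypt, so hashlib.scrypt stands in for it here; SERVER_SECRET, the scrypt parameters and the stored record format are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the HMAC step; in a real deployment it
# lives outside the database (config store / HSM), never in the same dump.
SERVER_SECRET = secrets.token_bytes(32)

# The guideline pairs HMAC with bcrypt. The standard library has no bcrypt,
# so hashlib.scrypt stands in as the slow, salted password hash (assumed params).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _prehash(password: str, secret: bytes) -> bytes:
    """Step 1: HMAC-SHA256 the password under a server-side secret.

    A stolen database alone is then not enough for an offline guessing
    attack: the secret never touches the database.
    """
    return hmac.new(secret, password.encode("utf-8"), hashlib.sha256).digest()


def _slow_hash(prehashed: bytes, salt: bytes) -> bytes:
    """Step 2: slow, per-user-salted hash (bcrypt in the guideline; scrypt here)."""
    return hashlib.scrypt(prehashed, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str, secret: bytes = SERVER_SECRET) -> str:
    """Return a storable record in the assumed form 'scrypt$<salt hex>$<hash hex>'."""
    salt = secrets.token_bytes(16)  # fresh random salt for every stored password
    digest = _slow_hash(_prehash(password, secret), salt)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the hash for the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    candidate = _slow_hash(_prehash(password, secret), bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def new_session_token() -> str:
    """Session token of 128 random bits (the guideline's minimum), hex-encoded."""
    return secrets.token_hex(16)
```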

Source for more detail: