||1 year ago|
|.gitignore||5 years ago|
|CODE_OF_CONDUCT.md||5 years ago|
|CONTRIBUTING.md||1 year ago|
|LICENSE||5 years ago|
|README.md||1 year ago|
|README.md.orig||1 year ago|
|README.md.rej||1 year ago|
Web Security Checklist (draft)
Please fork this repo and use as your own checklist as you develop/deploy your web application or api.
If you have hub installed:
$ git clone prologic/web-security-checklist $ git fork
$ git clone https://git.mills.io/prologic/web-security-checklist
WARNING: This checklist makes an assumption of the level of expertise and experience of the reader and assumes significant in-depth knowledge and experience in web development.
Checklist for Backend<->Frontend Web Application(s)
- Transport Security -- Protect the transport from sniffing
- Redirect al HTTP requests to HTTPS
- Use a trusted Certificate Authority such as LetsEncrypt
- Two Factor Auth -- Helps protect against stolen user credentials
- Expire tokens periodically -- Helps prevent stolen OTP/U2F devices
- Session Cookies
- Regenerate Session IDs -- Helps thwart session hijacking/replay
- Store session state server-side -- Riskier storing state client-side
HttpOnly-- Helps mitigate successful Cross-Site Scripting attacks
Secure-- Helps mitigate against Man-In-The-Middle attacks
- Secure IDs -- Helps thwart brute-force guesses of valid session ids
- Cryptographic randomly generate UUIDs
- Password Store -- Makes offline brute-force attacks much harder or impossible
- Use a strong KDFS such as bcrypt or scrypt.
- Unique cryptographically secure 32bit (ideally 64bit) salt per password.
- Do not restrict length and character set or encoding.
- Impose minimum length and complexity.
- XSS (Cross Site Scripting)
- Validate all untrusted inputs.
- Escape all untrusted inputs.
- CSRF (Cross Site Request Forgery)
- Same Origin verification
- CSRF Token verification
Checklist for Backend<->Client Web API(s)
- TLS/SSL -- Protect the transport from sniffing.
Recommended / Vetted libraries solving particular parts of security well. (Please contribute only libraries to this section; It is much harder to vet frameworks.)
This project is licensed under the MIT License. See: LICENSE
Please fork and submit pull-request(s) to contribute to this checklist, recommended libraries for your favourite language or external resources. See also CONTRIBUTING.md