A community-driven curated web security checklist for the paranoid and impatient web developer.

Web Security Checklist (draft)

Instructions

Please fork this repo and use it as your own checklist as you develop and deploy your web application or API.

If you have hub installed:

```sh
$ git clone prologic/web-security-checklist
$ git fork
```

Or:

```sh
$ git clone https://git.mills.io/prologic/web-security-checklist
```

WARNING: This checklist makes assumptions about the expertise and experience of the reader; it assumes significant in-depth knowledge of, and experience with, web development.

App

Checklist for Backend<->Frontend Web Application(s)

  • Transport Security -- Protect the transport from sniffing and tampering
    • TLS (1.2 or later; SSL and early TLS versions are broken and should be disabled)
    • Redirect all HTTP requests to HTTPS
    • Send a Strict-Transport-Security (HSTS) header so browsers stop trying HTTP at all
    • Use a trusted Certificate Authority such as Let's Encrypt
  • Two Factor Auth -- Helps protect against stolen user credentials
    • Expire issued tokens and "remember this device" grants periodically -- Limits what a stolen OTP or U2F device is good for
  • Session Cookies
    • Regenerate Session IDs on login and on privilege change -- Helps thwart session fixation, hijacking and replay
    • Store session state server-side -- State kept client-side can be read and tampered with unless it is signed and encrypted
    • Set HttpOnly -- Keeps the cookie out of reach of script, limiting the damage of a successful Cross-Site Scripting attack
    • Set Secure -- Stops the cookie being sent over plain HTTP, where a Man-In-The-Middle could read it
    • Set SameSite (Lax or Strict) -- Keeps the cookie off cross-site requests, a second line of defence against CSRF
  • Secure IDs -- Helps thwart brute-force guesses of valid session ids
    • Generate IDs from a cryptographically secure random source with at least 128 bits of entropy (a random UUID v4 qualifies; a time-based UUID v1 does not)
  • Password Store -- Makes offline brute-force attacks much harder or impossible
    • Use a strong, deliberately slow password KDF such as bcrypt, scrypt or Argon2, with the work factor tuned for your hardware.
    • Unique cryptographically random salt per password, at least 128 bits (16 bytes); bcrypt, scrypt and Argon2 libraries generate and store this for you.
    • Do not restrict length, character set or encoding (but note that bcrypt only uses the first 72 bytes of the password).
    • Impose a minimum length and complexity.
    • Compare hashes in constant time.
  • XSS (Cross Site Scripting)
    • Validate all untrusted inputs.
    • Encode all untrusted data on output, for the exact context it is rendered in (HTML body, attribute, JavaScript, URL); escaping alone does not make a javascript: URL safe in an href.
    • Set a Content-Security-Policy to limit the damage when an encoding is missed.
  • CSRF (Cross Site Request Forgery)
    • Same Origin verification -- Check the Origin (or Referer) header on every state-changing request
    • CSRF Token verification -- Unpredictable per-session token, compared in constant time
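The Session Cookies, Secure IDs and CSRF items above, as one added example (not code from this project): a server-side session store with CSPRNG-generated IDs, ID regeneration, idle expiry, a Set-Cookie builder with HttpOnly/Secure/SameSite, and the two CSRF checks. Names such as `SessionStore`, `session_cookie_header`, `origin_ok` and `csrf_ok` are illustrative assumptions, and only the standard library is used.

```python
# Added example, not code from the web-security-checklist project: a minimal
# server-side session store plus CSRF checks, standard library only.
# SessionStore, session_cookie_header, origin_ok and csrf_ok are assumed names.
import hmac
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

SESSION_COOKIE = "sid"
SESSION_TTL = 30 * 60  # idle timeout in seconds


class SessionStore:
    """All session state lives server-side; the client only holds an opaque ID."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def create(self, data=None):
        # 32 bytes from the OS CSPRNG (256 bits): not guessable by brute force.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "data": dict(data or {}),
            "csrf": secrets.token_urlsafe(32),  # per-session CSRF token
            "last_seen": self._now(),
        }
        return sid

    def get(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]  # idle too long: drop it
            return None
        entry["last_seen"] = self._now()
        return entry

    def regenerate(self, old_sid):
        """Issue a fresh ID (e.g. right after login) and invalidate the old one,
        so an ID fixed or captured before authentication is worthless."""
        entry = self._sessions.pop(old_sid, None)
        if entry is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        entry["csrf"] = secrets.token_urlsafe(32)
        entry["last_seen"] = self._now()
        self._sessions[new_sid] = entry
        return new_sid

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Build the Set-Cookie value with the flags the checklist asks for."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = sid
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True   # not readable by script after an XSS
    morsel["secure"] = True     # never sent over plain HTTP
    morsel["samesite"] = "Lax"  # not attached to cross-site POSTs
    morsel["path"] = "/"
    return morsel.OutputString()


def origin_ok(headers, expected_host):
    """Same-origin check for state-changing requests: Origin (or, failing that,
    Referer) must name our own host. A missing header is treated as a failure,
    since browsers attach Origin to cross-site POSTs."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    return urlsplit(origin).netloc == expected_host


def csrf_ok(store, sid, submitted_token):
    """Compare the token from the form/header with the one bound to the session,
    in constant time so nothing leaks through timing."""
    entry = store.get(sid)
    if entry is None or not submitted_token:
        return False
    return hmac.compare_digest(entry["csrf"], submitted_token)
```

On a state-changing request the handler would run `origin_ok` first and reject on failure, then `csrf_ok`; the token itself is handed to the client in the rendered form or a response header, never in a cookie alone.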
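The Password Store items above, as an added example (not this project's code): scrypt from the standard library with a unique 128-bit salt per password, no character-set or encoding restrictions, a generous byte cap so the KDF cannot be used for denial of service, constant-time verification, and a parameter-upgrade check. The self-describing record format `scrypt$n$r$p$salt$hash` and the function names are assumptions made for the example.

```python
# Added example, not the project's code: password hashing with hashlib.scrypt.
# The "scrypt$n$r$p$salt$hash" record format is an assumption chosen so that
# parameters can be raised later while old records still verify.
import base64
import hashlib
import hmac
import os

SALT_BYTES = 16            # 128-bit salt, unique per password
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # tune N upward for your hardware
MAX_PASSWORD_BYTES = 1024  # only to keep the KDF from becoming a DoS vector


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Return a self-describing record. The password is used as UTF-8 bytes
    with no character-set restriction; only an empty or absurdly long one is refused."""
    pw = password.encode("utf-8")
    if not pw or len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password is empty or too long")
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=32)
    return "$".join(["scrypt", str(n), str(r), str(p), _b64(salt), _b64(digest)])


def verify_password(password, record):
    """Recompute with the parameters stored in the record and compare in
    constant time. Any malformed record counts as a mismatch, never an exception."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        pw = password.encode("utf-8")
        if not pw or len(pw) > MAX_PASSWORD_BYTES:
            return False
        actual = hashlib.scrypt(pw, salt=salt, n=int(n), r=int(r), p=int(p),
                                dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """True when a record was made with weaker parameters than current policy,
    so it can be upgraded transparently at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return (int(parts[1]), int(parts[2]), int(parts[3])) < (n, r, p)


def meets_policy(password, min_length=12):
    """Minimum length plus a modest complexity rule: at least two character
    classes. Length is what actually buys entropy, so it comes first."""
    if len(password) < min_length:
        return False
    classes = {
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    }
    return sum(1 for present in classes if present) >= 2
```

With N = 2^14 and r = 8 each verification costs about 16 MiB of memory and tens of milliseconds; raise N as hardware improves and let `needs_rehash` migrate stored records on login.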
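The XSS item above, as an added example (not this project's code): one encoder per output context, plus a scheme check for URLs placed in `href`, where attribute escaping alone still lets `javascript:` through. The encoder names and the `render_comment` template are assumptions made for the example.

```python
# Added example, not the project's code: context-aware output encoding for the
# four places untrusted data usually lands. Function names are assumed.
import html
import json
from urllib.parse import quote, urlsplit


def for_html(value):
    """HTML body text and quoted attribute values: escape & < > " and '."""
    return html.escape(str(value), quote=True)


def for_js(value):
    """Inside a <script> block: JSON-encode, then also escape the characters that
    could close the script element or be parsed as raw HTML."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def for_url_param(value):
    """Query-string component: percent-encode everything outside the unreserved set."""
    return quote(str(value), safe="")


def safe_href(url):
    """Attribute escaping is not enough for href/src: 'javascript:alert(1)' is
    valid HTML. Allow only http(s) or a same-site path, then escape for the attribute."""
    url = url.strip()
    if url.startswith("/") and not url.startswith("//"):
        return for_html(url)
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"
    return for_html(url)


def render_comment(author, body, website, search):
    """Constructed template: every interpolation uses the encoder for its context."""
    return (
        '<div class="comment" data-author="{a}">'
        '<a href="{w}">{a}</a>: {b} '
        '<a href="/search?q={q}">similar</a>'
        '<script>var author = {j};</script>'
        '</div>'
    ).format(a=for_html(author), b=for_html(body), w=safe_href(website),
             q=for_url_param(search), j=for_js(author))
```

In a real application the template engine does this for the HTML context automatically; the cases that still bite are JavaScript blocks, URL parameters and `href` values built by hand.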

API

Checklist for Backend<->Client Web API(s)

  • TLS/SSL -- Protect the transport from sniffing.

Libraries

Recommended / vetted libraries that solve particular parts of security well. (Please contribute only libraries to this section; frameworks are much harder to vet.)

Python

Java

Go

Resources

License

This project is licensed under the MIT License. See: LICENSE

Contributing

Please fork and submit pull requests to contribute to this checklist, to recommend libraries for your favourite language, or to add external resources. See also CONTRIBUTING.md