A community-driven curated web security checklist for the paranoid and impatient web developer.


Web Security Checklist (draft)


Please fork this repo and use it as your own checklist as you develop and deploy your web application or API.

If you have hub installed:

$ git clone prologic/web-security-checklist
$ git fork

Otherwise, clone directly:

$ git clone https://git.mills.io/prologic/web-security-checklist

WARNING: This checklist assumes a certain level of expertise and experience on the part of the reader, including significant in-depth knowledge of and experience in web development.


Checklist for Backend<->Frontend Web Application(s)

  • Transport Security -- Protect the transport from sniffing
    • TLS/SSL
    • Redirect all HTTP requests to HTTPS
    • Use a trusted Certificate Authority such as Let's Encrypt
  • Two Factor Auth -- Helps protect against stolen user credentials
    • Expire tokens periodically -- Limits the damage from stolen OTP/U2F devices
  • Session Cookies
    • Regenerate Session IDs -- Helps thwart session hijacking/replay
    • Store session state server-side -- Storing state client-side is riskier
    • Set HttpOnly -- Helps mitigate successful Cross-Site Scripting attacks
    • Set Secure -- Helps mitigate Man-in-the-Middle attacks
  • Secure IDs -- Helps thwart brute-force guesses of valid session ids
    • Generate IDs (e.g. UUIDs) from a cryptographically secure random source
  • Password Store -- Makes offline brute-force attacks much harder or impossible
    • Use a strong KDF such as bcrypt or scrypt.
    • Use a unique, cryptographically secure 32-bit (ideally 64-bit) salt per password.
    • Do not restrict length and character set or encoding.
    • Impose minimum length and complexity.
  • XSS (Cross Site Scripting)
    • Validate all untrusted inputs.
    • Escape all untrusted inputs.
  • CSRF (Cross Site Request Forgery)
    • Same Origin verification
    • CSRF Token verification
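As an added illustration (not part of the original checklist) of the Session Cookies, Secure IDs and CSRF items above, the following Python sketch shows a server-side session store that generates IDs from a cryptographically secure source, regenerates the ID on login, binds a CSRF token to the session and emits the cookie with HttpOnly and Secure set. The store, class and function names are hypothetical; any real framework will have its own equivalents.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    """Server-side session state; the client only ever holds the opaque ID."""
    user: Optional[str] = None
    # CSRF token bound to this session, generated from a CSPRNG.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """Hypothetical in-memory store keyed by cryptographically random IDs."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        # secrets (not random) so IDs cannot be predicted or brute-forced.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, old_sid: str, user: str) -> str:
        # Regenerate the ID on login: the pre-login ID is dropped, so a
        # fixated or replayed old ID no longer maps to the user's session.
        self._sessions.pop(old_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = Session(user=user)
        return new_sid

    def check_csrf(self, sid: str, submitted: str) -> bool:
        # Compare in constant time against the token bound to this session.
        sess = self._sessions.get(sid)
        return sess is not None and hmac.compare_digest(sess.csrf_token, submitted)


def set_cookie_header(sid: str) -> str:
    # HttpOnly keeps script away from the cookie (XSS); Secure keeps it off
    # plain HTTP (MITM); SameSite adds defence in depth against CSRF.
    return f"Set-Cookie: sid={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
```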


Checklist for Backend<->Client Web API(s)

  • TLS/SSL -- Protect the transport from sniffing.


Recommended / vetted libraries that solve particular parts of security well. (Please contribute only libraries to this section; it is much harder to vet frameworks.)






This project is licensed under the MIT License. See: LICENSE


Please fork and submit pull request(s) to contribute to this checklist, to recommend libraries for your favourite language, or to add external resources. See also CONTRIBUTING.md