Difference between revisions of "Security Code Review Cheat Sheet"
Both revisions are marked as minor edits (m); the later one is tagged (→Authentication). Starting at line 1, the two revisions are identical except that the later revision inserts the following lines between "= Authentication=" and "= Session Management =" (the earlier revision has nothing there):

+ == Password Complexity ==
+ == Password Rotation
+ == Account Lockout and Failed Login ==
+ == Password Reset Functions ==
+ == Email Change and Verification Functions ==
+ == Password Storage ==
+ === Old Password Hashes ===
+ === Migration ===
Revision as of 04:42, 7 November 2011
= Authentication =
== Password Complexity ==
== Password Rotation ==
== Account Lockout and Failed Login ==
== Password Reset Functions ==
== Email Change and Verification Functions ==
== Password Storage ==
=== Old Password Hashes ===
=== Migration ===
= Session Management =
== Session ID Length ==
== Session ID Creation ==
== Inactivity Time Out ==
== Secure Flag ==
== HTTP-Only Flag ==
== Logout ==
= Access Control =
== Presentation Layer ==
== Business Layer ==
== Data Layer ==
= Input Validation =
== Goal of Input Validation ==
== JavaScript vs Server Side Validation ==
== Positive Approach ==
== Robust Use of Input Validation ==
== Validating Rich User Content ==
== File Upload ==
= Output Encoding =
== Preventing XSS and Content Security Policy ==
== Preventing SQL Injection ==
== Preventing OS Injection ==
== Preventing XML Injection ==
= Cross Domain Request Forgery =
== Preventing CSRF ==
== Preventing Malicious Site Framing (ClickJacking) ==
== 3rd Party Scripts ==
== Connecting with Twitter, Facebook, etc ==
= Secure Transmission =
== When To Use SSL/TLS ==
== Don't Allow HTTP Access to Secure Pages ==
== Implement STS ==