Difference between revisions of "Security Code Review Cheat Sheet"
Edit summaries: m (→Authentication); m (→Session Management)

Line 10 (previous revision) / Line 10 (this revision):
  = Session Management =
+ == Session ID Length ==
+ == Session ID Creation ==
+ == Inactivity Time Out ==
+ == Secure Flag ==
+ == HTTP-Only Flag ==
+ == Logout ==
  = Access Control =
Revision as of 04:42, 7 November 2011
= Authentication =
== Password Complexity ==
== Password Rotation ==
== Account Lockout and Failed Login ==
== Password Reset Functions ==
== Email Change and Verification Functions ==
== Password Storage ==
== Old Password Hashes ==
== Migration ==

= Session Management =
== Session ID Length ==
== Session ID Creation ==
== Inactivity Time Out ==
== Secure Flag ==
== HTTP-Only Flag ==
== Logout ==

= Access Control =
== Presentation Layer ==
== Business Layer ==
== Data Layer ==

= Input Validation =
== Goal of Input Validation ==
== JavaScript vs Server Side Validation ==
== Positive Approach ==
== Robust Use of Input Validation ==
== Validating Rich User Content ==
== File Upload ==

= Output Encoding =
== Preventing XSS and Content Security Policy ==
== Preventing SQL Injection ==
== Preventing OS Injection ==
== Preventing XML Injection ==

= Cross Domain Request Forgery =
== Preventing CSRF ==
== Preventing Malicious Site Framing (ClickJacking) ==
== 3rd Party Scripts ==
== Connecting with Twitter, Facebook, etc ==

= Secure Transmission =
== When To Use SSL/TLS ==
== Don't Allow HTTP Access to Secure Pages ==
== Implement STS ==