This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.

Difference between revisions of "Security Code Review Cheat Sheet"

From OWASP
m (Session Management)
m
Line 18: Line 18:
  
 
= Access Control =
 
= Access Control =
        == Presentation Layer ==
+
== Presentation Layer ==
        == Business Layer ==
+
== Business Layer ==
        == Data Layer ==
+
== Data Layer ==
  
 
= Input Validation =
 
= Input Validation =
        == Goal of Input Validation ==
+
== Goal of Input Validation ==
        == JavaScript vs Server Side Validation ==
+
== JavaScript vs Server Side Validation ==
        == Positive Approach ==
+
== Positive Approach ==
        == Robust Use of Input Validation ==
+
== Robust Use of Input Validation ==
        == Validating Rich User Content ==
+
== Validating Rich User Content ==
        == File Upload ==
+
== File Upload ==
  
 
= Output Encoding =
 
= Output Encoding =
        == Preventing XSS and Content Security Policy ==
+
== Preventing XSS and Content Security Policy ==
        == Preventing SQL Injection ==
+
== Preventing SQL Injection ==
        == Preventing OS Injection ==
+
== Preventing OS Injection ==
        == Preventing XML Injection ==
+
== Preventing XML Injection ==
  
 
= Cross Domain Request Forgery =
 
= Cross Domain Request Forgery =
        == Preventing CSRF ==
+
== Preventing CSRF ==
        == Preventing Malicious Site Framing (ClickJacking) ==
+
== Preventing Malicious Site Framing (ClickJacking) ==
        == 3rd Party Scripts ==
+
== 3rd Party Scripts ==
        == Connecting with Twitter, Facebook, etc ==
+
== Connecting with Twitter, Facebook, etc ==
  
 
= Secure Transmission =
 
= Secure Transmission =
        == When To Use SSL/TLS ==
+
== When To Use SSL/TLS ==
        == Don't Allow HTTP Access to Secure Pages ==
+
== Don't Allow HTTP Access to Secure Pages ==
        == Implement STS ==
+
== Implement STS ==
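Review bot: the only change in this hunk is stripping the leading spaces from the `== ... ==` subheadings (Presentation Layer, Business Layer, Data Layer, and every subheading down to Implement STS); in MediaWiki markup a line that starts with a space is rendered as a preformatted block, so the indented subheadings would have shown up as literal `== ... ==` text instead of headings, and the fix is correct. The `= ... =` section headings were already flush-left, so nothing else needed to move, and the minor-edit flag (m) in the summary fits a whitespace-only change.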

Revision as of 04:43, 7 November 2011

Authentication

Password Complexity

Password Rotation

Account Lockout and Failed Login

Password Reset Functions

Email Change and Verification Functions

Password Storage

Old Password Hashes

Migration

Session Management

Session ID Length

Session ID Creation

Inactivity Time Out

Secure Flag

HTTP-Only Flag

Logout

Access Control

Presentation Layer

Business Layer

Data Layer

Input Validation

Goal of Input Validation

JavaScript vs Server Side Validation

Positive Approach

Robust Use of Input Validation

Validating Rich User Content

File Upload

Output Encoding

Preventing XSS and Content Security Policy

Preventing SQL Injection

Preventing OS Injection

Preventing XML Injection

Cross Domain Request Forgery

Preventing CSRF

Preventing Malicious Site Framing (ClickJacking)

3rd Party Scripts

Connecting with Twitter, Facebook, etc

Secure Transmission

When To Use SSL/TLS

Don't Allow HTTP Access to Secure Pages

Implement STS