Difference between revisions of "Projects/OWASP Framework Matrix"
From OWASP
| (2 intermediate revisions by the same user not shown) | |||
| Line 9: | Line 9: | ||
| align="center" style="background:#f0f0f0;"|'''Under Development?''' | | align="center" style="background:#f0f0f0;"|'''Under Development?''' | ||
| align="center" style="background:#f0f0f0;"|'''Contact Point''' | | align="center" style="background:#f0f0f0;"|'''Contact Point''' | ||
| + | |- | ||
| + | | || Automatic escaping in templates || || || || || | ||
| + | |- | ||
| + | | || Prepared statements (including ORM) || || || || || | ||
|- | |- | ||
| Django||x-frame-options||Present||No||[https://docs.djangoproject.com/en/dev/ref/clickjacking/#setting-x-frame-options-for-all-responses link]||n/a||n/a | | Django||x-frame-options||Present||No||[https://docs.djangoproject.com/en/dev/ref/clickjacking/#setting-x-frame-options-for-all-responses link]||n/a||n/a | ||
| Line 15: | Line 19: | ||
|- | |- | ||
| Django||HTTPOnly Cookie Flag||?||?||[# link]||?||? | | Django||HTTPOnly Cookie Flag||?||?||[# link]||?||? | ||
| + | |- | ||
| + | | Rails||Automatic CSRF protection||Present||Yes||[http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf link]||n/a||n/a | ||
| + | |- | ||
| + | | || Offsite redirect detection/prevention || || || || || | ||
| + | |- | ||
| + | | || javascript: URIs in links || || || || || | ||
| + | |- | ||
| + | | || Error suppression in production environments || || || || || | ||
| + | |- | ||
| + | | || Mask sensitive data in logs || || || || || | ||
| + | |- | ||
| + | | || Encryption abstractions || || || || || | ||
| + | |- | ||
| + | | || Strict transport security || || || || || | ||
| + | |- | ||
| + | | || Content security policy || || || || || | ||
|} | |} | ||
Latest revision as of 17:09, 15 September 2013
Note: This page is a template part of the OWASP Framework Security Project. Edit this page here
| Framework | Security Control | Present / Not Present | Enabled By Default | Link to more info | Under Development? | Contact Point |
| Automatic escaping in templates | ||||||
| Prepared statements (including ORM) | ||||||
| Django | x-frame-options | Present | No | link | n/a | n/a |
| Django | SECURE Cookie Flag | Present | No | link | n/a | n/a |
| Django | HTTPOnly Cookie Flag | ? | ? | [# link] | ? | ? |
| Rails | Automatic CSRF protection | Present | Yes | link | n/a | n/a |
| Offsite redirect detection/prevention | ||||||
| javascript: URIs in links | ||||||
| Error suppression in production environments | ||||||
| Mask sensitive data in logs | ||||||
| Encryption abstractions | ||||||
| Strict transport security | ||||||
| Content security policy |
