Difference between revisions of "Transport Layer Protection Cheat Sheet"
From OWASP
Edit summary: (→Rules for Transport Layer Protection); minor edit (m)

Changes between the two revisions (lines with "-" were removed, lines with "+" were added, unmarked lines are unchanged context):

Line 1 (old) / Line 1 (new):
- Page is under
+ Page is under construction - [email protected]<br>
  = Introduction =
+
+ == Architectural Decision ==
+
+ = Rules for VPN<br> =
+
+
+ = Rules for SSL/TLS<br> =
  == Benefits ==

Line 10 (old) / Line 17 (new):
  *End Point Authentication
- =
-
-
-
+ == SSL vs TLS ==
  == Secure Server Design <br> ==
Revision as of 22:01, 7 October 2009
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for VPN
- 3 Rules for SSL/TLS
  - 3.1 Benefits
  - 3.2 SSL vs TLS
  - 3.3 Secure Server Design
    - 3.3.1 Rule - Use SSL for All Login Pages and All Authenticated Pages
    - 3.3.2 Rule - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
    - 3.3.3 Rule - Do Not Provide Non-SSL Pages for Secure Content
    - 3.3.4 Rule - Do Not Perform Redirects from Non-SSL Page to SSL Login Page
    - 3.3.5 Rule - Do Not Mix SSL and Non-SSL Content
    - 3.3.6 Rule - Use "Secure" Cookie Flag
  - 3.4 Server Certificate & Protocol Configuration
    - 3.4.1 Rule - Use an Appropriate Certificate Authority for the Application's User Base
    - 3.4.2 Rule - Only Support Strong Cryptographic Algorithms
    - 3.4.3 Rule - Only Support Strong Protocols
    - 3.4.4 Rule - Establish a Strong Private Key for the Server
    - 3.4.5 Rule - Use a Certificate That Supports All Available Domain Names
  - 3.5 Client Configuration
  - 3.6 Additional Controls
Introduction
Architectural Decision
Rules for VPN
Rules for SSL/TLS
Benefits
- Confidentiality
- Integrity
- Replay Protection
- End Point Authentication