Difference between revisions of "User talk:Mohammed ALDOUB"
Line 37:
(Unchanged context present in both revisions:)
1- [https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet Cryptographic Storage Cheat Sheet]
2- [https://www.owasp.org/index.php/Authentication_Cheat_Sheet Authentication Cheat Sheet]
3- [https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet Transport Layer Protection Cheat Sheet]
4- [https://www.owasp.org/index.php/Guide_to_Cryptography Guide to Cryptography]
5- [https://www.owasp.org/index.php/Testing_for_SSL-TLS_%28OWASP-CM-001%29 Testing for TLS/SSL]
(Lines added in the newer revision:)
+ == Support HTTP Strict Transport Security ==
+ HTTP Strict Transport Security (HSTS) is an HTTP header set by the server indicating to the user agent that only secure (HTTPS) connections are accepted, prompting the user agent to change all insecure HTTP links to secure HTTPS ones, and also forcing the compliant user agent to fail-safe by refusing any TLS/SSL connection that is not trusted by the user.
+ HSTS has average support on popular user agent, such as Mozilla Firefox and Google Chrome. Nevertheless, it remains very useful for users who are in consistent fear of spying and [https://www.owasp.org/index.php/Man-in-the-middle_attack Man in the Middle Attacks].
+ For more details regarding HSTS, please visit:
+ 1- [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HTTP Strict Transport Security in Wikipedia]
+ 2- [https://tools.ietf.org/html/draft-ietf-websec-strict-transport-sec-11 IETF Draft for HSTS]
Revision as of 21:13, 7 August 2012
Welcome to OWASP! We hope you will contribute much and well. You will probably want to read the help pages. Again, welcome and have fun! KateHartmann 11:26, 31 May 2012 (UTC)
Testing
Hello, I'm testing. If you see this, please say Hello World
User Legal and Political Protection Cheat Sheet
Introduction
The political and legal impact of online activities has been rising significantly over the years, with users now able to take down entire governments and change legislation using online services and social networking. This fact puts into focus the grave danger users are exposed to by using these online services, especially in oppressive regions around the world.
This OWASP Cheat Sheet introduces risks and mitigations that web developers need to understand in order to protect their users from a vast array of potential aggressors, including oppressive governments and organized crime rings around the world.
Scope of Threats
An array of potential threats surrounds online users, and this cheat sheet focuses on the political and legal threats that users might face by using online services, especially social networking and communication platforms. The various reports of imprisonment and even execution of users in some parts of the world, simply for using online services, must be taken seriously by web developers.
Guidelines
1- Strong Cryptography:
Any online platform that handles user identities, private information or communications must be secured with the use of strong cryptography. User communications must be encrypted in transit and in storage. User secrets such as passwords must also be protected using strong, collision-resistant hashing algorithms with increasing work factors, both to greatly mitigate the risk of exposed credentials and to provide proper integrity control.
To protect data in transit, developers must use and adhere to TLS/SSL best practices such as verified certificates, adequately protected private keys, usage of strong ciphers only, informative and clear warnings to users, as well as sufficient key lengths.
Private data must be encrypted in storage as well, using keys of sufficient length and under strict access conditions, both technical and procedural. User credentials must be hashed regardless of whether or not they are encrypted in storage.
For detailed guides about strong cryptography and best practices, read the following OWASP references:
1- Cryptographic Storage Cheat Sheet
2- Authentication Cheat Sheet
3- Transport Layer Protection Cheat Sheet
4- Guide to Cryptography
5- Testing for TLS/SSL
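The "increasing work factors" point above, as an added example that is not part of the cheat sheet draft: each stored record carries its own work factor, so the verifier can detect records made with an older, lower setting and upgrade them after a successful login. PBKDF2-HMAC-SHA256, the iteration count and the record layout are this example's own assumptions, not a recommendation from the page.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Work factor for newly created records. Raise it over time as hardware gets
# faster; verify_password() flags records made with a lower factor so they can
# be re-hashed on the user's next successful login.
CURRENT_ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)                 # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash). needs_rehash is True when the record was
    produced with a lower work factor than CURRENT_ITERATIONS."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_text)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False, False                       # malformed record: reject it
    if algorithm != "pbkdf2_sha256" or iterations <= 0:
        return False, False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    matches = hmac.compare_digest(actual, expected)   # constant-time comparison
    return matches, matches and iterations < CURRENT_ITERATIONS

def login(password: str, record: str) -> Tuple[bool, str]:
    """Simulated login step: returns (success, record_to_store). The stored
    record is upgraded to the current work factor only after a successful check."""
    ok, upgrade = verify_password(password, record)
    if ok and upgrade:
        return True, hash_password(password)
    return ok, record
```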
Support HTTP Strict Transport Security
HTTP Strict Transport Security (HSTS) is an HTTP header set by the server indicating to the user agent that only secure (HTTPS) connections are accepted, prompting the user agent to change all insecure HTTP links to secure HTTPS ones, and also forcing the compliant user agent to fail-safe by refusing any TLS/SSL connection that is not trusted by the user.
HSTS has average support on popular user agents, such as Mozilla Firefox and Google Chrome. Nevertheless, it remains very useful for users who live in constant fear of spying and Man in the Middle Attacks.
For more details regarding HSTS, please visit: