This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Difference between revisions of "Transport Layer Protection Cheat Sheet"
From OWASP
Revision comparison: earlier revision (edit summary "Page Creation") versus this revision (minor edit).

Earlier revision (removed lines):
  ==
  =
  ==
  ==
  Revocation List Checking

This revision (added lines):
  Page is under construction - [email protected]
  = Introduction =
  == Benefits ==
  Confidentiality
  Integrity
  Replay Protection
  End Point Authentication
  = Rules for Transport Layer Protection =
  == Server Configuration ==
  === Architecture & Design ===
  === Rule #1 - Use SSL for All Login Pages and All Authenticated Pages ===
  === Rule #2 - Use SSL on Networks (External and Internal) Transmitting Sensitive Data ===
  === Rule #3 - Do Not Provide Non-SSL Pages for Secure Content ===
  === Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page ===
  === Rule #5 - Do Not Mix SSL and Non-SSL Content ===
  === Certificate & Protocol Configuration ===
  Configuration
  === Certificate Considerations ===
  == Client Configuration ==
  Certificate Validation
  Trusted Root Store
  Revocation List Checking

Unchanged in both revisions:
  == Additional Controls ==
Revision as of 01:24, 6 October 2009
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for Transport Layer Protection
  - 2.1 Server Configuration
    - 2.1.1 Architecture & Design
    - 2.1.2 Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
    - 2.1.3 Rule #2 - Use SSL on Networks (External and Internal) Transmitting Sensitive Data
    - 2.1.4 Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
    - 2.1.5 Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
    - 2.1.6 Rule #5 - Do Not Mix SSL and Non-SSL Content
    - 2.1.7 Certificate & Protocol Configuration
    - 2.1.8 Certificate Considerations
  - 2.2 Client Configuration
  - 2.3 Additional Controls
= Introduction =

== Benefits ==

Confidentiality
Integrity
Replay Protection
End Point Authentication

= Rules for Transport Layer Protection =

== Server Configuration ==

=== Architecture & Design ===

=== Rule #1 - Use SSL for All Login Pages and All Authenticated Pages ===

=== Rule #2 - Use SSL on Networks (External and Internal) Transmitting Sensitive Data ===

=== Rule #3 - Do Not Provide Non-SSL Pages for Secure Content ===

=== Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page ===

=== Rule #5 - Do Not Mix SSL and Non-SSL Content ===

=== Certificate & Protocol Configuration ===

Configuration

=== Certificate Considerations ===

== Client Configuration ==

Certificate Validation
Trusted Root Store
Revocation List Checking

== Additional Controls ==