Difference between revisions of "Transport Layer Protection Cheat Sheet"
From OWASP
Revision comparison (older revision summary: "wrote skeleton of document"; newer revision summary: "→Rules for Transport Layer Protection"), change at line 10 of the page source:

Older revision:
 *End Point Authentication
 = Rules for
 == Secure Server Design <br> ==

Newer revision:
 *End Point Authentication
 = Rules for VPN<br> =
 (blank line)
 (blank line)
 = Rules for SSL/TLS<br> =
 == Secure Server Design <br> ==
Revision as of 22:00, 7 October 2009
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for VPN
- 3 Rules for SSL/TLS
- 3.1 Secure Server Design
- 3.1.1 Rule - Use SSL for All Login Pages and All Authenticated Pages
- 3.1.2 Rule - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
- 3.1.3 Rule - Do Not Provide Non-SSL Pages for Secure Content
- 3.1.4 Rule - Do Not Perform Redirects from Non-SSL Page to SSL Login Page
- 3.1.5 Rule - Do Not Mix SSL and Non-SSL Content
- 3.1.6 Rule - Use "Secure" Cookie Flag
- 3.2 Server Certificate & Protocol Configuration
- 3.2.1 Rule - Use an Appropriate Certificate Authority for the Application's User Base
- 3.2.2 Rule - Only Support Strong Cryptographic Algorithms
- 3.2.3 Rule - Only Support Strong Protocols
- 3.2.4 Rule - Establish a Strong Private Key for the Server
- 3.2.5 Rule - Use a Certificate That Supports All Available Domain Names
- 3.3 Client Configuration
- 3.4 Additional Controls
Introduction
Benefits
- Confidentiality
- Integrity
- Replay Protection
- End Point Authentication