Transport Layer Protection Cheat Sheet
From OWASP
Revision as of 02:20, 6 October 2009 by MichaelCoates (talk | contribs) (wrote skeleton of document)
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for Transport Layer Protection
- 2.1 Secure Server Design
- 2.1.1 Rule - Use SSL for All Login Pages and All Authenticated Pages
- 2.1.2 Rule - Use SSL on Any Networks (External and Internal) Transmitting Sensitive Data
- 2.1.3 Rule - Do Not Provide Non-SSL Pages for Secure Content
- 2.1.4 Rule - Do Not Perform Redirects from Non-SSL Page to SSL Login Page
- 2.1.5 Rule - Do Not Mix SSL and Non-SSL Content
- 2.1.6 Rule - Use "Secure" Cookie Flag
- 2.2 Server Certificate & Protocol Configuration
- 2.2.1 Rule - Use an Appropriate Certificate Authority for the Application's User Base
- 2.2.2 Rule - Only Support Strong Cryptographic Algorithms
- 2.2.3 Rule - Only Support Strong Protocols
- 2.2.4 Rule - Establish a Strong Private Key for the Server
- 2.2.5 Rule - Use a Certificate That Supports All Available Domain Names
- 2.3 Client Configuration
- 2.4 Additional Controls
Introduction
Benefits
- Confidentiality
- Integrity
- Replay Protection
- End Point Authentication