Difference between revisions of "Secure Coding Cheat Sheet"

== Security Misconfigurations ==
* Disable all services, ports, protocols and daemons that are not required.
* Change all default and vendor-supplied passwords.
* Protect servers by grouping all similar functions into a VLAN.
* Sanitize error messages so that no internal workings are revealed.
* Prevent stack traces from leaving the container.
* Authorise access to the least amount of data and the fewest pages possible.
== Insecure Direct Object references ==

Revision as of 16:14, 8 January 2016



The goal of this document is to provide a high-level guideline for secure coding practices while keeping the overall document condensed and easy to digest. Individuals seeking additional information on specific areas should refer to the included links to learn more.

How To Use This Document

The information listed below consists of generally accepted secure coding practices; however, it is recommended that organizations treat this as a base template and update individual sections with secure coding recommendations specific to the organization's policies and risk tolerance.

Secure Coding Policy

Always maintain a secure coding policy. List the activities that relate to maintaining secure coding standards, for example whether these standards are technology-specific or technology-agnostic, how code review output feeds back into training, input data validation, output data validation, and so on.

Why should you have a secure coding policy? It helps maintain consistency across the organisation and supports both vertical and horizontal scaling of the standards' use across web development projects.


User Authentication

Please see

Password Complexity

For more information on password complexity, please see

Session Management

Access Control

Input Data Validation

Output Encoding

Please see

Secure Transmission / Network Layer security

Please see

File Uploads

Please see

Error Handling

Please see

Logging and Auditing

Please see


Please see

Cookie Management

Please see

Secure Deployment

Please see

Unvalidated Redirects and Forwards Cheat Sheet

Common Vulnerabilities

SQL Injection

Please see

Cross Site Scripting

Cross Site Request Forgery

Preventing Malicious Site Framing (ClickJacking)

Insecure Direct Object references

Directory Listing

  • Do not enable Directory Listing on your server

Concurrency and Race Conditions

  • Use a locking mechanism to protect shared resources
  • Obtain the lock on a shared resource before it is read, not only before it is written
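An added example (not part of the original cheat sheet) showing why the lock must be taken before the read: a check-then-act withdrawal on a constructed Account is run from two threads, first without a lock and then with one. The Barrier is only a test harness that forces the worst-case interleaving; the account, amounts and method names are all constructed for the demonstration.

```python
import threading

class Account:
    """Constructed example: one balance shared by several threads."""
    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_unsafe(self, amount, pause=lambda: None):
        # Check-then-act with no lock: a second thread can pass the same check
        # between our read and our write, so both withdrawals go through.
        if self.balance >= amount:
            pause()  # a point where the scheduler may switch threads
            self.balance -= amount
            return True
        return False

    def withdraw_safe(self, amount, pause=lambda: None):
        # The lock is taken before the balance is read, so the check and the
        # update form one atomic step and the second thread sees the new value.
        with self._lock:
            if self.balance >= amount:
                pause()
                self.balance -= amount
                return True
            return False


def run_concurrent(method_name, start, amount, workers=2):
    """Run `workers` withdrawals and return (final balance, successes).

    A Barrier makes the unlocked variant interleave at the worst moment: every
    thread passes the check before any of them updates. With the lock held, the
    other threads block on the lock and never reach the barrier, so the wait
    times out and the lock holder simply carries on."""
    account = Account(start)
    gate = threading.Barrier(workers)
    def pause():
        try:
            gate.wait(timeout=1.0)
        except threading.BrokenBarrierError:
            pass  # nobody else arrived: we hold the lock, continue safely
    withdraw = getattr(account, method_name)
    results = []
    threads = [threading.Thread(target=lambda: results.append(withdraw(amount, pause)))
               for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return account.balance, sum(results)
```

With a starting balance of 100 and two withdrawals of 80, the unlocked version ends at -60 with both withdrawals "succeeding", while the locked version ends at 20 with exactly one success.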


OWASP Cheat Sheets Project Homepage