Transport Layer Protection Cheat Sheet
From OWASP
Revision as of 01:24, 6 October 2009 by MichaelCoates (talk | contribs)
Page is under construction - [email protected]
- 1 Introduction
- 2 Rules for Transport Layer Protection
- 2.1 Server Configuration
- 2.1.1 Architecture & Design
- 2.1.2 Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
- 2.1.3 Rule #2 - Use SSL on Networks (External and Internal) Transmitting Sensitive Data
- 2.1.4 Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
- 2.1.5 Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
- 2.1.6 Rule #5 - Do Not Mix SSL and Non-SSL Content
- 2.1.7 Certificate & Protocol Configuration
- 2.1.8 Certificate Considerations
- 2.2 Client Configuration
- 2.3 Additional Controls
Introduction
Benefits
Confidentiality
Integrity
Replay Protection
End Point Authentication
Rules for Transport Layer Protection
Server Configuration
Architecture & Design
Rule #1 - Use SSL for All Login Pages and All Authenticated Pages
Rule #2 - Use SSL on Networks (External and Internal) Transmitting Sensitive Data
Rule #3 - Do Not Provide Non-SSL Pages for Secure Content
Rule #4 - Do Not Perform Redirects from Non-SSL Login to SSL Login Page
Rule #5 - Do Not Mix SSL and Non-SSL Content
Certificate & Protocol Configuration
Configuration
Certificate Considerations
Client Configuration
Certificate Validation
Trusted Root Store
Revocation List Checking