
@bear
Forked from prologic/WSC.md
Last active July 29, 2017 21:42
Web Security Checklist (draft)

Instructions

Please fork this gist and use it as your own checklist as you develop and deploy your web application or API.

WARNING: This checklist assumes a reader with significant in-depth knowledge of and experience in web development.

App

Checklist for Backend<->Frontend Web Application(s)

  • TLS/SSL -- Protect the transport from sniffing.
  • Regenerate session IDs -- Helps thwart session hijacking/replay.
  • Store session state server-side -- Storing state client-side is riskier.
  • Secure session IDs -- Helps thwart brute-force guesses of valid session IDs.
    • Generate UUIDs from a cryptographically secure random source
  • Secure password database -- Makes offline brute-force attacks much harder or impossible.
    • Use either bcrypt or scrypt
  • Be domain unaware
    • Be able to work from either a sub-domain or a non-root path
    • Avoid URL fragments (/#) like the plague
  • No URL params, all payload
  • Work without JavaScript
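The four session and password items above fit together in one small piece of server-side code. The following is an added example written for this page, not code from the gist or its author: a server-side session store with cryptographically random IDs and regeneration on login, plus scrypt password hashing with salted records and constant-time verification. The class and function names, the scrypt cost parameters and the session TTL are this example's own assumptions; the gist fixes none of them.

```python
"""Added example (not part of the gist): server-side sessions with random,
regenerated IDs, and scrypt-hashed passwords. Names and parameters are assumed."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed scrypt cost parameters; tune for your hardware. Memory use is
# roughly 128 * r * N bytes, here 16 MiB, inside hashlib's default limit.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SESSION_ID_BYTES = 32   # 256 bits of entropy: guessing a valid ID is infeasible
SESSION_TTL = 3600      # seconds a session stays valid (assumed value)


def hash_password(password: str) -> str:
    """Return 'scrypt$<salt_hex>$<hash_hex>'. A fresh 16-byte salt per
    password means identical passwords yield different stored records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so the comparison leaks nothing about how many bytes matched."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest, expected)


def new_session_id() -> str:
    """Opaque session ID from the OS CSPRNG (never random.random or a counter)."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    """All session state lives server-side; the client holds only the opaque ID."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def create(self, data: Optional[dict] = None) -> str:
        sid = new_session_id()
        self._sessions[sid] = {"data": dict(data or {}), "created": self._now()}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["created"] > SESSION_TTL:
            del self._sessions[sid]      # expired sessions are dropped on access
            return None
        return entry["data"]

    def regenerate(self, old_sid: str) -> Optional[str]:
        """Issue a new ID for an existing session and invalidate the old one.
        Do this at every privilege change (login) so an ID captured or
        fixated before authentication cannot be replayed afterwards."""
        entry = self._sessions.pop(old_sid, None)
        if entry is None:
            return None
        new_sid = new_session_id()
        entry["created"] = self._now()
        self._sessions[new_sid] = entry
        return new_sid

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


# Hash of a throwaway secret, checked when the username is unknown so that
# login timing does not reveal which usernames exist.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(store: SessionStore, users: dict, pre_auth_sid: str,
          username: str, password: str) -> Optional[str]:
    """Authenticate and return the post-login session ID, or None on failure.
    `users` maps username -> hash_password() record (assumed layout)."""
    record = users.get(username)
    ok = verify_password(password, record if record is not None else DUMMY_HASH)
    if not ok or record is None:
        return None
    new_sid = store.regenerate(pre_auth_sid) or store.create()
    store.get(new_sid)["user"] = username
    return new_sid
```

The pre-authentication session ID handed to `login` is the one the anonymous visitor already had; after a successful login it is dead and the browser must be sent the regenerated ID. In a real deployment the store would be backed by a database or cache rather than a dict, and the cookie carrying the ID would be marked Secure and HttpOnly, which is the TLS item above applied to the session.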

API

Checklist for Backend<->Client Web API(s)

  • TLS/SSL -- Protect the transport from sniffing.

Resources
