This repository has been archived by the owner on Mar 2, 2022. It is now read-only.

Security Checklist #78

Open
michael-kamel opened this issue Nov 24, 2020 · 0 comments

Comments

@michael-kamel (Contributor)

michael-kamel commented Nov 24, 2020

This serves as a checklist for security related concerns, completed items will be crossed out

Some points are irrelevant for the current state of the project and can be left out.

Feel free to add, modify or remove anything if you think this should be done.


Refer to OWASP cheat sheets and guidelines for in-depth details.
The rules here are not disjoint, in the sense that some mitigations may be relevant for multiple points.

  1. nginx footprints:

    1. remove all traces of technologies used (Link)
  2. XSS

    1. X-XSS-Protection: 0 (deprecated)
    2. Filenames (don't use, or use with caution, or use IDs instead)
  3. Cookies (not very relevant)

    1. HttpOnly header
    2. secure cookie flag
  4. CSRF

    1. CSRF protection is currently disabled, but the token is stored in localStorage
  5. Clickjacking

    1. X-Frame-Options DENY, or set in CSP
  6. XST (not very relevant)

    1. disable HTTP TRACE (should be by default).
  7. File Extensions

    1. file extension rules allowed (check them)
    2. verify rules (rules indeed allowed)
  8. SSL

    1. version
    2. algorithm
    3. key length
  9. HSTS

    1. Follow guidelines for setting HTTP Strict Transport Security
  10. Password quality

    1. rules implemented
    2. rules applied globally
      1. register
      2. reset password
      3. frontend gives feedback
    3. no autocomplete on the frontend
  11. Invalidate user token

    1. logout
    2. account deletion
    3. reset password
  12. Data Validation

    1. malicious data input can cause the logic to be used in an unintended way
      • in general, restrict input data as much as possible without risking UX
    2. tokens generated are cryptographically secure
    3. salts are used
    4. sanitise file names if needed
  13. CORS

    1. same origin in production
  14. CSP

    1. Set CSP
  15. Emails

    1. Sanitize
    2. Prevent links in email, or put a warning sign on mails that contain links
  16. MISC

    1. X-Content-Type-Options: nosniff
    2. Rate limits.
    3. Prevent login spam
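The response-header items in the checklist above (nginx footprints, X-XSS-Protection, cookie flags, clickjacking, HSTS, CSP, nosniff) can be checked mechanically against a captured response. The script below is an added example, not code from this repository or its author: it audits a dictionary of response headers plus the raw `Set-Cookie` lines and returns one finding per checklist violation. The two header sets at the bottom are constructed sample data, not captured from the project, and the HSTS thresholds (one-year `max-age`, `includeSubDomains` required) are the reviewer's assumptions about what "follow the guidelines" should mean.

```python
"""Audit HTTP response headers against the header-related items of the checklist.

Added example; the header sets below are constructed, not captured from the project.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # assumed HSTS max-age floor (seconds)


def audit_headers(headers: Dict[str, str], set_cookies: List[str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    # 1. nginx footprints: technology-revealing headers should be absent entirely
    for name in ("server", "x-powered-by"):
        if name in h:
            findings.append(f"{name}: header leaks technology ({h[name]!r})")

    # 2. XSS: the legacy filter is deprecated and should be explicitly disabled
    if h.get("x-xss-protection", "").strip() != "0":
        findings.append("x-xss-protection: should be set to 0")

    # 3. Cookies: every Set-Cookie line must carry HttpOnly and Secure
    for raw in set_cookies:
        attrs = [a.strip().lower() for a in raw.split(";")]
        cookie_name = attrs[0].split("=", 1)[0]
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name}: missing Secure flag")

    # 5. Clickjacking: X-Frame-Options DENY or a CSP frame-ancestors directive
    csp = h.get("content-security-policy", "")
    if h.get("x-frame-options", "").strip().upper() != "DENY" and "frame-ancestors" not in csp:
        findings.append("clickjacking: no X-Frame-Options DENY and no CSP frame-ancestors")

    # 9. HSTS: present, long max-age, and covering subdomains (assumed thresholds)
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("strict-transport-security: header missing")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        max_age = 0
        for d in directives:
            if d.startswith("max-age="):
                try:
                    max_age = int(d.split("=", 1)[1])
                except ValueError:
                    max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"strict-transport-security: max-age {max_age} below {ONE_YEAR}")
        if "includesubdomains" not in directives:
            findings.append("strict-transport-security: missing includeSubDomains")

    # 14. CSP: must exist, and should not rely on 'unsafe-inline'
    if not csp:
        findings.append("content-security-policy: header missing")
    elif "'unsafe-inline'" in csp:
        findings.append("content-security-policy: allows 'unsafe-inline'")

    # 16. MISC: stop MIME sniffing
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("x-content-type-options: should be nosniff")

    return findings


# Constructed sample responses (not from the project): a typical default and a hardened one.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
    "Content-Type": "text/html",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
}
WEAK_COOKIES = ["session=abc123; Path=/"]

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "0",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
HARDENED_COOKIES = ["session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]


if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        print(f"== {label} ==")
        for finding in audit_headers(hdrs, cookies) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see the ten findings for the weak set and none for the hardened one; to audit a real deployment, replace the constructed dictionaries with the headers of a captured response (for example from `curl -sI`). Items that are not observable from headers alone (TLS version and ciphers, TRACE handling, password rules, token invalidation) still need their own checks.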