OWASP Cheat Sheet Series

= Main =  

{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |-
 * valign="top" style="border-right: 1px dotted gray;padding-right:25px;" |

Our goal
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.

If you have any questions about the OWASP Cheat Sheet Series, please email the project leaders [mailto:dominique.righetto@owasp.org Dominique Righetto] or [mailto:jim.manico@owasp.org Jim Manico], contact us on the project's Slack channel or on our Google Group (Slack is highly preferred over the Google Group).

The archives of the old mailing list can be consulted here.

Migration to GitHub
Project has been fully migrated to GitHub.

This page is used as the OWASP homepage of the project, all the project content is hosted on the GitHub repository and we work only from this repository, wiki is not used anymore.

So, from now, only a GitHub account is needed to contribute :)

Bridge between the projects OWASP Proactive Controls/OWASP Application Security Verification Standard and OWASP Cheat Sheet Series
A work channel has been created between these 2 projects and the Cheat Sheet Series using the following process (OPC = OWASP Proactive Controls / OASVS = OWASP Application Security Verification Standard / OCS = OWASP Cheat Sheet):


 * When a Cheat Sheet is missing for a point in OPC/OASVS then the OCS will handle the missing and create one. When the Cheat Sheet is ready then the reference is added by OPC/OASVS.
 * If a Cheat Sheet exists for an OPC/OASVS point but the content do not provide the expected help then the Cheat Sheet is updated to provide the content needed/expected.

The reason of the creation of this bridge is to help the OCS/OASVS projects by providing them:


 * A consistent source for the requests regarding new Cheat Sheets.
 * Same approach about the update of the existing Cheat Sheets.
 * A usage context for the Cheat Sheet and a quick source of feedack about the quality and the efficiency of the Cheat Sheet.

It is not mandatory that a request for a new Cheat Sheet (or for an update) come only from OPC/OASVS, it is just a extra channel.

Requests from OPC/OASVS are flagged with a special label in the GitHub repository issues list in order to identify them and set them as a top level priority.

Project Leaders

 * Jim Manico [mailto:jim.manico@owasp.org @]
 * Dominique Righetto [mailto:dominique.righetto@owasp.org @]

Contributors of the V1 of the project
Paweł Krawczyk, Mishra Dhiraj, Shruti Kulkarni, Torsten Gigler, Michael Coates, Jeff Williams, Dave Wichers, Kevin Wall, Jeffrey Walton, Eric Sheridan, Kevin Kenan, David Rook, Fred Donovan, Abraham Kang, Dave Ferguson, Shreeraj Shah, Raul Siles, Colin Watson, Neil Matatall, Zaur Molotnikov, Manideep Konakandla, Santhosh Tuppad and many more!

Contributors of the V2 of the project
See here for a complete list.


 * valign="top" style="padding-left:25px;width:200px;" |

GitHub repository
Repository is here.

Offline Cheat Sheets collection
A offline website of all Cheat Sheets can be obtained here.

Slack & Twitter
Slack channel information:
 * Server
 * Channel

Twitter hash tag: #owaspcheatsheetseries

Google Group
Project Google Group, click here to join it.

Still used for technical discussion but we highly prefer:
 * The Slack channel for announcement and technical discussion.
 * The Twitter hash tag for announcement only.

Licensing
The OWASP Cheat Sheet Series is free to use under the Creative Commons ShareAlike 3 License.

Related Projects

 * OWASP Proactive Controls
 * OWASP Application Security Verification Standard Project

News and Events

 * [Mar 09 2019] Move from Mailman to Google Group.
 * [Feb 23 2019] V2 released, from now see all the update here.
 * [Feb 22 2019] Migration to GitHub finished.
 * [Dec 28 2018] Start migration of the cheat sheets collection to GitHub.
 * [Dec 01 2018] Injection Prevention Cheat Sheet in Java updated
 * [Nov 24 2018] Securing Cascade Style Sheets Cheat Sheet added to project
 * [Nov 08 2018] Creation and sharing of the project logos
 * [Oct 13 2018] CSRF Prevention Cheat Sheet refactored
 * [Sep 25 2018] Abuse Case Cheat Sheet added to project
 * [Aug 25 2018] Cleanup of Cheat Sheets finished
 * [Jul 15 2018] Error Handling Cheat Sheet added to project
 * [Jun 12 2018] Made available the PDF book of all Cheat Sheets
 * [May 10 2018] Protect File Upload Against Malicious File Cheat Sheet updated
 * [Mar 18 2018] Password Storage Cheat Sheet updated
 * [Feb 21 2018] HTML5 Security Cheat Sheet updated
 * [Feb 18 2018] Password Storage Cheat Sheet updated
 * [Jan 14 2018] Insecure Direct Object Reference Prevention Cheat Sheet updated
 * [Dec 04 2017] Ruby On Rails Cheat Sheet updated
 * [Nov 19 2017] JWT Cheat Sheet for Java updated
 * [Nov 17 2017] OS Command Injection Defense Cheat Sheet added to project
 * [Nov 04 2017] Authorization Testing Automation Cheat Sheet added to project
 * [Jan 17 2017] XML Security Cheat Sheet added to project
 * [Feb 06 2016] New navigation template rolled out project-wide
 * [Jun 11 2015] SAML Cheat Sheet added to project
 * [Feb 11 2015] Cheat Sheet "book" added to project
 * [Apr 04 2014] All non-draft cheat sheets moved to new wiki template!
 * [Feb 04 2014] Project-wide cleanup started


 * }

= Roadmap =

Roadmap is managed using the GitHub feature of the repository.

= Project Logo =

Project is now finished, we let the specification online for further evolution of the logo.

Big thanks to Amélie Didion for the design work.

Logo files
Logo files are hosted on the official OWASP dedicated Github repository.

Logo n°1:



Logo n°2:



Objective
This section contains the information that we have gathered and plan to use for the creation of the project logo and related design materials.

The first phase of the work is to commission a project logo.

Introduction
The project requires a logo which will comprise three components:


 * Graphical element indicating the idea or use of the cheat sheets
 * The project title
 * Motto/straplines.

Not all of these will necessarily be shown together at the same time. Phase 1 requires the creation of a logo, which may be used with one, two or all three of these components.

The logo will be used in many ways such as on a website banner, or just the graphical element on a bag, or the graphical element and a motto/strapline on a t-shirt. These other outputs are not included in the scope of Phase 1.

Project Name
The project name is OWASP Cheat Sheet Series project. The project name will be positioned next to the graphical element in some outputs, and this layout must be provided. In other cases, the project name will not be included beside the logo.

Motto/Strapline
Three mottos/straplines will be used in the logo - they are context dependent:


 * Life is too short, AppSec is tough, Cheat!
 * Its not cheating if you do it for the right reasons
 * Sometimes the only good thing to do is cheat.

The logo layout must allow for any of these or none to be included.

Layout, Media Formats and Colours
Some media or placements may mean the motto/strapline does not fit or is not needed. Therefore the logo must be usable with, or without, the motto/strapline.

The logo will need to be used at multiple scales. For example, if the logo is square excluding the motto/strapline, the following formats must work


 * Low-resolution use on web pages (e.g. as small as 100x100 pixels excluding moto/strapline)
 * Medium resolution use on fabric such as t-sirts or bags (e.g. 900x900 pixels at 150 dpi)
 * High-resolution use on large posters and banners (e.g. as large as 5,000x5,000 pixels at 300dpi).

The logo may be printed in CMYK for physical media, but must also have RGB colours for screen use. Additionally the logo must also be available in grayscale, and separately as single colour (i.e. black and white without any tones).

Deliverables Required
All outputs must be provided digitally:


 * 1) Logo demonstrating how it looks with just the graphical element, the graphical element with the project title, and the graphical element with each of the mottos/straplines, and everything together
 * 2) Source layered vector graphic files created in Adobe Illustrator
 * 3) Exported versions for quick use low, medium and high resolution full-colour PNG/JPEGs in RGB and CMYK
 * 4) Colour and font specification.

Rights/licensing:


 * 1) The designer will not retain any rights - all design and use rights will be given to OWASP, who will publish the logo and files using am open source licence, and OWASP will be able to use the logo, source files, ideas, designs in any manner it desires in any media in any quantity, without any additional payments, commission or royalties to the designer or anyone else
 * 2) All fonts used in the design must be provided to OWASP and comply with the above requirements

Future Phases: Other Graphical Elements
Scope TBC - Banners, t-shirts, etc

Background pictures (picture provider and designer will be cited on the project site):
 * A smart tech looking woman reading a piece of paper (the cheatsheet) while resting on a beach.
 * A woman hand holding cards with an ace up the sleeve.

Pictures proposal (just a proposal as bootstrap, others pictures can be used):
 * Cards:
 * https://www.pexels.com/photo/woman-holding-queen-of-hearts-and-diamonds-922706/
 * https://www.pexels.com/photo/ace-card-gambling-hand-274373/
 * https://www.pexels.com/photo/ace-bet-business-card-262333/
 * Beach:
 * https://www.pexels.com/photo/laptop-mockup-notebook-outside-4778/
 * https://www.pexels.com/photo/apple-check-computer-female-7079/
 * https://www.pexels.com/photo/beach-beach-chair-blur-casual-319921/
 * https://www.pexels.com/photo/close-up-of-woman-typing-on-keyboard-of-laptop-6352/
 * https://www.pexels.com/photo/black-and-gray-computer-laptop-159784/