Security Code Review Cheat Sheet

= Authentication =

== Password Complexity ==

== Password Rotation ==

== Account Lockout and Failed Login ==

== Password Reset Functions ==

== Email Change and Verification Functions ==

== Password Storage ==

=== Old Password Hashes ===

=== Migration ===

= Session Management =

== Session ID Length ==

== Session ID Creation ==

== Inactivity Time Out ==

== Secure Flag ==

== HTTP-Only Flag ==

== Logout ==

= Access Control =

== Presentation Layer ==

== Business Layer ==

== Data Layer ==

= Input Validation =

== Goal of Input Validation ==

== JavaScript vs Server Side Validation ==

== Positive Approach ==

== Robust Use of Input Validation ==

== Validating Rich User Content ==

== File Upload ==

= Output Encoding =

== Preventing XSS and Content Security Policy ==

== Preventing SQL Injection ==

== Preventing OS Injection ==

== Preventing XML Injection ==

= Cross Domain Request Forgery =

== Preventing CSRF ==

== Preventing Malicious Site Framing (ClickJacking) ==

== 3rd Party Scripts ==

== Connecting with Twitter, Facebook, etc ==

= Secure Transmission =

== When To Use SSL/TLS ==

== Don't Allow HTTP Access to Secure Pages ==

== Implement STS ==