Secure Coding Cheat Sheet
= IMPORTANT =

The Cheat Sheet Series project has been moved to GitHub!

An open discussion is pending about whether or not to exclude this cheat sheet from V2 of the project.

= Introduction =

The goal of this document is to provide high-level guidelines for secure coding practices. The intent is to keep the overall size of the document condensed and easy to digest. Individuals seeking additional information on specific areas should refer to the included links to learn more.

= How To Use This Document =

The information listed below consists of generally accepted secure coding practices; however, it is recommended that organizations treat this as a base template and update individual sections with secure coding recommendations specific to the organization's policies and risk tolerance.

= Secure Coding Policy =

Always maintain a secure coding policy. List the activities related to maintaining secure coding standards (whether those standards are technology-specific or technology-agnostic), such as feeding code review output back into training, input data validation, output data validation, etc.

Why should you have a secure coding policy? It helps maintain consistency across the organisation and supports both vertical and horizontal scaling of the use of standards across web development projects.

= User Authentication =

Please see https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Utilize_Multi-Factor_Authentication

= Password Complexity =

Please see https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls.

= Session Management =

Please see https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

= Access Control =

Please see https://www.owasp.org/index.php/Access_Control_Cheat_Sheet

= Input Data Validation =

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet

= Output Encoding =

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Output_Encoding

= Secure Transmission / Network Layer security =

Please see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Benefits

= File Uploads =

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#File_Uploads

= Error Handling =

Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Error_Handling

= Logging and Auditing =

Please see https://www.owasp.org/index.php/Logging_Cheat_Sheet

= Cryptography =

Please see https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet

= Cookie Management =

Please see https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies

= Unvalidated Redirects and Forwards Cheat Sheet =

Please see https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

= SQL Injection =

Please see https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

= Cross Site Scripting =

Please see https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

Please see https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

Please see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

= Cross Site Request Forgery =

Please see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

= Preventing Malicious Site Framing (ClickJacking) =

Please see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers

= Insecure Direct Object references =

Please see https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet

= Other Cheatsheets =