The Cheat Sheet Series project has been moved to GitHub!
An open discussion is pending about to exclude or not this cheat sheet of the V2 of the project.
The goal of this document is to create high level guideline for secure coding practices. The goal is to keep the overall size of the document condensed and easy to digest. Individuals seeking addition information on the specific areas should refer to the included links to learn more.
How To Use This Document
The information listed below are generally acceptable secure coding practices; however, it is recommend that organizations consider this a base template and update individual sections with secure coding recommendations specific to the organization's policies and risk tolerance.
Secure Coding Policy
Always maintain a secure coding policy. List down the activities that are related to maintenance of secure coding standards (would these standards be technology specific or technology agnostic), feedback of code review output to training, input data validation, output data validation etc
Why should you be having a secure coding policy? It helps in maintaining consistency across organisation and helps in vertical and horizontal scaling of usage of standards for web development projects.
Please see https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Utilize_Multi-Factor_Authentication
Please see https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Implement_Proper_Password_Strength_Controls.
Please see https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
Please see https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
Input Data Validation
Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet
Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Output_Encoding
Secure Transmission / Network Layer security
Please see https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Benefits
Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#File_Uploads
Please see https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet#Error_Handling
Logging and Auditing
Please see https://www.owasp.org/index.php/Logging_Cheat_Sheet
Please see https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
Please see https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies
Unvalidated Redirects and Forwards Cheat Sheet
Please see https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Please see https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
Cross Site Scripting
Please see https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
Please see https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Please see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
Cross Site Request Forgery
Please see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
Preventing Malicious Site Framing (ClickJacking)
Please see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Defending_with_X-Frame-Options_Response_Headers
Insecure Direct Object references
Please see https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet
This page has been recommended for deletion
.You can help OWASP by improving it or discussing it on its Talk page. See FixME Comment: Tagged via fixme/delete.