CSRF protection for all requests that effect server-side changes
User-generated content
  Prefer checking for valid input (whitelisting) rather than trying to refuse invalid input (blacklisting)
  Use a trusted vs. untrusted data policy in the application code
  Prefer parameterised database queries (prepared statements)
  Escape all user data
  Check that the escape syntax is correct for the context the data is used in:
    HTML element content
    HTML attributes
    JavaScript
    style elements
    URL attributes
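As an added example, not part of the original checklist and not taken from any framework: one escaping function per output context listed above, written in Python. The function names and the scheme whitelist used for hrefs are assumptions of the example.

```python
# Added example (not from the checklist or any framework): one escaper per
# output context listed above; the wrong one for a context leaves a hole.
import html
from typing import Optional
from urllib.parse import quote, urlsplit

def escape_html_content(s: str) -> str:
    """Untrusted text placed between HTML tags."""
    return html.escape(s, quote=True)

def escape_html_attr(s: str) -> str:
    """Untrusted text inside an attribute value; the caller must always
    wrap the attribute in double quotes: attr="{value}"."""
    return html.escape(s, quote=True)

def escape_js_string(s: str) -> str:
    """Untrusted text inside a JS string literal: everything outside [A-Za-z0-9]
    becomes \\xHH or \\uHHHH, which also neutralises </script> in inline scripts."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 0x100:
            out.append("\\x%02x" % ord(ch))
        else:  # UTF-16 code units, so astral characters become surrogate pairs
            units = ch.encode("utf-16-be")
            out.extend("\\u%04x" % int.from_bytes(units[i:i + 2], "big")
                       for i in range(0, len(units), 2))
    return "".join(out)

def escape_css_string(s: str) -> str:
    """Untrusted text inside a style value: CSS hex escape with the terminating
    space, so a following hex digit is not swallowed into the escape."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else "\\%x " % ord(ch)
                   for ch in s)

def escape_url_param(s: str) -> str:
    """Untrusted value embedded in a query-string parameter."""
    return quote(s, safe="")

ALLOWED_SCHEMES = {"http", "https"}  # assumed whitelist; relative URLs also pass

def safe_href(url: str) -> Optional[str]:
    """Untrusted value used as a whole href: whitelist the scheme (rejecting
    javascript:, data:, ...), then attribute-escape. Tabs and newlines are
    dropped first because browsers ignore them when parsing a URL."""
    cleaned = "".join(c for c in url if c not in "\t\n\r").strip()
    scheme = urlsplit(cleaned).scheme
    if scheme and scheme not in ALLOWED_SCHEMES:
        return None
    return escape_html_attr(cleaned)
```

Note that `safe_href` returns `None` for a rejected scheme rather than an empty string, so the calling template can drop the link instead of emitting a broken one.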
Sites with user accounts / logins
  User cookies use the Secure flag
  User cookies use the HttpOnly flag
  Session ID long enough to prevent brute-force attacks
  Session ID random enough not to be predictable
  Session ID must look random, i.e. not leak information
  Renew session ID after privilege level changes
  Treat session IDs as untrusted data that requires validation before use in database queries
  Prefer as short a session expiration as makes sense for the application
  Consider automatic timeout of idle sessions
  Enforcement of password strength
  Consider bland authentication failure messages that don't say what failed
  Automatic account lockouts after repeated authentication failures
  Passwords only sent over HTTPS connections
  Authenticated pages all sent over HTTPS
  Sensitive data is transmitted between servers over secured connections (TLS)
  No sensitive data in URLs
  Pages with sensitive data are not cached
  Passwords (and other sensitive data) are stored encrypted in the database
  PCI compliance/certification if storing cardholder data
  Process for forgotten passwords reviewed
HTTPS / TLS
  SSL certificates are for the live domain, not any staging domains
  No SSL errors or warnings in any of the main browsers
  SSL certificates have metadata consistent with the brand and website
  All content loaded via HTTPS links, including off-site links; no mixed secure/insecure content
  Servers configured to only accept strong encryption
  Server only supports TLS version 1.0 or greater
  Private keys are strong, well stored and protected
  Preferably no redirect from HTTP to HTTPS (e.g. on / or /login)