Website Checklist (Security)
A checklist of security considerations for a website with sessions and user accounts. For much more detail, please see the info and cheat sheets at https://www.owasp.org/.
0001  CSRF protection for all requests that affect server-side changes

0002  User-generated content
0003    Prefer checking for valid input (whitelisting) rather than trying to refuse invalid input (blacklisting)
0004    Use a trusted vs untrusted data policy in the application code
0005    Prefer parameterised database queries (prepared statements)
0006    Escape all user data
0007    Check the escape syntax is correct for the context it is used in:
0008      HTML element content
0009      HTML attributes
0010      JavaScript
0011      style elements
0012      URL attributes

0013  Sites with user accounts / logins
0014    User cookies use the Secure flag
0015    User cookies use the HttpOnly flag
0016    Session ID long enough to prevent brute force attacks
0017    Session ID random enough not to be predictable
0018    Session ID must look random, i.e. not leak information
0019    Renew session ID after privilege level changes
0020    Treat session IDs as untrusted data that requires validation before use in database queries
0021    Prefer as short a session expiration as makes sense for the application
0022    Consider automatic timeout of idle sessions
0023    Enforcement of password strength
0024    Consider bland authentication failure messages that don't say what failed
0025    Automatic account lockouts after repeated authentication failures
0026    Passwords only sent over HTTPS connections
0027    Authenticated pages all sent over HTTPS
0028    Sensitive data is transmitted between servers over secured connections (TLS)
0029    No sensitive data in URLs
0030    Pages with sensitive data are not cached
0031    Passwords (and other sensitive data) are stored encrypted in the database
0032    PCI compliance/certification if storing cardholder data
0033    Process for forgotten passwords reviewed
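Items 0014 to 0022 in one place, as an added example that is not part of this checklist: session IDs from the OS CSPRNG, Secure/HttpOnly cookie flags, shape validation before the ID reaches the store, idle and absolute timeouts, and a fresh ID on privilege change. It assumes an in-memory dict standing in for the sessions table (constructed for the example).

```python
import re
import secrets
import time
from typing import Optional

# Constructed example: an in-memory dict stands in for the sessions table.
_store: dict = {}

# 32 bytes from the OS CSPRNG = 256-bit ID: too long to brute-force, not predictable,
# and token_urlsafe output has no structure that could leak information.
SESSION_ID_BYTES = 32
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{43}")  # exact shape of token_urlsafe(32)
IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session is dropped
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age regardless of activity

def new_session(user: str, role: str = "user", now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(SESSION_ID_BYTES)
    _store[sid] = {"user": user, "role": role, "created": now, "last_seen": now}
    return sid

def cookie_header(sid: str) -> str:
    # Secure: never sent over plain HTTP. HttpOnly: not readable from script.
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def load_session(sid: str, now: Optional[float] = None) -> Optional[dict]:
    """Validate the ID's shape before it reaches the store, then enforce timeouts."""
    now = time.time() if now is None else now
    if not SESSION_ID_RE.fullmatch(sid):  # untrusted input: reject anything we never issued
        return None
    sess = _store.get(sid)
    if sess is None:
        return None
    if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_LIFETIME:
        _store.pop(sid, None)  # expired: remove server-side, not just in the browser
        return None
    sess["last_seen"] = now
    return sess

def elevate(sid: str, new_role: str, now: Optional[float] = None) -> Optional[str]:
    """Privilege change: move the session to a fresh ID and retire the old one."""
    sess = load_session(sid, now)
    if sess is None:
        return None
    fresh = secrets.token_urlsafe(SESSION_ID_BYTES)
    _store[fresh] = {**_store.pop(sid), "role": new_role}  # old ID no longer resolves
    return fresh
```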
0034  HTTPS / TLS
0035    SSL certificates are for the live domain, not any staging domains
0036    No SSL errors or warnings in any of the main browsers
0037    SSL certificates have metadata consistent with the brand and website
0038    All content loaded via HTTPS links, including off-site links; no mixed secure/insecure content
0039    Servers configured to only accept strong encryption
0040    Server only supports TLS version 1.0 or greater
0041    Private keys are strong, well stored and protected
0042    Preferably no redirect from HTTP to HTTPS (e.g. on / or /login)