0001
CSRF protection for all requests that effect server side changes
0002
User-generated content
0003
Prefer checking for valid input (whitelisting) rather than trying to refuse invalid (blacklisting)
0004
Use a trusted vs untrusted data policy in the application code
0005
Prefer parameterised database queries (prepared statements)
0006
Escape all user data
0007
Check escape syntax correct for use in
0008
html element content
0009
html attributes
0010
javascript
0011
style elements
0012
url attributes
0013
Sites with user accounts / logins
0014
User cookies use the secure flag
0015
User cookies use the HttpOnly flag
0016
Session ID long enough not to prevent brute force attacks
0017
Session ID random enough not to be predictable
0018
Session ID must look random, i.e not leak information
0019
Renew session ID after privilege level changes
0020
Treat session IDs as untrusted data that requires validation before using in database queries
0021
Prefer as short a session expiration as makes sense for the application
0022
Consider automatic timeout of idle sessions
0023
Enforcement of password strength
0024
Consider bland authentication failure messages that don't say what failed
0025
Automatic account lockouts after repeated authentication failures
0026
Passwords only sent over HTTPS connections
0027
Authenticated pages all sent over HTTPS
0028
Sensitive data is transmitted between servers over secured connections (TLS)
0029
No sensitive data in URLs
0030
Pages with sensitive data are not cached
0031
Passwords (and other sensitive data) are stored encrypted in the database
0032
PCI compliance/certification if storing cardholder data
0033
Process for forgotten passwords reviewed
0034
HTTPS / TLS
0035
SSL certificates are for the live domain, not any staging domains
0036
No SSL errors or warnings in all main browsers
0037
SSL certificates have meta-data consistent with the brand and website
0038
All content loaded via HTTPS links, including off-site links, no mixed secure/insecure content
0039
Servers configured to only accept strong encryption
0040
Server only supports TLS version 1.0 or greater
0041
Private keys are strong, well stored and protected
0042
Preferably no redirect from HTTP to HTTPS (e.g. on / or /login)