Web Application Security

This is guide is provided to help developers better understand technical information that pertains to web application security, including the processes and key points into ensuring the secure design and management of web applications.

See the Abbreviations and Terms commonly used when discussing web application security.

Cookies

Use secure cookie attributes

Securing connections containing cookie data

Access Control

Apply the principle of least privilege

Don’t use direct object references for access control checks

Don’t use unvalidated forwards or redirects

Error Messages and Logging

Use generic error messages

Hide authentication error details

Log authentication activity

Securely store logs

Secure Headers and Certificates

Using the Strict Transport-Security header

Use X-Frame-Options or CSP headers

Use valid SSL certificates

Managing Credentials

Don’t hardcode credentials

Use secure key management processes

Securely store user passwords

Disable data caching

Store database credentials securely

Session Management

Ensure session identifiers are sufficiently random

Regenerate session tokens

Implement an absolute session timeout

Destroy sessions at any sign of tampering

Invalidate the session after logout

Place a logout button on every page

Implement account lockout against brute force attacks

Use tokens to prevent forged requests

Form Data Input and Output

Validate form data

Establish strategies against harmful user input

Validate uploaded files

Use the nosniff header for uploaded content

Validate the source of input

Prefer whitelists over blacklists

Use parameterized SQL queries

Conduct contextual output encoding