24 lines
1.9 KiB
Plaintext
24 lines
1.9 KiB
Plaintext
:link-with-uscores1: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
|
|
:link-with-uscores2: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
Never trust any part of the request to be safe. Make sure that the URI, header and body are properly https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet[sanitized] before being used. Their content, length, encoding, name (ex: name of URL query parameters) should be checked. Validate that the values are in a predefined whitelist. The opposite, i.e. searching for dangerous values in a given input, can easily miss some of them.
|
|
|
|
|
|
Do not rely solely on cookies when you implement your authentication and permission logic. Use additional protections such as {link-with-uscores1}[CSRF] tokens when possible.
|
|
|
|
|
|
Do not expose sensitive information in your response. If the endpoint serves files, limit the access to a dedicated directory. https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#cookies[Protect your sensitive cookies] so that client-side javascript cannot read or modify them.
|
|
|
|
|
|
Sanitize all values before returning them in a response, be it in the body, header or status code. Special care should be taken to avoid the following attacks:
|
|
|
|
* {link-with-uscores2}[Cross-site Scripting (XSS)], which happens when an unsafe value is included in an HTML page.
|
|
* https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet[Unvalidated redirects] which can happen when the ``++Location++`` header is compromised.
|
|
|
|
Restrict security-sensitive actions, such as file upload, to authenticated users.
|
|
|
|
|
|
Be careful when errors are returned to the client, as they can provide sensitive information. Use 404 (Not Found) instead of 403 (Forbidden) when the existence of a resource is sensitive.
|