|
| 1 | +### The Security Checklist |
| 2 | + |
| 3 | +##### AUTHENTICATION SYSTEMS (Signup/Signin/2 Factor/Password reset) |
| 4 | +- [ ] Use HTTPS everywhere. |
| 5 | +- [ ] Store password hashes using `Bcrypt` with a random `salt`. |
| 6 | +- [ ] Destroy the session identifier after `logout`. |
| 7 | +- [ ] Destory all active sessions on reset password (or offer to). |
| 8 | +- [ ] Must have the `state` parameter in OAuth2 |
| 9 | +- [ ] No open redirects after successful login or in any other intermediate redirects. |
| 10 | +- [ ] While Signup/Login input, sanitize input for javascript://, data://, CRLF characters. |
| 11 | +- [ ] Set secure, httpOnly cookies. |
| 12 | +- [ ] In Mobile `OTP` based mobile verification, do not send the OTP back in the response when `generate OTP` or `Resend OTP` API is called. |
| 13 | +- [ ] Limit attempts to `Login`, `Verify OTP`, `Resend OTP` and `generate OTP` APIs for a particular user. Have an exponential backoff set or/and something like a captcha based challenge. |
| 14 | +- [ ] Check for randomness of reset password token in the emailed link or SMS |
| 15 | +- [ ] Set an expiration on the reset password token for a reasonable period. |
| 16 | +- [ ] Expire the reset token after it has been successfully used. |
| 17 | +- [ ] Destroy the logged in user's session everywhere after successful reset of password. |
| 18 | + |
| 19 | + |
| 20 | +##### USER DATA & AUTHORIZATION |
| 21 | +- [ ] Any resource access like, `my cart`, `my history` should check the logged in user's ownership of the resource using session id. |
| 22 | +- [ ] Serially iterable resource id should be avoided. Use `/me/orders` instead of `/user/37153/orders`. This acts as a sanity check in case you forgot to check for authorization token. |
| 23 | +- [ ] `Edit email/phone number` feature should be accompanied by a verification email to the owner of the account. |
| 24 | +- [ ] Any upload feature should sanitize the filename provided by the user. Also, for generally reasons apart from security, upload to something like S3 (and post-process using lambda) and not your own server capable of executing code. |
| 25 | +- [ ] `Profile photo upload` feature should sanitize all the `EXIF` tags also if not required. |
| 26 | +- [ ] For user ids and other ids, use [RFC complaint ](http://www.ietf.org/rfc/rfc4122.txt) `UUID` instead of integers. You can find an implementation for this for your language on Github. |
| 27 | +- [ ] JWT are awesome, use them if required for your single page app/APIs. |
| 28 | + |
| 29 | + |
| 30 | +##### ANDRIOD / IOS APP |
| 31 | +- [ ] `salt` from payment gateways should not be hardcoded. |
| 32 | +- [ ] `secret` / `auth token` from 3rd party SDK's should not be hardcoded. |
| 33 | +- [ ] API calls intended to be done `server to server` should not be done from the App. |
| 34 | +- [ ] In Android, all the granted [permissions](https://developer.android.com/guide/topics/security/permissions.html) should be carefully evaluated. |
| 35 | +- [ ] [Certificate pinning](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) is highly recommended. |
| 36 | + |
| 37 | + |
| 38 | +##### SECURITY HEADERS & CONFIGURATIONS |
| 39 | +- [ ] `Add` [CSP](https://en.wikipedia.org/wiki/Content_Security_Policy) header to mitigate XSS and data injection attacks. This is important. |
| 40 | +- [ ] `Add` [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) header to prevent cross site request forgery. |
| 41 | +- [ ] `Add` [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header to prevent SSL stripping attack. |
| 42 | +- [ ] `Add` [X-Frame-Options](https://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options) to protect against Clickjacking. |
| 43 | +- [ ] `Add` [X-XSS-Protection](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection) header to mitigate XSS attacks. |
| 44 | +- [ ] Update DNS records to add [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) record to mitigate spam and phishing attacks. |
| 45 | +- [ ] Add [subresource integrity checks](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading your JavaScript libraries from a third party CDN. |
| 46 | +- [ ] Use random CSRF tokens and expose buisness logic APIs as HTTP POST requests. Do not expose CSRF tokens over HTTP for example in a inital request upgrade phase. |
| 47 | +- [ ] Do not use critical data or tokens in GET request parameters. Exposure of server logs or a machine/stack processing them would expose user data in turn. |
| 48 | + |
| 49 | +##### SANITIZATION OF INPUT |
| 50 | +- [ ] `Sanitize` all user inputs or any input parameters exposed to user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) |
| 51 | +- [ ] `Sanitize` all user inputs or any input parameters exposed to user to prevent [SQL Injection](https://en.wikipedia.org/wiki/SQL_injection) |
| 52 | +- [ ] Sanitize user input if using it directly for functionalites like CSV import. |
| 53 | +- [ ] `Sanitize` user input for special cases like robots.txt as profile names in case you are using a url pattern like coolcorp.io/username. |
| 54 | +- [ ] Do not hand code or build JSON by string concatentation ever, no matter how small the object is. Use your langauge defined libraries or framework. |
| 55 | +- [ ] Sanitize inputs that take some sort of URLs to prevent [SSRF](https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#heading=h.t4tsk5ixehdd). |
| 56 | +- [ ] Sanitize Outputs before displaying to users. |
| 57 | + |
| 58 | +##### OPERATIONS |
| 59 | +- [ ] If you are small and inexperienced, evaluate using AWS elasticbeanstalk or a PaaS to run your code. |
| 60 | +- [ ] Use a decent provisioning script to create VMs in the cloud. |
| 61 | +- [ ] Check for machines with unwanted publicly `open ports`. |
| 62 | +- [ ] Check for no/default passwords for `databases` especially MongoDB & Redis. BTW MongoDB sucks, avoid it. |
| 63 | +- [ ] Use SSH to access your machines, do not setup a password. |
| 64 | +- [ ] Install updates timely to act upon zero day vulnerabilities like Heartbleed, Shellshock. |
| 65 | +- [ ] Modify server config to use TLS 1.2 for HTTPS and disable all other schemes. (The tradeoff is good) |
| 66 | +- [ ] Do not leave the DEBUG mode on. In some frameworks, DEBUG mode can give access full-fledged REPL or shells or expose critical data in error messages stacktraces. |
| 67 | +- [ ] Be prepared for bad actors & DDOS - use [Cloudflare](https://www.cloudflare.com/ddos/) |
| 68 | +- [ ] Setup monitoring for your systems and log stuff (use Newrelic or something like that) |
| 69 | +- [ ] If developing for enterprise customers, adhere to compliance requirements. If AWS S3, consider using the feature to [encrypt data](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html). If using AWS EC2, consider using the feature to use encrypted volumes (even boot volumes can be encypted now). |
| 70 | + |
| 71 | +##### PEOPLE |
| 72 | +- [ ] Setup an email (e.g. security@coolcorp.io) and a page for security researchers to report vulnerabilities. |
| 73 | +- [ ] Depending on what you are making, limit access to your user databases. |
| 74 | +- [ ] Be polite to bug reporters. |
| 75 | +- [ ] Have your code review done by a fellow developer from a secure coding perspective. (More eyes) |
| 76 | +- [ ] In case of a hack or data breach, check previous logs for data access, ask people to change passwords. You might require an audit by external agencies depending on where you are incorporated. |
| 77 | +- [ ] Setup Netflix Scumblr to hear about talks about your organization on social platforms and Google search. |
0 commit comments