Security Best Practices

Local Reference Index

ASVS 5.0 — references/OWASP_Application_Security_Verification_Standard_5.0.0_en.csv CSV columns: chapter_id,chapter_name,section_id,section_name,req_id,req_description,level (L1=basic, L2=standard, L3=advanced)

Cheat Sheets (109 files) — references/cheatsheets/<Topic>_Cheat_Sheet.md

Language-Specific Security Patterns — references/<language>-security-patterns.md

Each file includes language-specific security scanner recommendations.

Searching References

Use Grep on references/ for keywords or IDs. Use Read with offset/limit for targeted sections. Fall back to web fetch from https://cheatsheetseries.owasp.org/cheatsheets/ if local content is insufficient.

A01: Broken Access Control

• Deny access by default; require explicit grants (Access Control)
• Enforce authorization server-side; never rely on client-side checks (Authorization)
• Use indirect object references or validate ownership before returning resources (IDOR Prevention)
• Apply rate limiting and account lockout to prevent brute-force
• Log all access control failures and alert on repeated attempts
• Invalidate sessions and tokens on logout and password change (Session Management)
• Validate CORS configuration; avoid Access-Control-Allow-Origin: * for authenticated endpoints (HTTP Headers)
• For multi-tenant systems, enforce tenant isolation at every data access layer (Multi-Tenant Security)

A02: Cryptographic Failures

• Use TLS 1.2+ for all data in transit; disable older protocols (TLS)
• Enable HSTS with includeSubDomains and adequate max-age (HSTS)
• Use strong, modern algorithms (AES-256-GCM, ChaCha20-Poly1305); avoid DES, RC4, MD5, SHA-1 (Cryptographic Storage)
• Store passwords with Argon2id, bcrypt, or scrypt — never plain hashes (Password Storage)
• Manage secrets through a vault or environment variables; never hardcode (Secrets Management)
• Rotate keys on a defined schedule; support key versioning (Key Management)

A03: Injection

• Validate all input: type, length, range, format; use allowlists over denylists (Input Validation)
• Use parameterized queries or prepared statements for all SQL (SQL Injection Prevention, Query Parameterization)
• Context-escape all output: HTML-encode for HTML, JS-encode for JavaScript, URL-encode for URLs (XSS Prevention, DOM-based XSS Prevention)
• Avoid OS command execution; if unavoidable, use strict allowlists and no shell interpolation (OS Command Injection Defense)
• Sanitize LDAP input using established escape functions (LDAP Injection Prevention)
• Deploy Content Security Policy to mitigate XSS impact (CSP)
• Prevent DOM clobbering by avoiding document.getElementById on user-controllable IDs (DOM Clobbering Prevention)
• Guard against prototype pollution in JavaScript by freezing prototypes or using Object.create(null) (Prototype Pollution Prevention)

A04: Insecure Design

• Perform threat modeling early in the design phase (Threat Modeling)
• Identify and document abuse cases alongside use cases (Abuse Case)
• Analyze and minimize the attack surface for each feature (Attack Surface Analysis)
• Follow secure product design principles: least privilege, defense in depth, fail secure (Secure Product Design)

A05: Security Misconfiguration

• Disable unnecessary features, ports, services, and default accounts
• Harden Docker containers: non-root user, read-only filesystem, minimal base image (Docker Security)
• Apply Kubernetes security best practices: pod security policies, network policies, RBAC (Kubernetes Security)
• Scan IaC templates for misconfigurations before deployment (IaC Security)
• Disable XML external entity processing in all XML parsers (XXE Prevention)
• Set security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, etc. (HTTP Headers)
• Secure CI/CD pipelines: least-privilege tokens, signed artifacts, audit logs (CI/CD Security)

A06: Vulnerable and Outdated Components

• Maintain an inventory of all dependencies and their versions (Dependency Graph / SBOM)
• Continuously scan dependencies for known vulnerabilities (Vulnerable Dependency Management)
• Audit third-party JavaScript for integrity and behavior (Third Party JS Management)
• Use lockfiles and verify package integrity hashes (NPM Security)
• Review supply chain security practices for critical dependencies (Software Supply Chain Security)

A07: Identification and Authentication Failures

• Enforce minimum password complexity and check against breached password lists (Authentication)
• Implement MFA for privileged and sensitive operations (MFA)
• Generate session IDs server-side with high entropy; regenerate after authentication (Session Management)
• Secure password reset flows: time-limited tokens, side-channel verification (Forgot Password)
• Prevent credential stuffing with rate limiting, CAPTCHA, and device fingerprinting (Credential Stuffing Prevention)
• Implement OAuth 2.0 with PKCE for public clients (OAuth 2.0)
• Set cookie attributes: Secure, HttpOnly, SameSite, proper Path and Domain (Cookie Theft Mitigation)

A08: Software and Data Integrity Failures

• Never deserialize untrusted data; if required, validate schema and use safe libraries (Deserialization)
• Protect against mass assignment: explicitly allowlist assignable fields (Mass Assignment)
• Validate file uploads: check type via magic bytes (not just extension or Content-Type header), enforce size limits, and re-encode/re-process content to strip metadata and neutralize polyglots. Store outside webroot with random names. Explicitly reject dangerous types: SVG (can contain embedded JavaScript), HTML, executable files (.exe, .sh, .bat), and server-side scripts (.php, .jsp). (File Upload)
• Verify integrity of software artifacts with checksums and signatures

A09: Security Logging and Monitoring Failures

• Log authentication events, access control failures, input validation failures, and application errors (Logging)
• Use consistent log format and vocabulary for automated analysis (Logging Vocabulary)
• Never log sensitive data: passwords, tokens, PII, credit card numbers
• Return generic error messages to users; log detailed errors server-side (Error Handling)
• Set up alerts for anomalous patterns: brute force, privilege escalation, unusual data access

A10: Server-Side Request Forgery (SSRF)

• Validate and sanitize all user-supplied URLs (SSRF Prevention)
• Use allowlists for permitted domains and protocols
• Block requests to internal/private IP ranges (127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, etc.)
• Disable unnecessary URL schemes (file://, gopher://, ftp://)
• Run server-side HTTP clients in network-restricted environments when possible

API Security

• Authenticate and authorize every API request (REST Security)
• Validate request content types and reject unexpected media types
• Apply rate limiting and request size limits
• For GraphQL: limit query depth and complexity; disable introspection in production (GraphQL)
• For gRPC: use TLS, validate protobuf messages, implement interceptor-based auth (gRPC Security)
• For WebSockets: validate origin, authenticate the handshake, validate all messages (WebSocket Security)
• Prevent CSRF with synchronizer tokens or SameSite cookies (CSRF Prevention)
• Validate redirect URLs against an allowlist (Unvalidated Redirects)

AI and LLM Security

• Validate and sanitize all LLM inputs and outputs (LLM Prompt Injection Prevention)
• Apply least privilege to AI agent tool access and actions (AI Agent Security)
• Secure model serving infrastructure: access controls, input limits, monitoring (Secure AI Model Ops)

Framework-Specific Security

When working with a specific framework, consult the relevant cheat sheet for framework-specific pitfalls and mitigations:

Additional References

For topics not covered above, browse the full index: OWASP Cheat Sheet Series Index