[Back to Contents](README.md)


Jul 19, 2016 @abhishek-anand Create security-checklist.md
### The Security Checklist

##### AUTHENTICATION SYSTEMS (Signup/Signin/2 Factor/Password reset)
- [ ] Use HTTPS everywhere.
- [ ] Store password hashes using `Bcrypt` (no salt necessary - `Bcrypt` does it for you).
- [ ] Destroy the session identifier after `logout`.
- [ ] Destroy all active sessions on password reset (or offer to).
- [ ] Always include the `state` parameter in OAuth2 flows.
- [ ] No open redirects after successful login or in any other intermediate redirects.
- [ ] When parsing signup/login input, sanitize for `javascript://`, `data://` and CRLF characters.
- [ ] Set the `Secure` and `HttpOnly` flags on cookies.
- [ ] In `OTP`-based mobile verification, do not send the OTP back in the response when the `generate OTP` or `Resend OTP` API is called.
- [ ] Limit attempts to the `Login`, `Verify OTP`, `Resend OTP` and `generate OTP` APIs for a particular user. Apply an exponential backoff and/or something like a captcha-based challenge.
- [ ] Check that the password reset token in the emailed link or SMS is random and unpredictable.
- [ ] Set an expiration on the password reset token for a reasonable period.
- [ ] Expire the reset token after it has been successfully used.

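The reset-token and rate-limiting items above, worked through as an added Python example (this is not code from the checklist or its project). It assumes hypothetical policy values (a 15-minute token lifetime, a 1-second base backoff) and uses constructed in-memory dictionaries in place of a database; password hashing itself is left to `Bcrypt` as the checklist says and is not shown.

```python
import hashlib
import secrets
import time

# Hypothetical policy values chosen for this example, not from the checklist.
TOKEN_TTL_SECONDS = 15 * 60   # a "reasonable period" for a reset link
BASE_DELAY_SECONDS = 1        # first failure waits 1s, then 2s, 4s, ...
MAX_DELAY_SECONDS = 15 * 60   # cap on the exponential backoff

# Constructed in-memory stores; a real service keeps these in its database.
reset_tokens = {}   # sha256(token) -> {"user": str, "expires": float, "used": bool}
sessions = {}       # session id -> user
attempts = {}       # (action, user) -> (failure count, blocked-until timestamp)


def login(user):
    """Create a session; the id comes from the OS CSPRNG, not a counter."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = user
    return sid


def logout(sid):
    """Destroy the session identifier server-side, not just the cookie."""
    sessions.pop(sid, None)


def issue_reset_token(user, now=None):
    """Mint a single-use password reset token for the emailed/SMS link.
    Only its hash is stored, so a leaked table yields no usable links."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                        # 256 random bits
    digest = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[digest] = {"user": user, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token


def redeem_reset_token(token, now=None):
    """Return the user the token belongs to, or None if it is unknown,
    already used or expired. A successful redeem destroys that user's sessions."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    rec = reset_tokens.get(digest)
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    rec["used"] = True                                       # single use
    for sid in [s for s, u in sessions.items() if u == rec["user"]]:
        del sessions[sid]                                    # kill active sessions
    return rec["user"]


def may_attempt(action, user, now=None):
    """Gate for Login / Verify OTP / Resend OTP / generate OTP: False while
    the (action, user) pair is still inside its backoff window."""
    now = time.time() if now is None else now
    _, blocked_until = attempts.get((action, user), (0, 0.0))
    return now >= blocked_until


def record_failure(action, user, now=None):
    """Exponential backoff: each failure doubles the wait, up to the cap.
    Returns the delay applied, in seconds."""
    now = time.time() if now is None else now
    failures, _ = attempts.get((action, user), (0, 0.0))
    failures += 1
    delay = min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)
    attempts[(action, user)] = (failures, now + delay)
    return delay


def record_success(action, user):
    """Clear the counter once the user gets through."""
    attempts.pop((action, user), None)
```

Storing only the hash of the token means the lookup itself is the check; there is nothing to compare in constant time because the caller either knows the 256-bit value or does not. Pair `may_attempt`/`record_failure` with a captcha challenge once the delay grows past a few seconds.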

##### USER DATA & AUTHORIZATION
- [ ] Any resource access, such as `my cart` or `my history`, should check the logged-in user's ownership of the resource using the session id.
- [ ] Avoid serially iterable resource ids. Use `/me/orders` instead of `/user/37153/orders`. This acts as a sanity check in case you forgot to check the authorization token.
- [ ] The `Edit email/phone number` feature should be accompanied by a verification email to the owner of the account.
- [ ] Any upload feature should sanitize the filename provided by the user. Also, for general reasons apart from security, upload to something like S3 (and post-process using Lambda) rather than to your own server, which is capable of executing code.
- [ ] The `Profile photo upload` feature should also strip all `EXIF` tags if they are not required.
- [ ] For user ids and other ids, use [RFC-compliant](http://www.ietf.org/rfc/rfc4122.txt) `UUID`s instead of integers. You can find an implementation for your language on GitHub.
- [ ] JWTs are awesome. Use them if required for your single-page app/APIs.


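The ownership-check and UUID items above as one added Python example (not the checklist's own code). The store, the `Forbidden` exception and the route-like function names are this example's assumptions; the point it makes is that `/me/...` resolves the user from the session, and that an unguessable id still gets an ownership check.

```python
import secrets
import uuid


class Forbidden(Exception):
    """Raised for 'not logged in' and 'not yours' alike; the web layer maps it to 403."""


# Constructed in-memory store for the example.
users = {}      # user id (UUID string) -> display name
sessions = {}   # session id -> user id
orders = {}     # order id (UUID string) -> {"owner": user id, "item": str}


def create_user(name):
    """Ids are random RFC 4122 version 4 UUIDs, so /user/<id>/... cannot be
    enumerated the way /user/37153/... can."""
    uid = str(uuid.uuid4())
    users[uid] = name
    return uid


def login(uid):
    sid = secrets.token_urlsafe(32)
    sessions[sid] = uid
    return sid


def current_user(sid):
    """Resolve '/me' from the session; the URL never names the user."""
    uid = sessions.get(sid)
    if uid is None:
        raise Forbidden("not logged in")
    return uid


def place_order(sid, item):
    """POST /me/orders: the owner is whoever holds the session."""
    oid = str(uuid.uuid4())
    orders[oid] = {"owner": current_user(sid), "item": item}
    return oid


def list_my_orders(sid):
    """GET /me/orders."""
    me = current_user(sid)
    return sorted(oid for oid, o in orders.items() if o["owner"] == me)


def get_order(sid, oid):
    """GET /orders/<oid>: an unguessable id is not authorization. Ownership is
    still checked, and a foreign order looks exactly like a missing one."""
    me = current_user(sid)
    order = orders.get(oid)
    if order is None or order["owner"] != me:
        raise Forbidden("no such order")
    return order


def is_uuid(value):
    """Reject ids that are not well-formed UUIDs before they reach a query."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False
```

Returning the same `Forbidden` for a missing order and for someone else's order keeps the response from leaking whether an id exists.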
##### ANDROID / IOS APP
- [ ] The `salt` from payment gateways should not be hardcoded.
- [ ] The `secret` / `auth token` from third-party SDKs should not be hardcoded.
- [ ] API calls intended to be done `server to server` should not be done from the app.
- [ ] In Android, all the granted [permissions](https://developer.android.com/guide/topics/security/permissions.html) should be carefully evaluated.
- [ ] On iOS, store sensitive information (authentication tokens, API keys, etc.) in the system keychain. Do __not__ store this kind of information in the user defaults.
- [ ] [Certificate pinning](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) is highly recommended.


##### SECURITY HEADERS & CONFIGURATIONS
- [ ] `Add` a [CSP](https://en.wikipedia.org/wiki/Content_Security_Policy) header to mitigate XSS and data injection attacks. This is important.
- [ ] `Add` a [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) header to prevent cross-site request forgery. Also add the [SameSite](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00) attribute on cookies.
- [ ] `Add` the [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) header to prevent SSL stripping attacks.
- [ ] `Add` your domain to the [HSTS Preload List](https://hstspreload.org/).
- [ ] `Add` [X-Frame-Options](https://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options) to protect against clickjacking.
- [ ] `Add` the [X-XSS-Protection](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-XSS-Protection) header to mitigate XSS attacks.
- [ ] Update DNS records to add an [SPF](https://en.wikipedia.org/wiki/Sender_Policy_Framework) record to mitigate spam and phishing attacks.
- [ ] Add [subresource integrity checks](https://en.wikipedia.org/wiki/Subresource_Integrity) if loading your JavaScript libraries from a third-party CDN. For extra security, add the [require-sri-for](https://w3c.github.io/webappsec-subresource-integrity/#parse-require-sri-for) CSP directive so you don't load resources that don't have an SRI hash set.
- [ ] Use random CSRF tokens and expose business logic APIs as HTTP POST requests. Do not expose CSRF tokens over HTTP, for example in an initial request upgrade phase.
- [ ] Do not put critical data or tokens in GET request parameters. Exposure of server logs, or of a machine/stack processing them, would expose user data in turn.


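A small auditor for the header items in this section, added here as a Python example (not part of the checklist). The header values in `RECOMMENDED_HEADERS` are this example's choices; the one-year `max-age` floor is the current hstspreload.org submission requirement. The sample responses are constructed.

```python
import re

# One concrete header set that satisfies this section; the values are this
# example's choices, not prescribed by the checklist.
RECOMMENDED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
}
COOKIE_FLAGS = ("secure", "httponly", "samesite")
PRELOAD_MIN_MAX_AGE = 31536000   # one year, per the hstspreload.org submission rules

# Constructed sample of a response that fails most of the checks.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/"),
]


def audit_response(headers):
    """headers: list of (name, value) pairs as the server sends them (repeated
    Set-Cookie is fine). Returns a list of findings; empty means every header
    item in this section is satisfied."""
    findings = []
    present = {}
    for name, value in headers:
        present.setdefault(name.lower(), []).append(value)

    for name in RECOMMENDED_HEADERS:
        if name.lower() not in present:
            findings.append(f"missing {name}")

    # HSTS: check it is strong enough to be accepted on the preload list.
    for hsts in present.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        age = int(m.group(1)) if m else 0
        if age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {age} is below the preload minimum")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains (required for preload)")
        if "preload" not in hsts.lower():
            findings.append("HSTS lacks preload directive")

    # CSP: a policy that allows inline script gives up most of its XSS value.
    for csp in present.get("content-security-policy", []):
        if "'unsafe-inline'" in csp:
            findings.append("CSP allows 'unsafe-inline'")

    # Cookies: Secure, HttpOnly and SameSite on every Set-Cookie.
    for raw in present.get("set-cookie", []):
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


def secure_response():
    """The recommended header set plus a correctly flagged session cookie."""
    return list(RECOMMENDED_HEADERS.items()) + [
        ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Strict; Path=/")
    ]
```

Run `audit_response` against the headers your framework actually emits in an integration test, so a refactor that drops a header fails the build rather than a pentest.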
##### SANITIZATION OF INPUT
- [ ] `Sanitize` all user inputs and any input parameters exposed to the user to prevent [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting).
- [ ] Always use parameterized queries to prevent [SQL Injection](https://en.wikipedia.org/wiki/SQL_injection).
- [ ] Sanitize user input if using it directly for functionality like CSV import.
- [ ] `Sanitize` user input for special cases such as `robots.txt` used as a profile name, in case you are using a URL pattern like `coolcorp.io/username`.
- [ ] Do not hand-code or build JSON by string concatenation, ever, no matter how small the object is. Use your language's libraries or your framework.
- [ ] Sanitize inputs that take some sort of URL to prevent [SSRF](https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#heading=h.t4tsk5ixehdd).
- [ ] Sanitize outputs before displaying them to users.

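The parameterized-query, reserved-username and output-sanitization items above, as an added Python example using the standard library's `sqlite3` (not code from the checklist). The table, the reserved-name list and the username pattern are constructed for the example; `find_user_unsafe` is kept only as the 'before' that the parameterized version replaces.

```python
import html
import re
import sqlite3


def make_db():
    """Constructed sample database for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_unsafe(conn, name):
    """The 'before': the query is built by concatenation, so the input can
    change the query's structure instead of just its value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """The fix: a parameterized query. The driver passes the value separately,
    so it is only ever compared, never parsed as SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Names that would collide with well-known paths under a coolcorp.io/<username>
# scheme. Constructed list; extend it with your own routes.
RESERVED_NAMES = {"robots.txt", "sitemap.xml", "favicon.ico", "admin", "api",
                  "me", "login", "logout", "static"}
# Allowlist the shape: lowercase alphanumerics, '_' and '-', no dots or slashes,
# no leading dash, 3 to 32 characters. Hypothetical policy for the example.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9_-]{2,31}$")


def valid_username(name):
    """Shape check first, then reject reserved names case-insensitively."""
    lowered = name.lower()
    return bool(USERNAME_RE.fullmatch(lowered)) and lowered not in RESERVED_NAMES


def render_greeting(name):
    """Output sanitization: escape at the point of display, so a stored name
    such as <script> is rendered as text rather than interpreted as HTML."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

Note that the allowlist on its own already rejects `robots.txt` (it contains a dot); the reserved list is there for names like `admin` or `api` that are well-formed but still collide with routes.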
##### OPERATIONS
- [ ] If you are small and inexperienced, evaluate using AWS Elastic Beanstalk or a PaaS to run your code.
- [ ] Use a decent provisioning script to create VMs in the cloud.
- [ ] Check for machines with unwanted publicly `open ports`.
- [ ] Check for missing or default passwords on `databases`, especially MongoDB and Redis.
- [ ] Use SSH to access your machines; do not set up a password, use SSH key-based authentication instead.
- [ ] Install updates promptly to act on zero-day vulnerabilities like Heartbleed and Shellshock.
- [ ] Modify the server config to use TLS 1.2 for HTTPS and disable all other schemes. (The tradeoff is good.)
- [ ] Do not leave DEBUG mode on. In some frameworks, DEBUG mode can give access to a full-fledged REPL or shell, or expose critical data in error messages and stack traces.
- [ ] Be prepared for bad actors and DDoS: use a hosting service that has DDoS mitigation.
- [ ] Set up monitoring for your systems, and log things (use [New Relic](https://newrelic.com/) or something like that).
- [ ] If developing for enterprise customers, adhere to compliance requirements. If using AWS S3, consider using the feature to [encrypt data](http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html). If using AWS EC2, consider using encrypted volumes (even boot volumes can be encrypted now).

##### PEOPLE
- [ ] Set up an email (e.g. security@coolcorp.io) and a page for security researchers to report vulnerabilities.
- [ ] Depending on what you are making, limit access to your user databases.
- [ ] Be polite to bug reporters.
- [ ] Have your code reviewed by a fellow developer from a secure coding perspective. (More eyes.)
- [ ] In case of a hack or data breach, check previous logs for data access and ask people to change their passwords. You might require an audit by external agencies depending on where you are incorporated.
- [ ] Set up [Netflix's Scumblr](https://github.com/Netflix/Scumblr) to hear about discussions of your organization on social platforms and Google search.