prevent username enumeration
cottsak committed Jul 22, 2016
1 parent d44aace commit c47b4ad
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion security-checklist.md
@@ -18,7 +18,7 @@
- [ ] Set an expiration on the reset password token for a reasonable period.
- [ ] Expire the reset token after it has been successfully used.
- [ ] Destroy the logged in user's session everywhere after successful reset of password.

- [ ] Ensure that login and password reset pages prevent [enumeration attacks](https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)).

##### USER DATA & AUTHORIZATION
- [ ] Any resource access like, `my cart`, `my history` should check the logged in user's ownership of the resource using session id.
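Review bot: the new checklist item on "prevent enumeration attacks" names the goal but not the two concrete controls a reader needs to act on it; consider spelling them out in the item itself rather than relying solely on the OWASP link, for example: "return the same message and status code whether or not the account exists, and keep response time consistent for both cases". Registration and "forgot username" pages leak the same information as login and password reset, so the item would be stronger if it listed them too. Also note that the file summary reports 1 addition and 1 deletion, but only the replacement line is visible here, so the wording that was removed cannot be checked from this view.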