---
title: Enforce Access Controls Checklist
layout: col-document
tags: OWASP Developer Guide
contributors: Jon Gadsden
document: OWASP Developer Guide
order: 627
permalink: /draft/design/web_app_checklist/access_controls/
---

Access control (or authorization) is the process of granting or denying specific requests from a user, program, or process.

Refer to proactive control C7: Enforce Access Controls from the OWASP Top 10 Proactive Controls project for more context, and use the list below as a starting point for a checklist tailored to the individual project.

- Design access control / authorization thoroughly up front, rather than retrofitting it
- Force all requests to go through access control checks unless they are explicitly public
- Deny by default: if a request is not specifically allowed then it is denied
- Apply least privilege, granting only the access that is necessary
- Log all authorization events, both granted and denied
- Enforce authorization controls on every request, not only at login or when a page is first loaded
- Use only trusted system objects, such as server-side session data, for making access authorization decisions; never rely on identifiers or roles supplied by the client
- Use a single site-wide component to check access authorization
- Access controls should fail securely: an error during the check results in denial, never in access
- Deny all access if the application cannot access its security configuration information
- Segregate privileged logic from other application code
- Limit the number of transactions a single user or device can perform in a given period of time, low enough to deter automated attacks but above the actual business requirement
- If long authenticated sessions are allowed, periodically re-validate a user's authorization
- Implement account auditing and enforce the disabling of unused accounts
- The application must support termination of sessions when authorization ceases

Further reading from OWASP:

- OWASP Cheat Sheet: Authorization
- OWASP Top 10 Proactive Controls
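The checklist above describes a single site-wide authorization component in prose. The following is an added example, not code from the OWASP Developer Guide or any OWASP project, that puts several of the items into working Python: one `AccessController` that every request passes through, deny by default, decisions made only from trusted server-side objects, fail-closed error handling, denial of all access when the policy configuration is missing, per-user rate limiting, and logging of every decision. The policy table, the `Principal` and `Resource` objects, the `invoice` resource kind and the role names are constructed for the example and are assumptions, not anything the guide specifies.

```python
# Added example, not the OWASP Developer Guide's own code: one site-wide authorization
# component that every request passes through. Policy, principals and resources are
# constructed here; Principal models server-side session data and Resource.owner_id a
# value read from the data store, never anything supplied by the client.
import logging
import time
from collections import defaultdict, deque, namedtuple

log = logging.getLogger("authz")

Principal = namedtuple("Principal", "user_id roles")  # trusted: from the server-side session
Resource = namedtuple("Resource", "kind owner_id")    # trusted: owner_id from the data store
Decision = namedtuple("Decision", "allowed reason")


class PolicyUnavailable(Exception):
    """Raised when the security configuration cannot be loaded."""


# Constructed policy: (action, resource kind) -> roles allowed to perform it.
# "owner" is a pseudo-role granted when the principal owns the resource.
POLICY = {
    ("read", "invoice"): {"owner", "auditor", "admin"},
    ("update", "invoice"): {"owner", "admin"},
    ("delete", "invoice"): {"admin"},
}
PUBLIC = {("read", "pricing")}  # the only requests that skip the check


class AccessController:
    def __init__(self, policy, public, rate_limit=5, window_s=60.0, clock=time.monotonic):
        if not policy:  # deny everything if the configuration is missing
            raise PolicyUnavailable("authorization policy could not be loaded")
        self._policy = dict(policy)
        self._public = set(public)
        self._rate_limit = rate_limit
        self._window = window_s
        self._clock = clock
        self._history = defaultdict(deque)  # user_id -> timestamps of recent checks

    def check(self, principal, action, resource):
        """Single entry point; any failure inside the check denies access and is logged."""
        who = getattr(principal, "user_id", "anonymous")
        try:
            decision = self._decide(principal, action, resource)
        except Exception as exc:  # fail closed, never open
            log.error("authz error user=%s action=%s: %r", who, action, exc)
            decision = Decision(False, "error")
        log.info("authz user=%s action=%s kind=%s allowed=%s reason=%s", who, action,
                 getattr(resource, "kind", None), decision.allowed, decision.reason)
        return decision

    def _decide(self, principal, action, resource):
        key = (action, resource.kind)
        if key in self._public:
            return Decision(True, "public")
        if principal is None:
            return Decision(False, "unauthenticated")
        if self._over_rate_limit(principal.user_id):
            return Decision(False, "rate_limited")
        allowed_roles = self._policy.get(key)
        if allowed_roles is None:
            return Decision(False, "no_rule")  # deny by default
        effective = set(principal.roles)
        if resource.owner_id == principal.user_id:
            effective.add("owner")
        if effective & allowed_roles:
            return Decision(True, "permitted")
        return Decision(False, "insufficient_role")

    def _over_rate_limit(self, user_id):
        now = self._clock()
        recent = self._history[user_id]
        while recent and now - recent[0] > self._window:
            recent.popleft()  # drop checks that fell outside the sliding window
        if len(recent) >= self._rate_limit:
            return True
        recent.append(now)
        return False


def demo():
    """Run a constructed request sequence against a fake clock and return the decisions."""
    t = [0.0]
    ac = AccessController(POLICY, PUBLIC, rate_limit=3, window_s=60.0, clock=lambda: t[0])
    alice = Principal("alice", frozenset({"customer"}))
    own, other = Resource("invoice", "alice"), Resource("invoice", "carol")
    r = {}
    r["public"] = ac.check(None, "read", Resource("pricing", ""))
    r["anon"] = ac.check(None, "read", own)
    r["owner_read"] = ac.check(alice, "read", own)
    r["owner_delete"] = ac.check(alice, "delete", own)
    r["other_read"] = ac.check(alice, "read", other)
    r["fourth"] = ac.check(alice, "read", own)  # fourth check inside one window
    t[0] = 61.0  # the window has expired
    r["after_window"] = ac.check(alice, "read", own)
    r["no_rule"] = ac.check(alice, "export", own)
    r["bad_input"] = ac.check(alice, "read", None)
    return r


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, d in demo().items():
        print(f"{name:13} allowed={d.allowed!s:5} reason={d.reason}")
```

Run the file to see the logged decision for each constructed request; the fake clock passed to `AccessController` makes the rate-limit window deterministic. Note the order inside `_decide`: the public-route check is the only path that returns before the principal is examined, the rate-limit check runs before the policy lookup so that a flood of denied requests is throttled as well, and an action with no matching rule (`export`) is refused without any special case because nothing grants it.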
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.