A practical security guide for web developers

The intended audience

Security issues happen for two reasons –

  1. Developers who have just started and cannot really tell a difference between using MD5 or bcrypt.
  2. Developers who know stuff but forget/ignore them.

Our detailed explanations should help the first type while we hope our checklist helps the second one create more secure systems. This is by no means a comprehensive guide, it just covers stuff based on the most common issues we have discovered in the past.


  1. The Security Checklist
  2. What can go wrong?
  3. Securely transporting stuff: HTTPS explained
  4. I am who I say I am: Authentication
    4.1 Form based authentication
    4.2 Basic authentication
    4.3 One is not enough, 2 factor, 3 factor, ….
    4.4 Why use insecure text messages? Introducing HOTP & TOTP
    4.5 Handling password resets
  5. What am I allowed to do?: Authorization
    5.1 Token based Authorization
    5.2 OAuth & OAuth2
    5.3 JWT
  6. Trust no one: User Inputs are evil
    6.1 Sanitizing Inputs
    6.2 Sanitizing Outputs
    6.3 Cross Site Scripting
    6.4 Injection Attacks
    6.5 User uploads
    6.6 Tamper-proof user inputs
  7. Plaintext != Encoding != Encryption != Hashing
    7.1 Common encoding schemes
    7.2 Encyption
    7.3 Hashing & One way functions
    7.4 Hashing speeds cheatsheet
  8. dadada, 123456, cute@123: Passwords
    8.1 Password policies
    8.2 Storing passwords
    8.3 Life without passwords
  9. Public Key Cryptography
  10. Remember me, please: Handling Sessions
    10.1 Where to save state?
    10.2 Invalidating sessions
    10.3 Cookie monster & you
  11. Fixing security, one header at a time
    11.1 Secure web headers
    11.2 Data integrity check for 3rd party code
    11.3 Certificate Pinning
  12. Configuration mistakes
    12.0 Provisoning in cloud: Ports, Shodan & AWS
    12.1 Honey, you left the debug mode on
    12.2 Logging (or not logging)
    12.3 Monitoring
    12.4 Principle of least privilege
    12.5 Rate limiting & Captchas
    12.6 Storing project secrets and passwords in a file
    12.7 DNS: Of subdomains and forgotten pet-projects
    12.7 Patching & Updates
  13. When the bad guys arrive: Attacks
    13.1 Clickjacking
    13.2 Cross Site Request Forgery
    13.3 Denial of Service
    13.4 Server Side Request Forgery
  14. Stats about vulnerabilities discovered in Internet Companies
  15. On reinventing the wheel, and making it square
    15.1 Security libraries and packages for Python
    15.2 Security libraries and packages for Node/JS
    15.3 Learning resources
  16. Maintaining a good security hygiene
  17. Security Vs Usability
  18. Back to Square 1: The Security Checklist explained


taken from : https://github.com/FallibleInc/security-guide-for-developers


About onolinus

Another Shinobi from Pahae........
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s