icebreaker-science / backend

The backend (Spring Boot) part of the icebreaker.science application
Apache License 2.0

Security Checklist #78

Open michael-kamel opened 3 years ago

michael-kamel commented 3 years ago

This serves as a checklist for security-related concerns; completed items will be crossed out.

Some points are irrelevant for the current state of the project and can be left out.

Feel free to add, modify or remove anything if you think this should be done.


Refer to OWASP cheat sheets and guidelines for in-depth details. The rules here are not disjoint, in the sense that some mitigations may be relevant for multiple points.

  1. nginx footprints:

    1. remove all traces of technologies used Link
  2. XSS

    1. X-XSS-Protection: 0 (deprecated)
    2. Filenames (don't use, use with caution, or use IDs instead)
  3. Cookies (not very relevant)

    1. HttpOnly header
    2. secure cookie flag
  4. CSRF

    1. CSRF protection is currently disabled, but the token is stored in localStorage
  5. Clickjacking

    1. X-Frame-Options DENY or set in CSP
  6. XST (not very relevant)

    1. disable HTTP TRACE (should be disabled by default).
  7. File Extensions

    1. file extension rules allowed (check them)
    2. verify rules (rules indeed allowed)
  8. SSL

    1. version
    2. algorithm
    3. key length
  9. HSTS

    1. Follow guidelines for setting the HTTP Strict Transport Security
  10. Password quality

    1. rules implemented
    2. rules applied globally
      1. register
      2. reset password
      3. frontend gives feedback
    3. no autocomplete on the frontend
  11. Invalidate user token

    1. logout
    2. account deletion
    3. reset password
  12. Data Validation

    1. malicious data input can cause the logic to be used in an unintended way
      • in general, restrict input data as much as possible without risking UX
    2. tokens generated are cryptographically secure
    3. salts are used
    4. sanitise file names if needed
  13. CORS

    1. same origin in production
  14. CSP

    1. Set CSP
  15. Emails

    1. Sanitize
    2. Prevent links in email or put a warning sign on mails that contain links
  16. MISC

    1. X-Content-Type-Options nosniff
    2. Rate limits.
    3. Prevent login spam
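Added example, not code from the icebreaker-science repository: a Spring Security 6 / Spring Boot 3 filter chain that implements the header-related items of the checklist above (2.1 X-XSS-Protection: 0, 4 CSRF off for the bearer-token API, 5 X-Frame-Options DENY, 9 HSTS, 13 same-origin CORS, 14 CSP, 16.1 nosniff). The package name, the production origin `https://icebreaker.science`, and the `/api/auth/**` path are assumptions.

```java
// Hypothetical configuration class; not part of the icebreaker.science backend.
package science.icebreaker.security;

import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class SecurityHeadersConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Item 4: the API is stateless and the frontend sends the token from
            // localStorage in an Authorization header, so the browser never attaches
            // credentials automatically and CSRF protection can stay off. This is only
            // safe as long as the backend issues no session or auth cookie.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Item 13: only the production frontend origin may make cross-origin calls.
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .headers(headers -> headers
                // Item 5: clickjacking. DENY, plus frame-ancestors in the CSP below.
                .frameOptions(frame -> frame.deny())
                // Item 16.1: X-Content-Type-Options: nosniff.
                .contentTypeOptions(Customizer.withDefaults())
                // Item 2.1: OWASP now recommends X-XSS-Protection: 0. Disable Spring's own
                // writer and emit the literal value so the result does not depend on which
                // default the installed Spring Security version ships.
                .xssProtection(xss -> xss.disable())
                .addHeaderWriter(new StaticHeadersWriter("X-XSS-Protection", "0"))
                // Item 9: HSTS, one year, subdomains included, preload-eligible.
                .httpStrictTransportSecurity(hsts -> hsts
                    .includeSubDomains(true)
                    .preload(true)
                    .maxAgeInSeconds(31536000))
                // Item 14: a restrictive CSP for a JSON API that serves no HTML itself.
                .contentSecurityPolicy(csp -> csp.policyDirectives(
                    "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'")))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/api/auth/**").permitAll()   // assumed login/register paths
                .anyRequest().authenticated());
        return http.build();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration config = new CorsConfiguration();
        config.setAllowedOrigins(List.of("https://icebreaker.science")); // assumed production origin
        config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        config.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", config);
        return source;
    }
}
```

Two checks worth doing after applying this. Spring's HSTS writer only emits the header when `request.isSecure()` is true; behind nginx terminating TLS that is false unless `server.forward-headers-strategy=native` (or `framework`) is set so `X-Forwarded-Proto` is honoured, otherwise the header silently never appears, so curl the deployed host and confirm it. For item 1, `server_tokens off;` in the nginx config removes the version from the `Server` header and error pages; dropping the header entirely needs the headers-more module.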
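A second added example, also not from the project, for items 10 to 12: one password policy shared by the register and reset-password flows, a 256-bit bearer token from `SecureRandom`, bcrypt with its built-in per-password salt, and token revocation on logout, account deletion and password reset. The class name, the policy values, and the deny-list entries are assumptions; it assumes Java 17 and the `spring-security-crypto` module.

```java
// Hypothetical helper class; names, limits and the deny-list are assumptions.
package science.icebreaker.security;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HexFormat;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public final class CredentialService {

    // Item 10: one policy object, used by register and reset-password alike (10.2),
    // so the rules cannot drift between the two endpoints. Limits are assumptions;
    // length plus a breached-password check is what OWASP recommends, not composition rules.
    private static final int MIN_LENGTH = 12;
    private static final int MAX_LENGTH = 128;
    // Constructed stand-in for a breached-password corpus.
    private static final Set<String> DENY_LIST = Set.of("password1234", "icebreaker123", "qwertyuiop12");

    // Item 12.2: SecureRandom, never java.util.Random, for anything that must be unguessable.
    private static final SecureRandom RNG = new SecureRandom();

    // Item 12.3: bcrypt draws a fresh random salt per password and embeds it in the
    // encoded string, so no separate salt column or manual salting is required.
    private static final PasswordEncoder ENCODER = new BCryptPasswordEncoder(12);

    // Item 11: live tokens, keyed by SHA-256(token) -> userId. Only the hash is stored,
    // so a leaked table does not hand out usable tokens; the raw token lives only in the client.
    private final Map<String, String> activeTokens = new ConcurrentHashMap<>();

    /** Empty list means acceptable; the messages are what the frontend shows (item 10.2.3). */
    public static List<String> passwordViolations(String password) {
        List<String> violations = new ArrayList<>();
        if (password == null || password.length() < MIN_LENGTH) {
            violations.add("Password must be at least " + MIN_LENGTH + " characters.");
            return violations;
        }
        if (password.length() > MAX_LENGTH) {
            violations.add("Password must be at most " + MAX_LENGTH + " characters.");
        }
        if (DENY_LIST.contains(password.toLowerCase())) {
            violations.add("Password is too common.");
        }
        return violations;
    }

    public static String hashPassword(String password) {
        return ENCODER.encode(password);
    }

    public static boolean passwordMatches(String password, String storedHash) {
        return ENCODER.matches(password, storedHash);
    }

    /** Issues a 256-bit random bearer token for a user and records its fingerprint. */
    public String issueToken(String userId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        activeTokens.put(fingerprint(token), userId);
        return token;
    }

    /** Resolves a presented token to a user id, or null if unknown or revoked. */
    public String userForToken(String token) {
        return activeTokens.get(fingerprint(token));
    }

    /** Item 11.1: logout revokes only the presented token. */
    public void revoke(String token) {
        activeTokens.remove(fingerprint(token));
    }

    /** Items 11.2 and 11.3: account deletion and password reset revoke every token of the user. */
    public void revokeAllFor(String userId) {
        activeTokens.values().removeIf(userId::equals);
    }

    private static String fingerprint(String token) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return HexFormat.of().formatHex(sha256.digest(token.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

A reset-password handler then runs `passwordViolations`, stores `hashPassword(newPassword)`, and calls `revokeAllFor(userId)` so any token held by whoever triggered the reset stops working. Looking tokens up by hash in a map avoids comparing raw secrets; if a raw comparison is ever needed, use `MessageDigest.isEqual` rather than `String.equals` so the comparison is constant-time.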