Secure coding checklist
I wrote this book so that you can have a bible of application security to use daily in your career. I want this book to contain as many practical scenarios as possible, such as the checklist in this section. Filler words in a book are not my style; I like actions (quick quote: planning without actions is just a dream). The upcoming checklist contains straightforward rules that you can use both as a security guideline for developers and as a checklist for yourself when you manually inspect the source code:
Authentication and credentials management:
√ Authentication credentials must be sent over TLS, never over cleartext HTTP.
√ Authentication must be enforced on all pages, except the ones intended to be public.
√ Error messages (on the login page, reset password page, and registration page) must not disclose information useful for enumeration (for example, revealing whether a username exists).
√ Authentication logic must be validated on the server side.
√ Authentication...
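The following is an added example, not code from the book, showing two of the rules above in a minimal Python login and routing layer: authentication is enforced by default and only an explicit allowlist of public routes skips it, and login failures return one generic message (with a dummy hash computed for unknown usernames) so that neither the text nor the timing of the response reveals which accounts exist. The user store, route names and password values are constructed sample data.

```python
"""Added example: default-deny authentication and non-enumerable login errors."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000
GENERIC_ERROR = "Invalid username or password."  # same text for every failure


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the same work is done for real and dummy users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store (username -> (salt, hash)); not real credentials.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record used for unknown usernames so a missing account does not
# short-circuit the hashing step and leak its absence through timing.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


def login(username: str, password: str) -> Tuple[bool, str]:
    """Server-side check returning (success, message)."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # Constant-time comparison; the membership test guards the dummy path.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return (True, "ok") if ok else (False, GENERIC_ERROR)


# Only these routes are reachable without a session (allowlist, deny by default).
PUBLIC_ROUTES = {"/", "/login", "/register", "/reset-password"}


def dispatch(path: str, session_user: Optional[str]) -> Tuple[int, str]:
    """Every route requires an authenticated session unless allowlisted."""
    if path not in PUBLIC_ROUTES and session_user is None:
        return 401, "authentication required"
    return 200, f"served {path}"
```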