-[ ] Use HTTPS on server side to avoid MITM (Man In The Middle Attack).
29
+
-[ ] Use HTTPS on server side to avoid MITM (Man in the Middle Attack).
30
30
-[ ] Use `HSTS` header with SSL to avoid SSL Strip attack.
31
31
32
32
## Input
33
33
-[ ] Use the proper HTTP method according to the operation: `GET (read)`, `POST (create)`, `PUT/PATCH (replace/update)`, and `DELETE (to delete a record)`, and respond with `405 Method Not Allowed` if the requested method isn't appropriate for the requested resource.
34
-
-[ ] Validate `content-type` on request Accept header (Content Negotiation) to allow only your supported format (e.g. `application/xml`, `application/json`, etc) and respond with `406 Not Acceptable` response if not matched.
35
-
-[ ] Validate `content-type` of posted data as you accept (e.g. `application/x-www-form-urlencoded`, `multipart/form-data`, `application/json`, etc).
36
-
-[ ] Validate User input to avoid common vulnerabilities (e.g. `XSS`, `SQL-Injection`, `Remote Code Execution`, etc).
34
+
-[ ] Validate `content-type` on request Accept header (Content Negotiation) to allow only your supported format (e.g. `application/xml`, `application/json`, etc.) and respond with `406 Not Acceptable` response if not matched.
35
+
-[ ] Validate `content-type` of posted data as you accept (e.g. `application/x-www-form-urlencoded`, `multipart/form-data`, `application/json`, etc.).
36
+
-[ ] Validate user input to avoid common vulnerabilities (e.g. `XSS`, `SQL-Injection`, `Remote Code Execution`, etc.).
37
37
-[ ] Don't use any sensitive data (`credentials`, `Passwords`, `security tokens`, or `API keys`) in the URL, but use standard Authorization header.
38
-
-[ ] Use an API Gateway service to enable caching, Rate Limit policies (e.g. `Quota`, `Spike Arrest`, `Concurrent Rate Limit`) and deploy APIs resources dynamically.
38
+
-[ ] Use an API Gateway service to enable caching, Rate Limit policies (e.g. `Quota`, `Spike Arrest`, or `Concurrent Rate Limit`) and deploy APIs resources dynamically.
39
39
40
40
## Processing
41
41
-[ ] Check if all the endpoints are protected behind authentication to avoid broken authentication process.
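Review bot: the content-negotiation item in this hunk still reads "Validate `content-type` on request Accept header", which conflates the request `Content-Type` header with the `Accept` header; since the line is already being touched for the `etc.)` fix, reword it to "Validate the `Accept` header (content negotiation) to allow only your supported formats (e.g. `application/xml`, `application/json`, etc.) and respond with `406 Not Acceptable` if not matched", and leave `content-type` to the following item about posted data, where it belongs. The same hunk lower-cases "user input" but leaves "Rate Limit policies" and "APIs resources" in the gateway item; "rate-limit policies" and "API resources" would match the new casing.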
@@ -51,15 +51,15 @@ Checklist of the most important security countermeasures when designing, testing
-[ ] Remove fingerprinting headers - `X-Powered-By`, `Server`, `X-AspNet-Version` etc.
54
+
-[ ] Remove fingerprinting headers - `X-Powered-By`, `Server`, `X-AspNet-Version`, etc.
55
55
-[ ] Force `content-type` for your response, if you return `application/json` then your response `content-type` is `application/json`.
56
-
-[ ] Don't return sensitive data like `credentials`, `Passwords`, `security tokens`.
57
-
-[ ] Return the proper status code according to the operation completed. (e.g. `200 OK`, `400 Bad Request`, `401 Unauthorized`, `405 Method Not Allowed`, etc).
56
+
-[ ] Don't return sensitive data like `credentials`, `Passwords`, or `security tokens`.
57
+
-[ ] Return the proper status code according to the operation completed. (e.g. `200 OK`, `400 Bad Request`, `401 Unauthorized`, `405 Method Not Allowed`, etc.).
58
58
59
59
## CI & CD
60
60
-[ ] Audit your design and implementation with unit/integration tests coverage.
61
61
-[ ] Use a code review process and disregard self-approval.
62
-
-[ ] Ensure that all components of your services are statically scanned by AV software before push to production, including vendor libraries and other dependencies.
62
+
-[ ] Ensure that all components of your services are statically scanned by AV software before pushing to production, including vendor libraries and other dependencies.
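Review bot: the status-code item in this hunk keeps the stray period before the parenthetical ("according to the operation completed. (e.g. `200 OK`, ... etc.)."); since the line is being edited anyway, drop the first period so it reads "according to the operation completed (e.g. `200 OK`, `400 Bad Request`, `401 Unauthorized`, `405 Method Not Allowed`, etc.)." The fingerprinting-headers item uses a spaced hyphen as a dash ("headers - `X-Powered-By`"); a colon would be consistent with the list style used elsewhere in the checklist.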