
Application Security Tips of the Week


Log Unusual Activity
What to Do Log unusual activity. Why Unusual activity may be an indication that an attack is in progress. How Perform the following actions to impleme...
Enforce Strong Password Requirements
Applies to PHP What to Do Enforce strong password requirements. Why Requiring strong passwords prevents weak passwords from being used. Using strong ...
Use Positive Input Validation
What to Do Validate all user input by using white-list/positive input validation. White-list input validation means allowing only input that is explic...
Prevent Information Disclosure in Error Messages
What to Do Ensure that error messages only contain minimal details that are useful to the intended audience, and nobody else. The messages need to str...
Implement Authentication Controls to Fail Securely
What to Do Make sure authentication controls fail securely. Why Designing authentication to fail securely when abnormal conditions occur reduces the r...
Hash And Salt Passwords
Applies to PHP What to Do Hash and salt stored passwords. Why Storing hashes instead of plain-text passwords assures that an attacker cannot easily r...
Force Password Renewal
What to Do Force users to renew their passwords after a given period of time. Why Forcing users to renew their passwords reduces the risk of valid cre...
Include Unique Tokens in HTTP Requests
What to Do Include unique tokens in HTTP requests when performing sensitive operations to prevent Cross-Site Request Forgery (CSRF). Why CSRF may be p...
Use Only Strong SSL Algorithms
Applies to Apache What to Do Configure Apache to use only strong SSL algorithms. Why Using strong encryption algorithms with SSL helps reduce the ris...
Force Reauthentication for Sensitive Operations
What to Do Force the user to re-authenticate when executing security-critical functionality including, but not limited to, change of password, account...