forked from shieldfy/API-Security-Checklist
Christian Illies authored and committed, Jul 20, 2017
1 parent 593fa75, commit 8e32405
Showing 14 changed files with 53 additions and 54 deletions.
@@ -12,57 +12,56 @@ Checkliste für die wichtigsten Sicherheitsmaßnahmen beim Designen, Testen und | |
- [ ] Nutze Verschlüsselung für alle sensitiven Daten. | ||
|
||
### JWT (JSON Web Token) | ||
- [ ] Use a random complicated key (`JWT Secret`) to make brute forcing the token very hard. | ||
- [ ] Don't extract the algorithm from the payload. Force the algorithm in the backend (`HS256` or `RS256`). | ||
- [ ] Make token expiration (`TTL`, `RTTL`) as short as possible. | ||
- [ ] Don't store sensitive data in the JWT payload, it can be decoded [easily](https://jwt.io/#debugger-io). | ||
- [ ] Verwende einen per Zufall generierten, komplizierten Schlüssel (`JWT Secret`), um Brute Force Attacken gegen diesen so schwer wie möglich zu machen. | ||
- [ ] Verwende den Algorithmus des Payloads ausschließlich über das Backend, sodass dieser geheim bleibt (`HS256` or `RS256`). | ||
- [ ] Lege einen möglichst kurzen Gültigkeitszeitraum für den Token fest (`TTL`, `RTTL`). | ||
- [ ] Speichere keine sensitiven Daten im JWT Payload, denn dieser kann [einfach entkodiert werden](https://jwt.io/#debugger-io). | ||
|
||
### OAuth | ||
- [ ] Always validate `redirect_uri` server-side to allow only whitelisted URLs. | ||
- [ ] Always try to exchange for code and not tokens (don't allow `response_type=token`). | ||
- [ ] Use `state` parameter with a random hash to prevent CSRF on the OAuth authentication process. | ||
- [ ] Define the default scope, and validate scope parameters for each application. | ||
- [ ] Überprüfe stets die `redirect_uri` serverseitig und erlaube nur URLs aus einer Whitelist. | ||
- [ ] Frage immer mit einem Access-Code (vom initialen Request) einen Access-Token ab (verbiete `response_type=token`). | ||
- [ ] Nutze den `state` Parameter immer mit einem zufälligem Hash, um CSRF auf den OAuth Authentifizierungsprozess zu verhindern. | ||
- [ ] Definiere einen Standard-Scope und validiere alle Scope Parameter für jede Applikation. | ||
|
||
## Access | ||
- [ ] Limit requests (Throttling) to avoid DDoS / brute-force attacks. | ||
- [ ] Use HTTPS on server side to avoid MITM (Man In The Middle Attack). | ||
- [ ] Use `HSTS` header with SSL to avoid SSL Strip attack. | ||
## Zugriff | ||
- [ ] Limitiere alle Requests (Throttling), um DDoS / Brute-Force Attacken zu verhindern. | ||
- [ ] Nutze HTTPS serverseitig, um MITM (Man In The Middle Attack) zu verhindern. | ||
- [ ] Setze `HSTS` (HTTP Strict Transport Security) im Header bei SSL, um SSLStrip Attacken zu verhindern. | ||
|
||
## Input | ||
- [ ] Use the proper HTTP method according to the operation: `GET (read)`, `POST (create)`, `PUT/PATCH (replace/update)`, and `DELETE (to delete a record)`, and respond with `405 Method Not Allowed` if the requested method isn't appropriate for the requested resource. | ||
- [ ] Validate `content-type` on request Accept header (Content Negotiation) to allow only your supported format (e.g. `application/xml`, `application/json`, etc) and respond with `406 Not Acceptable` response if not matched. | ||
- [ ] Validate `content-type` of posted data as you accept (e.g. `application/x-www-form-urlencoded`, `multipart/form-data`, `application/json`, etc). | ||
- [ ] Validate User input to avoid common vulnerabilities (e.g. `XSS`, `SQL-Injection`, `Remote Code Execution`, etc). | ||
- [ ] Don't use any sensitive data (`credentials`, `Passwords`, `security tokens`, or `API keys`) in the URL, but use standard Authorization header. | ||
- [ ] Use an API Gateway service to enable caching, Rate Limit policies (e.g. `Quota`, `Spike Arrest`, `Concurrent Rate Limit`) and deploy APIs resources dynamically. | ||
- [ ] Nutze für Requests die passenden HTTP Methoden: `GET (Lesen)`, `POST (Erzeugen)`, `PUT/PATCH (Ersetzen/Aktualisieren)`, and `DELETE (Datensatz löschen)`, und gib `405 Method Not Allowed`, wenn die angeforderte Methode nicht auf die Ressource passt. | ||
- [ ] Validiere den `content-type` im "Accept" Header der Anfrage und erlaube nur unterstützte Formate (wie `application/xml`, `application/json`, etc.). Gib den Response `406 Not Acceptable` zurück, wenn keine der übergebenen Content-Typen unterstützt wird. | ||
- [ ] Validiere den `Content-Type` im Header der Anfrage für übertragene Daten (bspw. POST oder PUT) wie bspw. `application/x-www-form-urlencoded`, `multipart/form-data`, `application/json`, usw. | ||
- [ ] Validiere immer alle Eingaben im Request und allen Parametern um allgemeine Angriffsmöglichkeiten zu verhindern (bspw. `XSS`, `SQL-Injection`, `Remote Code Execution`, etc.). | ||
- [ ] Verwende niemals sensitive Daten (`Anmeldedaten`, `Passwörter`, `Security Tokens`, oder `API-Schlüssel`) in der URL, aber nutze den standardisierten "Authorization" Header. | ||
- [ ] Nutze ein API Gateway Service für Caching, Rate Limit Regeln (bspw. `Quota`, `Spike Arrest`, `Concurrent Rate Limit`) und der Bereitstellung dynamischer API Ressourcen. | ||
|
||
## Processing | ||
- [ ] Check if all the endpoints are protected behind authentication to avoid broken authentication process. | ||
- [ ] User own resource ID should be avoided. Use `/me/orders` instead of `/user/654321/orders`. | ||
- [ ] Don't auto-increment IDs. Use `UUID` instead. | ||
- [ ] If you are parsing XML files, make sure entity parsing is not enabled to avoid `XXE` (XML external entity attack). | ||
- [ ] If you are parsing XML files, make sure entity expansion is not enabled to avoid `Billion Laughs/XML bomb` via exponential entity expansion attack. | ||
- [ ] Use CDN for file uploads. | ||
- [ ] If you are dealing with huge amount of data, use Workers and Queues to process as much as possible in background and return response fast to avoid HTTP Blocking. | ||
- [ ] Do not forget to turn the DEBUG mode OFF. | ||
## Verarbeitung | ||
- [ ] Überprüfe, ob alle Endpunkte mit einer Authentifizierung geschützt sind. | ||
- [ ] Nutzereigene Ressourcen-Ids sollten vermieden werden. Verwende `/me/orders` statt `/user/654321/orders`. | ||
- [ ] Verwende keine automatisch hochzählende IDs, sondern `UUID`, damit Ressourcen nicht einfach erraten werden können. | ||
- [ ] Beim Verarbeiten einer XML-Datei, sollte Entitätsverarbeitung deaktiviert sein, um `XXE` (XML External Entity Attacken) zu verhindern. | ||
- [ ] Beim Verarbeiten einer XML-Datei, sollte Entitätsexpansion deaktiviert sein, um `Billion Laughs/XML Bombe` zu verhindern. | ||
- [ ] Nutze CDN für Dateiuploads. | ||
- [ ] Wenn du eine große Menge an Daten verarbeiten musst, nutze Worker und Queues, um so viel wie möglich im Hintergrund zu verarbeiten und schnelle Antwortzeiten zu gewährleisten. | ||
- [ ] Vergiss nicht den DEBUG Modus zu deaktivieren. | ||
|
||
## Output | ||
- [ ] Send `X-Content-Type-Options: nosniff` header. | ||
- [ ] Send `X-Frame-Options: deny` header. | ||
- [ ] Send `Content-Security-Policy: default-src 'none'` header. | ||
- [ ] Remove fingerprinting headers - `X-Powered-By`, `Server`, `X-AspNet-Version` etc. | ||
- [ ] Force `content-type` for your response, if you return `application/json` then your response `content-type` is `application/json`. | ||
- [ ] Don't return sensitive data like `credentials`, `Passwords`, `security tokens`. | ||
- [ ] Return the proper status code according to the operation completed. (e.g. `200 OK`, `400 Bad Request`, `401 Unauthorized`, `405 Method Not Allowed`, etc). | ||
|
||
## CI & CD | ||
- [ ] Audit your design and implementation with unit/integration tests coverage. | ||
- [ ] Use a code review process and disregard self-approval. | ||
- [ ] Ensure that all components of your services are statically scanned by AV software before push to production, including vendor libraries and other dependencies. | ||
- [ ] Design a rollback solution for deployments. | ||
- [ ] Sende `X-Content-Type-Options: nosniff` im Header. | ||
- [ ] Sende `X-Frame-Options: deny` im Header. | ||
- [ ] Sende `Content-Security-Policy: default-src 'none'` im Header. | ||
- [ ] Entferne Header wie `X-Powered-By`, `Server`, `X-AspNet-Version` etc., um eventuell veraltete Softwareversionen nicht zu verraten. | ||
- [ ] Sende immer einen `Content-Type` bei Antworten. Wenn du ein JSON lieferst gib als `Content-Type` `application/json` an. | ||
- [ ] Gib niemals sensitive Daten zurück wie `Anmeldedaten`, `Passwörter` oder `Sicherheitsschlüssel`. | ||
- [ ] Verwende immer einen passenden HTTP Statuscode je nach Status der Operation (bspw. `200 OK`, `400 Bad Request`, `401 Unauthorized`, `405 Method Not Allowed`, etc.). | ||
|
||
## Kontinuierliche Integration (CI) & Continuous Delivery (CD) | ||
- [ ] Nutze Unit- und Integrationstest und deren Abdeckung (Test Coverage), um deine Implementierungen und Design zu kontrollieren. | ||
- [ ] Nutze einen Code Review Prozess, aber bleib sachlich. | ||
- [ ] Stelle sicher, dass alle verwendeten Komponenten (Bibliotheken und alle anderen Abhängigkeiten) noch einmal statich von einer Anti-Virus Software überprüft wurden bevor diese in die Produktionsumgebung gehen. | ||
- [ ] Stelle sicher, dass du im Fehlerfall auch schnell wieder den vorherigen Stand einspielen kannst (Rollback). | ||
|
||
------------------------------------------------------------------------------ | ||
|
||
# Contribution | ||
Feel free to contribute by forking this repository, making some changes, and submitting pull requests. For any questions drop us an email at `[email protected]`. | ||
Du kannst gerne etwas beisteuern, indem du einen Fork dieses Repositorys erstellst, Änderungen vornimmst und dann einen Pull Request anlegst. Bei Fragen schick uns eine E-Mail an `[email protected]`. |
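Review bot: the German replacement for the JWT algorithm item inverts the original's meaning. The English line being removed (`Don't extract the algorithm from the payload. Force the algorithm in the backend (`HS256` or `RS256`)`) says the verifier must never take the algorithm from the token itself and must fix it in the backend; the German line added in its place (`Verwende den Algorithmus des Payloads ausschließlich über das Backend, sodass dieser geheim bleibt`) tells the reader to use the payload's algorithm via the backend "so that it stays secret", which drops the check entirely and implies the algorithm is a secret, which it is not. Suggest something like `Übernimm den Algorithmus niemals aus dem Token. Lege ihn fest im Backend fest (`HS256` oder `RS256`).` Smaller points in the same hunk: the CI & CD item `Use a code review process and disregard self-approval` became `Nutze einen Code Review Prozess, aber bleib sachlich` ("but stay objective"), which loses the rule that an author must not approve their own change, e.g. `und erlaube keine Freigabe durch den Autor selbst`; `statich` in the anti-virus item should be `statisch`; the English connectives `or` and `and` survive untranslated in the JWT algorithm line (`HS256` or `RS256`) and the HTTP methods line (`, and `DELETE (Datensatz löschen)``); the German items for the Output section (starting at `Sende X-Content-Type-Options: nosniff im Header.`) carry no heading while the Access, Processing and CI & CD blocks got `## Zugriff`, `## Verarbeitung` and `## Kontinuierliche Integration (CI) & Continuous Delivery (CD)`, so if `## Output` is being replaced rather than kept, add a `## Ausgabe` heading before them; and `Access-Code` in the OAuth item is not the standard term, `Authorization Code` would match the spec and the English line it replaces.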