OWASP ASVS Level 1 baseline
A condensed checklist based on the OWASP Application Security Verification Standard (ASVS) Level 1 — the minimum bar every application should meet. Suitable for first-pass verification or external black-box testing.
- 46 items
- 10 sections
- Reusable template
## Architecture and design
- [ ] All app components have a defined trust boundary and threat model
- [ ] All sensitive data flows are documented and reviewed
- [ ] High-value business logic has documented abuse cases
- [ ] Security requirements are written into user stories and acceptance criteria
## Authentication
- [ ] All non-public pages require authentication
- [ ] Passwords must be at least 12 characters; passwords of at least 64 characters are accepted, and only those over 128 characters are rejected (ASVS 4.0 V2.1.1 and V2.1.2)
- [ ] Passwords are checked against a breached-password list
- [ ] Failed login attempts are rate-limited or progressively delayed
- [ ] Authentication errors give no hint about which factor failed
- [ ] Multi-factor authentication is offered for all users
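The Authentication items above, worked through in Python as an added example (this is not code from the ASVS, Checksy or the checklist's author). The user store, the breached-hash set and the delay schedule are constructed for the demo; a real deployment would back the breach check with the Pwned Passwords range API and persist failure counters outside the process.

```python
# Added example (not from the ASVS or this checklist's author): password policy,
# breached-password check, progressive delay and a uniform failure message.
# The user store, the breached-hash set and the delay schedule are constructed
# for the demo.
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 12, 128      # ASVS 4.0: at least 12, accept 64+, reject over 128
GENERIC_FAILURE = "Invalid username or password"

# Constructed stand-in for a breached-password corpus, keyed by upper-case SHA-1
# the way Pwned Passwords is. In production query the k-anonymity range API.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password12345", "Winter2024!!!!")
}


def password_policy_errors(pw: str) -> list:
    """Return the policy violations for a candidate password (empty = acceptable)."""
    errors = []
    if len(pw) < MIN_LEN:
        errors.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        errors.append("longer than %d characters" % MAX_LEN)
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        errors.append("appears in a breached-password list")
    return errors


def _scrypt(pw: str, salt: bytes) -> bytes:
    # Adaptive hash; parameters kept modest so the demo runs quickly.
    return hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)


def make_user(pw: str) -> dict:
    """Build a stored credential record (constructed helper for the demo)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _scrypt(pw, salt)}


class Authenticator:
    """Verifies credentials with one error message and a per-account progressive delay."""

    def __init__(self, users: dict, base_delay: float = 1.0, max_delay: float = 60.0):
        self.users = users              # username -> {"salt": bytes, "hash": bytes}
        self.failures = {}              # username -> consecutive failed attempts
        self.base_delay, self.max_delay = base_delay, max_delay
        # Dummy record so an unknown username costs the same work as a known one,
        # which keeps response timing from revealing which factor failed.
        self._dummy = make_user("dummy-password-never-valid")

    def required_delay(self, username: str) -> float:
        """Seconds the caller must wait (or refuse) before the next attempt on this account."""
        n = self.failures.get(username, 0)
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def login(self, username: str, password: str):
        """Return (ok, message). The message never says whether the user exists."""
        rec = self.users.get(username) or self._dummy
        match = hmac.compare_digest(_scrypt(password, rec["salt"]), rec["hash"])
        if match and username in self.users:
            self.failures.pop(username, None)
            return True, "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return False, GENERIC_FAILURE
```

The delay doubles per consecutive failure and is capped, which slows online guessing without locking the account outright (a lockout turns a guessing attempt into a denial of service against the victim). The caller is expected to check `required_delay()` and reject or sleep before calling `login()` again.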
## Session management
- [ ] Session tokens are generated by a vetted framework, not hand-rolled
- [ ] Session tokens have at least 128 bits of entropy from a CSPRNG (ASVS 4.0 V3.2.2 sets the floor at 64 bits)
- [ ] Sessions expire after a defined idle and absolute timeout
- [ ] Logout invalidates the session on the server
- [ ] Session cookies have `Secure`, `HttpOnly`, and `SameSite` set
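The Session management items above as an added Python example (not code from the ASVS, Checksy or the checklist's author): a server-side store with CSPRNG tokens, idle and absolute expiry and real logout, plus the `Set-Cookie` line that carries the token. The clock is injectable so expiry can be exercised without waiting; the user names are constructed.

```python
# Added example (not from the ASVS or this checklist's author): server-side
# session store with CSPRNG tokens, idle/absolute expiry, logout that actually
# invalidates, and the hardened cookie. Clock is injectable; names are constructed.
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Sessions live server-side; the client only ever holds an opaque token."""

    def __init__(self, idle_timeout=30 * 60, absolute_timeout=12 * 3600, clock=time.time):
        self.idle_timeout = idle_timeout          # seconds of inactivity tolerated
        self.absolute_timeout = absolute_timeout  # hard lifetime regardless of activity
        self._clock = clock
        self._sessions = {}   # token -> {"user": str, "created": float, "last_seen": float}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(16)   # 16 bytes from os.urandom = 128 bits of entropy
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token: str):
        """Return the user for a live session; expired or unknown tokens give None,
        and an expired session is purged on the spot."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_timeout:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        """Invalidate on the server; clearing the cookie alone leaves the token usable."""
        self._sessions.pop(token, None)


def session_cookie_header(token: str, name: str = "__Host-session") -> str:
    """Value for the Set-Cookie header with Secure, HttpOnly and SameSite set."""
    jar = SimpleCookie()
    jar[name] = token
    jar[name]["secure"] = True       # never sent over plain HTTP
    jar[name]["httponly"] = True     # not readable from document.cookie
    jar[name]["samesite"] = "Lax"    # not attached to cross-site POSTs; use Strict if UX allows
    jar[name]["path"] = "/"          # the __Host- prefix requires Path=/ and no Domain
    return jar[name].OutputString()
```

The `__Host-` cookie prefix makes the browser enforce `Secure` and `Path=/` with no `Domain` attribute, so a subdomain cannot plant a session cookie for the main site. `SameSite=Lax` is the compromise most sites can live with; `Strict` also blocks top-level navigations from other sites carrying the cookie.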
## Access control
- [ ] Access control is enforced server-side on every request
- [ ] The principle of least privilege is applied to all roles
- [ ] Direct object references are checked against the requesting user
- [ ] Administrative functions require step-up authentication
- [ ] Access control failures are logged
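The Access control items above as an added Python example (not code from the ASVS, Checksy or the checklist's author): the insecure direct object reference beside the ownership-checked version, step-up for an administrative action, and an audit trail for every denial. The invoice table, the users and the `AUDIT` list are constructed for the demo.

```python
# Added example (not from the ASVS or this checklist's author): server-side
# ownership checks, step-up for admin actions, and an audit trail of denials.
# The invoice table, users and the AUDIT list are constructed for the demo.
import time
from functools import wraps


class AccessDenied(Exception):
    pass


AUDIT = []   # stands in for the security log sink; each entry carries who/what/why

# Constructed data: invoice id -> record. Ids are sequential and guessable on purpose.
INVOICES = {
    101: {"owner": "alice", "total": 120},
    102: {"owner": "bob", "total": 80},
}


def deny(user: dict, action: str, resource: str, reason: str):
    AUDIT.append({"user": user["name"], "action": action,
                  "resource": resource, "reason": reason})
    raise AccessDenied(reason)


def get_invoice_insecure(user: dict, invoice_id: int) -> dict:
    """Direct object reference with no ownership check: any user reads any invoice."""
    return INVOICES[invoice_id]


def get_invoice(user: dict, invoice_id: int) -> dict:
    """Ownership is checked on every call; a missing record and someone else's
    record produce the same denial so ids cannot be enumerated."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user["name"]:
        deny(user, "read", "invoice:%s" % invoice_id, "not-owner-or-missing")
    return inv


def require_step_up(max_age: float = 300.0, clock=time.time):
    """Admin role plus a second factor completed within max_age seconds."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if "admin" not in user.get("roles", ()):
                deny(user, fn.__name__, "admin", "missing-role")
            if clock() - user.get("mfa_at", 0.0) > max_age:
                deny(user, fn.__name__, "admin", "step-up-required")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_step_up()
def disable_account(user: dict, target: str) -> str:
    return "disabled %s" % target


def fresh_admin() -> dict:
    """Admin who completed MFA just now (constructed for the demo)."""
    return {"name": "root", "roles": ["admin"], "mfa_at": time.time()}


def stale_admin() -> dict:
    """Admin whose last MFA was long ago: must step up again."""
    return {"name": "root", "roles": ["admin"], "mfa_at": 0.0}


def denied(fn, *args) -> bool:
    """True if the call was refused with AccessDenied (helper for checking outcomes)."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True
```

For black-box verification of the IDOR item, log in as two users, take an object id issued to one, and request it as the other: the hardened version answers identically for "not yours" and "does not exist", and each refusal lands in the audit log with the requesting identity.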
## Input validation and encoding
- [ ] All input is validated server-side against an allow-list
- [ ] Untrusted data is encoded for the output context it lands in (HTML body, HTML attribute, JavaScript, URL); SQL is handled by parameterization, not encoding
- [ ] All database access uses parameterized queries
- [ ] Uploaded files are validated for type, size, and content
- [ ] Untrusted URLs are validated before being followed (SSRF)
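The Input validation and encoding items above as an added Python example (not code from the ASVS, Checksy or the checklist's author): an allow-list validator, the injectable query beside its parameterized form, the same untrusted value encoded for three output contexts, and an SSRF guard. The in-memory SQLite table and the DNS table inside `constructed_resolver()` are constructed for the demo.

```python
# Added example (not from the ASVS or this checklist's author): allow-list
# validation, parameterised queries next to the injectable version, per-context
# output encoding, and an SSRF guard. The SQLite table and the DNS table in
# constructed_resolver() are constructed for the demo.
import html
import ipaddress
import json
import re
import sqlite3
from urllib.parse import quote, urlsplit

USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")   # allow-list: what IS permitted


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def find_user_insecure(db, name: str) -> list:
    """String-built SQL: name = "x' OR '1'='1" returns every row."""
    return db.execute("SELECT name, email FROM users WHERE name = '%s'" % name).fetchall()


def find_user(db, name: str) -> list:
    """Parameterised: the value travels separately from the statement, so quotes are data."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def js_string(value: str) -> str:
    # A JSON string is a valid JS string literal; escaping "</" stops "</script>"
    # inside the value from closing the surrounding <script> element early.
    return json.dumps(value).replace("</", "<\\/")


def render_profile(name: str) -> str:
    """Same untrusted value encoded three ways, one per output context."""
    return (
        "<h1>%s</h1>\n" % html.escape(name)                       # HTML body
        + '<a href="/u/%s">profile</a>\n' % quote(name, safe="")  # URL path segment
        + "<script>var user = %s;</script>" % js_string(name)     # JS string literal
    )


def constructed_resolver(host: str) -> str:
    """Constructed DNS table for the demo. Real code resolves with socket.getaddrinfo()
    and then connects to the address it checked, otherwise a short-TTL record can
    swap in an internal IP between the check and the request (DNS rebinding)."""
    table = {"api.example.com": "93.184.216.34",
             "internal.example.com": "10.0.0.5",
             "localhost": "127.0.0.1"}
    try:
        return str(ipaddress.ip_address(host))   # literal IP: use as-is
    except ValueError:
        return table[host]                       # KeyError for unknown names


def url_allowed(url: str, resolve=constructed_resolver) -> bool:
    """SSRF guard: https only, no embedded credentials, default port, and the
    address the host resolves to must not be internal."""
    try:
        parts = urlsplit(url)
        port = parts.port                # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not parts.hostname or parts.username is not None:
        return False
    if port not in (None, 443):
        return False
    try:
        ip = ipaddress.ip_address(resolve(parts.hostname))
    except (ValueError, KeyError):
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)
```

The encoding step is per destination, not per input: the same string gets `html.escape` for the body, percent-encoding for the path, and a JSON literal for the script block. Validation narrows what is accepted; encoding makes whatever was accepted inert where it is rendered. The two are not interchangeable.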
## Cryptography
- [ ] All traffic is served over TLS 1.2 or higher
- [ ] HSTS is enabled with a max-age of at least one year (31536000 seconds)
- [ ] Passwords are hashed with a strong adaptive function (bcrypt/scrypt/Argon2)
- [ ] Secrets are stored in a secrets manager, not source code
- [ ] Random values for tokens, IDs, and salts use a CSPRNG
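The password-hashing and CSPRNG items above as an added Python example (not code from the ASVS, Checksy or the checklist's author). It uses scrypt from the standard library and stores the hash in a self-describing string so the work factor can be raised later and old hashes upgraded on the next successful login. The `$scrypt$...` encoding is this example's own convention, not a library standard.

```python
# Added example (not from the ASVS or this checklist's author): an adaptive
# password hash stored with its own parameters, a needs_rehash() check for
# raising the work factor later, and CSPRNG token generation. The "$scrypt$..."
# encoding is this example's own convention.
import base64
import hashlib
import hmac
import secrets

# Current work factor. n=2**14, r=8 needs 16 MiB per hash; raise n as hardware
# allows and needs_rehash() flags older hashes for upgrade on the next login.
PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def hash_password(password: str, params: dict = PARAMS) -> str:
    """Return "$scrypt$n=..,r=..,p=..$<salt>$<key>" with a fresh per-user salt."""
    salt = secrets.token_bytes(SALT_BYTES)             # CSPRNG, never random.random()
    key = hashlib.scrypt(password.encode(), salt=salt, dklen=KEY_BYTES, **params)
    return "$scrypt$n=%d,r=%d,p=%d$%s$%s" % (
        params["n"], params["r"], params["p"], _b64(salt), _b64(key))


def _parse(encoded: str):
    _, algo, param_str, salt, key = encoded.split("$")
    params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
    return algo, params, base64.b64decode(salt), base64.b64decode(key)


def verify_password(password: str, encoded: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, params, salt, key = _parse(encoded)
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=salt, dklen=len(key), **params)
    return hmac.compare_digest(candidate, key)


def needs_rehash(encoded: str, params: dict = PARAMS) -> bool:
    """True when the stored hash was made with parameters other than the current ones."""
    return _parse(encoded)[1] != params


def new_token(nbytes: int = 32) -> str:
    """URL-safe random token for reset links or API keys (256 bits by default)."""
    return secrets.token_urlsafe(nbytes)
```

The salt is stored alongside the hash and is not secret; its job is to make identical passwords hash differently and defeat precomputed tables. Argon2id and bcrypt fit the same pattern through their respective libraries; the point of the encoded-parameters format is that a verification can always reproduce the original cost settings, whatever they were at the time.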
## Error handling and logging
- [ ] Errors do not leak stack traces, paths, or query details to users
- [ ] Security-relevant events are logged with timestamp and identity
- [ ] Logs do not contain passwords, tokens, or full payment card numbers
- [ ] Time sources used for logs are synchronized (NTP)
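The Error handling and logging items above as an added Python example (not code from the ASVS, Checksy or the checklist's author): a logging filter that strips passwords, bearer tokens and Luhn-valid card numbers before a record reaches any handler, and an error handler that hands the client a correlation id while the stack trace stays in the log. The sample log lines are constructed.

```python
# Added example (not from the ASVS or this checklist's author): a logging filter
# that redacts passwords, bearer tokens and Luhn-valid card numbers, and an error
# handler that returns a correlation id instead of a stack trace. Sample lines
# are constructed.
import logging
import re
import traceback
import uuid

REDACTIONS = [
    (re.compile(r"(?i)\b(password|passwd|pwd)=\S+"), r"\1=[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9\-._~+/]+=*"), r"\1[REDACTED]"),
    (re.compile(r"(?i)\b(token|api[_-]?key|secret)=[A-Za-z0-9\-._~+/]+=*"), r"\1=[REDACTED]"),
]
PAN_RE = re.compile(r"\b\d{13,19}\b")   # candidate card numbers; confirmed by Luhn


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order ids and timestamps are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(m) -> str:
    digits = m.group(0)
    return "[PAN ****%s]" % digits[-4:] if luhn_ok(digits) else digits


def redact(line: str) -> str:
    for pattern, replacement in REDACTIONS:
        line = pattern.sub(replacement, line)
    return PAN_RE.sub(_mask_pan, line)


class RedactingFilter(logging.Filter):
    """Applies redact() to the fully formatted message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


log = logging.getLogger("app")
log.addFilter(RedactingFilter())


def handle_exception(exc: BaseException, user: str) -> dict:
    """Client sees a generic message plus a reference id; the trace goes only to the log."""
    ref = uuid.uuid4().hex[:12]
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("ref=%s user=%s %s", ref, user, trace.strip())
    return {"error": "An internal error occurred", "ref": ref}
```

The filter sits on the logger rather than on a handler so that every destination (file, syslog, SIEM shipper) gets the redacted record. The Luhn check keeps the card pattern from mangling any 16-digit identifier; the last four digits are kept because support staff need them to match a transaction, which PCI DSS permits.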
## Data protection
- [ ] Sensitive data is classified and minimized at collection
- [ ] Sensitive responses set `Cache-Control: no-store`
- [ ] Personal data has a defined retention period and deletion path
- [ ] Backups containing personal data are encrypted
## Communications
- [ ] Server certificates are valid, in-date, and from a trusted CA
- [ ] Weak ciphers and protocols (SSLv3, TLS 1.0/1.1, RC4, 3DES) are disabled
- [ ] Internal service-to-service traffic is also encrypted
## Configuration
- [ ] Default and sample accounts are removed before production
- [ ] Debug, trace, and admin endpoints are disabled in production
- [ ] Security headers (CSP, X-Content-Type-Options, Referrer-Policy) are set
- [ ] Dependencies are kept current and scanned for known CVEs
- [ ] CI/CD pipelines block deploys on critical security findings
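The Communications items (TLS 1.2+, trusted certificates, no legacy ciphers) and the header items from Configuration and Data protection (CSP, `X-Content-Type-Options`, `Referrer-Policy`, HSTS max-age, `Cache-Control: no-store`) as one added Python example (not code from the ASVS, Checksy or the checklist's author). It shows the hardened TLS client context beside the "just disable verification" context it replaces, and a checker that turns a response's headers into findings. The sample header sets are constructed.

```python
# Added example (not from the ASVS or this checklist's author): the TLS client
# settings the Communications items call for, beside the verification-off
# context they replace, and a checker for the response headers named under
# Configuration and Data protection. Sample header sets are constructed.
import ssl

WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL")


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+, certificate chain and hostname verified, no legacy ciphers."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED, check_hostname, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSLv3, TLS 1.0 and 1.1
    # TLS 1.2 suites limited to forward-secret AEAD; TLS 1.3 suites are managed separately
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The common 'fix' for certificate errors: verification switched off entirely."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> list:
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_CIPHER_MARKERS)]


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and not weak_ciphers_enabled(ctx))


def _max_age(value: str) -> int:
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

# header name -> predicate on its value; absence or a failing predicate is a finding
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: _max_age(v) >= 31536000,   # ASVS: one year minimum
    "content-security-policy": lambda v: "default-src" in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in SAFE_REFERRER,
}


def header_findings(headers: dict, sensitive: bool = False) -> list:
    """Return human-readable findings for a response's headers (empty = pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append("missing %s" % name)
        elif not ok(h[name]):
            findings.append("weak %s: %s" % (name, h[name]))
    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("sensitive response without Cache-Control: no-store")
    return findings
```

For the server side of the same items, an external check is a handshake attempt with a legacy protocol, for example `openssl s_client -connect host:443 -tls1_1`, which should fail; `header_findings()` can then be run over the headers of a real response (any mapping of name to value will do) to cover the remaining items in one pass.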