OWASP secure coding practices
A condensed checklist based on the OWASP Secure Coding Practices Quick Reference Guide. Use this during code review or as a pre-commit gate for security-sensitive changes.
- 60 items
- 10 sections
- Reusable template
---
template: true
about: A condensed checklist based on the OWASP Secure Coding Practices Quick Reference Guide. Use this during code review or as a pre-commit gate for security-sensitive changes.
---
# OWASP secure coding practices
## Input validation
- [ ] Conduct all input validation on a trusted system (server-side)
- [ ] Identify all data sources and classify them as trusted or untrusted
- [ ] Validate data against an allow-list of expected types and ranges
- [ ] Reject input that fails validation rather than attempting to sanitize it
- [ ] Validate for expected character set and encoding
- [ ] Validate uploaded files for type, size, and content
- [ ] Specify a single canonical character set (UTF-8) for all input
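The input-validation items above are easiest to apply when every field has an explicit allow-list rule and any failure rejects the request instead of repairing it. The following is an added example written for this page, not code from OWASP or Checksy; the form fields (`username`, `quantity`), their limits, and the two accepted upload types are assumptions chosen for illustration.

```python
import re
import unicodedata

# Constructed allow-list rules for a hypothetical "create order" form.
# Field names, limits and accepted file types are assumptions for this example.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")
QUANTITY_RE = re.compile(r"[0-9]{1,4}")
UPLOAD_TYPES = {  # magic bytes -> (type name, extensions that may carry it)
    b"\x89PNG\r\n\x1a\n": ("png", (".png",)),
    b"\xff\xd8\xff": ("jpeg", (".jpg", ".jpeg")),
}


class ValidationError(ValueError):
    """Raised when a field fails validation; the request is rejected, never repaired."""


def decode_utf8_strict(raw: bytes) -> str:
    """Enforce the single canonical encoding (UTF-8) and reject anything else,
    including control, format and unassigned code points that survive decoding."""
    try:
        text = raw.decode("utf-8")  # strict by default: invalid sequences raise
    except UnicodeDecodeError as exc:
        raise ValidationError(f"invalid UTF-8: {exc.reason}") from None
    for ch in text:
        if unicodedata.category(ch) in ("Cc", "Cf", "Cn") and ch not in "\t\n\r":
            raise ValidationError(f"disallowed character U+{ord(ch):04X}")
    return text


def validate_username(value: str) -> str:
    # Allow-list the exact character set and length; do not strip or lowercase.
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username must be 3-32 characters from [a-z0-9_]")
    return value


def validate_quantity(value: str) -> int:
    # Check the shape first (digits only), then convert, then check the range.
    if not QUANTITY_RE.fullmatch(value):
        raise ValidationError("quantity must be 1-4 digits")
    qty = int(value)
    if not 1 <= qty <= 1000:
        raise ValidationError("quantity must be between 1 and 1000")
    return qty


def validate_upload(filename: str, content: bytes, max_bytes: int = 1_000_000) -> str:
    """Classify the file by its content (magic bytes), then require the client-supplied
    name to agree; size is checked before anything else touches the bytes."""
    if len(content) > max_bytes:
        raise ValidationError("file too large")
    for magic, (kind, extensions) in UPLOAD_TYPES.items():
        if content.startswith(magic):
            if not filename.lower().endswith(extensions):
                raise ValidationError("file extension does not match content")
            return kind
    raise ValidationError("unsupported file type")


def validate_order(form: dict) -> dict:
    """Validate a whole request on the server; any single failure rejects the request."""
    return {
        "username": validate_username(decode_utf8_strict(form["username"])),
        "quantity": validate_quantity(decode_utf8_strict(form["quantity"])),
    }


def try_validate(fn, *args):
    """Return (True, value) or (False, reason); handy for building a 400 response."""
    try:
        return True, fn(*args)
    except ValidationError as exc:
        return False, str(exc)
```

The decode step is deliberately separate from the field rules: the raw bytes are decoded once with strict UTF-8, and only the resulting text is matched against the allow-list, so a mis-encoded or control-character payload is refused before any field-level rule runs.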
## Output encoding
- [ ] Conduct all output encoding on a trusted system (server-side)
- [ ] Use a standard, tested routine for each type of outbound encoding
- [ ] Contextually output encode all data returned to the client
- [ ] Encode all characters with values less than 256 unless known safe
- [ ] Sanitize output for use in SQL, XML, LDAP, and OS commands
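"Contextual" encoding means the same untrusted string is transformed differently depending on the interpreter that will read it. The block below is an added example for this page, not code from OWASP or Checksy. It implements the conservative rule from the list (leave only alphanumerics unencoded, encode everything else including all values below 256) for HTML, JavaScript-string and URL-parameter contexts, and shows that for SQL the right "routine" is the driver's placeholder rather than any hand-written escaping. The `users` table and the page layout in `render_profile` are constructed for the example.

```python
import sqlite3
from urllib.parse import quote

# Alphanumerics are the only characters left unencoded in every context below;
# everything else, including every value below 256, is encoded for its interpreter.
_SAFE = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")


def encode_for_html(value: str) -> str:
    """HTML body and quoted-attribute context: decimal numeric entities."""
    return "".join(c if c in _SAFE else f"&#{ord(c)};" for c in value)


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context: \\xHH below 256, \\uHHHH up to U+FFFF,
    and the ES2015 \\u{...} form above that."""
    out = []
    for c in value:
        cp = ord(c)
        if c in _SAFE:
            out.append(c)
        elif cp < 0x100:
            out.append(f"\\x{cp:02x}")
        elif cp <= 0xFFFF:
            out.append(f"\\u{cp:04x}")
        else:
            out.append(f"\\u{{{cp:x}}}")
    return "".join(out)


def encode_for_url_param(value: str) -> str:
    """URL query-string context: percent-encode everything except alphanumerics."""
    return quote(value, safe="")


def render_profile(display_name: str, next_url: str) -> str:
    """The same untrusted value is encoded differently for each context it lands in."""
    return (
        f"<p>Hello, {encode_for_html(display_name)}</p>\n"
        f'<a href="/go?to={encode_for_url_param(next_url)}">continue</a>\n'
        f'<script>var name = "{encode_for_js_string(display_name)}";</script>'
    )


def find_user(conn: sqlite3.Connection, username: str):
    """SQL context: no string escaping at all; the driver placeholder keeps the
    data out of the statement text, which is the tested routine to rely on."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchone()


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users (username) VALUES (?)", ("alice",))
    return conn
```

Encoding only alphanumerics as "known safe" is stricter than most framework defaults (which leave punctuation such as `.` and `-` alone); the cost is slightly larger output, the benefit is that the encoder does not need to know which punctuation the target interpreter treats specially.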
## Authentication and password management
- [ ] Require authentication for all pages except those intentionally public
- [ ] Enforce all authentication controls on a trusted system
- [ ] Use a centralized authentication service across the application
- [ ] Use strong, salted, adaptive hashing (bcrypt, Argon2) for stored passwords
- [ ] Disable accounts after an established number of invalid login attempts
- [ ] Notify users when a password reset occurs
- [ ] Re-authenticate users prior to performing critical operations
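The password-management items above fit together in one small account store: per-user random salts with an adaptive hash, constant-time comparison, a lockout counter, a notification on password change, and re-authentication before a critical operation. This is an added example for this page, not code from OWASP or Checksy. It uses `hashlib.scrypt` from the Python standard library as a stand-in for bcrypt or Argon2 (the list names those two; scrypt is chosen here only because it needs no third-party package), and the cost parameters, lockout threshold and in-memory store are assumptions.

```python
import hashlib
import hmac
import os

# scrypt from the standard library stands in for bcrypt/Argon2 in this example;
# cost parameters are assumptions chosen to keep the example fast to run.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILED_ATTEMPTS = 5  # assumed lockout threshold


def hash_password(password: str) -> str:
    """Random per-user salt plus an adaptive, memory-hard hash; the stored string
    carries its own parameters so the cost can be raised later without a flag day."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Verified against when the username does not exist, so the response takes the
# same time whether or not the account is real.
_DUMMY_HASH = hash_password("placeholder-not-a-real-password")


class UserStore:
    """Constructed in-memory user table; a deployment would back this with a database."""

    def __init__(self):
        self.users = {}
        self.notifications = []  # stands in for the e-mail sent on password change

    def register(self, username: str, password: str) -> None:
        self.users[username] = {"hash": hash_password(password), "failed": 0, "locked": False}

    def login(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        if user is None:
            verify_password(password, _DUMMY_HASH)  # same work, same generic failure
            return False
        if user["locked"]:
            return False
        if verify_password(password, user["hash"]):
            user["failed"] = 0
            return True
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True  # disabled until an out-of-band unlock
        return False

    def change_password(self, username: str, current: str, new: str) -> bool:
        """Critical operation: re-authenticate with the current password, then notify."""
        user = self.users.get(username)
        if user is None or user["locked"] or not verify_password(current, user["hash"]):
            return False
        user["hash"] = hash_password(new)
        self.notifications.append((username, "Your password was changed"))
        return True
```

`login` returns the same `False` for an unknown user, a wrong password and a locked account; the distinction is for the server-side log (see the logging section), not for the caller.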
## Session management
- [ ] Use the framework's built-in session management controls
- [ ] Generate a new session identifier on login and re-authentication
- [ ] Set the Secure, HttpOnly, and SameSite attributes on session cookies
- [ ] Set logical session timeouts and absolute timeouts
- [ ] Invalidate the session on logout (server-side)
- [ ] Do not expose session identifiers in URLs, logs, or error messages
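Frameworks already provide most of this, but seeing the mechanics in one place makes the items concrete: a random opaque identifier, a new identifier issued at login, idle and absolute timeouts enforced on the server, server-side invalidation on logout, and a cookie carrying the required attributes. The following is an added example for this page, not code from OWASP or Checksy; the timeout values, cookie name `sid` and injectable clock are assumptions.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session ends (assumed)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard ceiling regardless of activity (assumed)


class SessionStore:
    """Server-side session table; the client only ever holds an opaque random id."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so the timeouts can be tested deterministically

    def create(self, user_id=None) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"user": user_id, "created": now, "last_seen": now}
        return sid

    def login(self, old_sid: str, user_id) -> str:
        """Issue a fresh id at authentication so an id chosen before login is never upgraded."""
        self.destroy(old_sid)
        return self.create(user_id)

    def user_for(self, sid: str):
        """Resolve an id to a user, enforcing both timeouts; None if the session is not valid."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > IDLE_TIMEOUT or now - sess["created"] > ABSOLUTE_TIMEOUT:
            self.destroy(sid)
            return None
        sess["last_seen"] = now
        return sess["user"]

    def destroy(self, sid: str) -> None:
        """Logout: remove the server-side record so the cookie value is worthless afterwards."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value carrying the attributes the checklist requires."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def clear_session_cookie() -> str:
    """Sent alongside the server-side destroy so the browser drops the cookie too."""
    return "sid=; Path=/; Max-Age=0; Secure; HttpOnly; SameSite=Lax"


def log_safe(sid: str) -> str:
    """What may appear in logs: a short fingerprint, never the identifier itself."""
    return hashlib.sha256(sid.encode("utf-8")).hexdigest()[:12]
```

Because the timeout check happens in `user_for`, an expired record is removed the first time it is presented after expiry; a periodic sweep of `_sessions` would be needed in a long-running service to reclaim records that are never presented again.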
## Access control
- [ ] Use only trusted system objects to make access authorization decisions
- [ ] Enforce access controls server-side on every request
- [ ] Deny access by default; fail securely
- [ ] Restrict access to protected URLs, functions, files, and services
- [ ] Limit the number of transactions a single user can perform in a given time
- [ ] Re-check authorization periodically during long-running sessions
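"Deny by default" is simplest to get right when the policy is a finite set of explicit allow rules and every other combination falls through to a refusal, with the decision taken from server-side records rather than anything the client sent. The block below is an added example for this page, not code from OWASP or Checksy; the roles, actions, resource types, transaction quota and HTTP-style status codes are assumptions for illustration.

```python
import time
from collections import defaultdict, deque

# Explicit allow rules as (role, action, resource type); anything absent is denied.
# Roles, actions and the quota are assumptions for this example.
ALLOW_RULES = {
    ("admin", "read", "invoice"),
    ("admin", "write", "invoice"),
    ("customer", "read", "invoice"),
}
MAX_TRANSACTIONS, WINDOW_SECONDS = 5, 60


class Authorizer:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._recent = defaultdict(deque)  # user id -> timestamps of recent transactions

    def is_allowed(self, user, action: str, resource) -> bool:
        """Decide from server-side records only: the user row and the resource's owner
        column, never a role or owner id supplied by the client."""
        try:
            if user is None or "id" not in user or user.get("disabled"):
                return False
            if (user["role"], action, resource["type"]) not in ALLOW_RULES:
                return False
            # Horizontal check: customers reach only their own objects.
            if user["role"] == "customer" and resource["owner"] != user["id"]:
                return False
            return True
        except (KeyError, TypeError):
            return False  # malformed input fails closed

    def record_transaction(self, user_id) -> bool:
        """Sliding-window limit on transactions per user; False means over quota."""
        now = self._clock()
        q = self._recent[user_id]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_TRANSACTIONS:
            return False
        q.append(now)
        return True


def handle_request(auth: Authorizer, user, action: str, resource) -> int:
    """Every request re-checks authorization, then the quota; returns an HTTP-style status."""
    if not auth.is_allowed(user, action, resource):
        return 403
    if action == "write" and not auth.record_transaction(user["id"]):
        return 429
    return 200
```

Re-checking on every request is what makes the "re-check periodically during long-running sessions" item free: a user who is disabled mid-session is refused on the next call without any session bookkeeping.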
## Cryptographic practices
- [ ] Protect secrets, keys, and certificates from unauthorized access
- [ ] Use cryptographic modules from approved, well-maintained libraries
- [ ] Use a cryptographically strong random number generator
- [ ] Define a policy and process for cryptographic key management
- [ ] Establish key rotation procedures and follow them
## Error handling and logging
- [ ] Do not disclose sensitive information in error responses (stack traces, queries)
- [ ] Use generic error messages and custom error pages
- [ ] Release allocated resources in finally blocks even on error
- [ ] Restrict access to logs to authorized individuals only
- [ ] Log all authentication attempts, access control failures, and validation failures
- [ ] Do not log sensitive data (passwords, tokens, PII) in plain text
- [ ] Use a master routine for all logging operations
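A "master routine" for logging is the natural place to enforce the other items in this section: it is the one function that can redact secrets before they reach a file, and it pairs with an error handler that records full detail internally while returning only a generic message and a correlation id. The following is an added example for this page, not code from OWASP or Checksy; the list of sensitive keys, the redaction patterns and the response shape are assumptions.

```python
import json
import logging
import re
import uuid

# Keys whose values are masked wherever they appear in log context (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "token", "authorization",
                  "secret", "api_key", "ssn", "card_number"}
# Patterns masked inside free-text values: bearer tokens and 13-16 digit card numbers.
_BEARER_RE = re.compile(r"(?i)\bbearer\s+[a-z0-9._~+/=-]+")
_CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def redact(obj):
    """Recursively mask sensitive fields and patterns in structured log context."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        obj = _BEARER_RE.sub("Bearer [REDACTED]", obj)
        return _CARD_RE.sub("[CARD]", obj)
    return obj


def security_event(logger: logging.Logger, event: str, **context) -> str:
    """The single routine every security-relevant event (auth attempt, access-control
    failure, validation failure) goes through. Returns the emitted line for inspection."""
    record = {"event": event, **redact(context)}
    line = json.dumps(record, sort_keys=True, default=str)
    logger.info(line)
    return line


def error_response(logger: logging.Logger, exc: BaseException, request_id: str = None):
    """Full detail (including the traceback) goes to the internal log; the client
    gets a generic message plus a correlation id so support can find the real error."""
    rid = request_id or uuid.uuid4().hex
    logger.error("request %s failed", rid, exc_info=exc)
    return 500, {"error": "An internal error occurred.", "request_id": rid}
```

Key-based redaction catches fields the application knows about; the pattern-based pass catches secrets that arrive inside free text (a pasted header, an exception message), which is where they most often leak.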
## Data protection
- [ ] Implement least privilege — restrict users to required functionality and data
- [ ] Protect server-side source code from being downloaded by users
- [ ] Do not store passwords, connection strings, or sensitive data in clear text
- [ ] Remove comments containing sensitive information from production code
- [ ] Disable client-side caching on pages with sensitive data
- [ ] Encrypt highly sensitive stored data (PII, financial records, health records)
## Communication security
- [ ] Implement TLS for every connection that transmits sensitive information
- [ ] Use TLS for connections to external systems involving sensitive data
- [ ] Ensure TLS certificates are valid, not expired, and from a trusted CA
- [ ] Fail closed when a TLS connection cannot be established rather than falling back to insecure protocols
- [ ] Specify character encodings for all connections
## System configuration
- [ ] Ensure servers, frameworks, and components run the latest approved version
- [ ] Remove all unnecessary functionality and files
- [ ] Remove test code or any unintended functionality before deployment
- [ ] Define which HTTP methods (GET, POST) are allowed for each resource
- [ ] Disable HTTP methods (TRACE, OPTIONS) that are not required
- [ ] Set security headers (CSP, X-Content-Type-Options, Referrer-Policy)
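The last three items above (per-resource method allow-list, disabled methods, security headers) can be enforced in one small dispatcher in front of the application handlers. The block below is an added example for this page, not code from OWASP or Checksy; the routes, the exact header values and the framework-free `(status, headers, body)` return shape are assumptions. Only TRACE is disabled unconditionally here; OPTIONS is left to the per-route allow-list because CORS preflight requests need it on some resources.

```python
# Per-resource method allow-list; anything not listed gets 405 (routes are assumed).
ALLOWED_METHODS = {
    "/login": {"POST"},
    "/profile": {"GET", "POST"},
    "/static/": {"GET", "HEAD"},
}
# Methods never served anywhere, whatever the route says.
DISABLED_METHODS = {"TRACE"}
# Headers added to every response, whatever the route or status (values are assumed).
SECURITY_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'; object-src 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Frame-Options", "DENY"),
]


def _lookup(path: str):
    """Exact match first, then prefix match for entries ending in '/'."""
    if path in ALLOWED_METHODS:
        return ALLOWED_METHODS[path]
    for prefix, methods in ALLOWED_METHODS.items():
        if prefix.endswith("/") and path.startswith(prefix):
            return methods
    return None


def handle(method: str, path: str, handler=None):
    """Tiny dispatcher returning (status, headers, body). Unknown paths are 404;
    disabled or unlisted methods are 405 with an Allow header naming what is permitted."""
    headers = list(SECURITY_HEADERS)
    method = method.upper()
    allowed = _lookup(path)
    if allowed is None:
        return 404, headers, b"not found"
    if method in DISABLED_METHODS or method not in allowed:
        permitted = sorted(allowed - DISABLED_METHODS)
        return 405, headers + [("Allow", ", ".join(permitted))], b""
    body = handler(method, path) if handler else b"ok"
    return 200, headers, body
```

Returning 404 before 405 means a probe for an unknown path learns nothing about which methods exist; for known paths the `Allow` header is required by HTTP alongside a 405 and costs nothing, since the allow-list is already public through normal use.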