OWASP Top 10 web application security risks

---
template: true
about: The OWASP Top 10 (2021) — the most critical security risks to web applications. Use this checklist to review an application against each category.
---

# OWASP Top 10 web application security risks

## A01 Broken access control

- [ ] Deny access by default, except for public resources
- [ ] Enforce access control checks server-side, never client-side
- [ ] Use a single, reusable access control mechanism across the app
- [ ] Verify ownership before allowing record access (no IDOR)
- [ ] Disable directory listing on the web server
- [ ] Log access control failures and alert on repeated failures
- [ ] Rate-limit API and controller access to slow automated attacks
- [ ] Invalidate session tokens on the server after logout

## A02 Cryptographic failures

- [ ] Classify data and identify what requires encryption at rest or in transit
- [ ] Do not store sensitive data unnecessarily; discard as soon as possible
- [ ] Encrypt all data in transit with TLS and HSTS
- [ ] Use strong, current, standard algorithms and key lengths
- [ ] Store passwords with a strong adaptive hash (bcrypt, scrypt, Argon2)
- [ ] Use authenticated encryption (AEAD) instead of plain encryption
- [ ] Rotate keys and avoid hard-coded secrets in source code
- [ ] Disable caching of responses containing sensitive data

## A03 Injection

- [ ] Use parameterized queries or an ORM for all database access
- [ ] Validate input against an allow-list (server-side)
- [ ] Escape output for the relevant context (HTML, JS, SQL, shell)
- [ ] Use LIMIT clauses to reduce mass disclosure on injection
- [ ] Avoid dynamic OS command execution; if required, use safe APIs
- [ ] Review use of NoSQL, LDAP, XPath, and template engines for injection

## A04 Insecure design

- [ ] Establish a secure development lifecycle with security experts
- [ ] Use threat modeling for critical authentication, access control, and business logic flows
- [ ] Integrate security language and controls into user stories
- [ ] Write unit and integration tests for failure scenarios, not only success
- [ ] Segregate tier and tenant boundaries with clear trust zones
- [ ] Limit resource consumption per user or service

## A05 Security misconfiguration

- [ ] Use a repeatable hardening process for all environments
- [ ] Remove unused features, components, documentation, and sample apps
- [ ] Review and update configurations as part of the patch process
- [ ] Use a segmented application architecture
- [ ] Send security directives to clients (security headers)
- [ ] Run automated configuration verification in all environments

## A06 Vulnerable and outdated components

- [ ] Maintain an inventory of client- and server-side components and versions
- [ ] Monitor sources like CVE and NVD for component vulnerabilities
- [ ] Subscribe to email alerts for security vulnerabilities of components used
- [ ] Obtain components only from official sources over secure links
- [ ] Remove unused dependencies, unnecessary features, files, and documentation
- [ ] Patch or upgrade vulnerable components promptly

## A07 Identification and authentication failures

- [ ] Implement multi-factor authentication where possible
- [ ] Do not ship with default credentials, especially for admin accounts
- [ ] Check passwords against lists of known weak or breached passwords
- [ ] Align password length, complexity, and rotation policies with NIST 800-63b
- [ ] Use the same messages for all authentication outcomes to avoid enumeration
- [ ] Limit or increasingly delay failed login attempts
- [ ] Use a server-side, secure, built-in session manager

## A08 Software and data integrity failures

- [ ] Use digital signatures to verify software and data come from the expected source
- [ ] Ensure libraries and dependencies are from trusted repositories
- [ ] Use a software composition analysis (SCA) tool in CI/CD
- [ ] Review code and configuration changes to minimize malicious code
- [ ] Ensure CI/CD pipelines have proper segregation, configuration, and access control
- [ ] Do not send unsigned or unencrypted serialized data to untrusted clients

## A09 Security logging and monitoring failures

- [ ] Log all login, access control, and server-side input validation failures
- [ ] Ensure logs are generated in a format consumable by log management tools
- [ ] Encode log data correctly to prevent injections or attacks on the logging system
- [ ] Ensure high-value transactions have an audit trail with integrity controls
- [ ] DevSecOps teams establish effective monitoring and alerting
- [ ] Establish or adopt an incident response and recovery plan

## A10 Server-side request forgery (SSRF)

- [ ] Segment remote resource access functionality in separate networks
- [ ] Enforce "deny by default" firewall policies to block all but essential intranet traffic
- [ ] Sanitize and validate all client-supplied input data
- [ ] Enforce URL schema, port, and destination with a positive allow-list
- [ ] Do not send raw responses to clients
- [ ] Disable HTTP redirections in the SSRF-vulnerable component