Secure Coding Principles
To be updated
- 1. Conduct all data validation on a trusted system (the result is returned from the backend server), including validation of data from untrusted data sources
- 2. Validate all untrusted client-provided data before processing, including all parameters, URLs, and HTTP header content (e.g. Cookie names and values), as well as automated postbacks from JavaScript
- 3. Validate for expected data types, data range, and data length
- 4. Validate all input using a whitelist (allow-list) approach
- 5. Specifically handle the following hazardous characters:
  - null bytes (%00)
  - new line characters (%0d, %0a, \r, \n)
  - "dot-dot-slash" (../ or ..\) path alteration characters
  - alternate representations such as %c0%ae%c0%ae/
- 1. Implement a centralized input validation routine
- 2. Specify a defined character set, e.g. UTF-8, for all input sources
- 3. Encode data to the defined character set before validation
- 4. Verify the HTTP header values
- 5. Validate data from redirects
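
A centralized routine that applies the input rules above in order: decode to the defined character set first, then check length, hazardous characters and the allow-list. This is an added example, not code from the original page; the function names and the `FILENAME` pattern are hypothetical, and it assumes the value is passed in as received, before any framework has percent-decoded it.

```python
import re
from urllib.parse import unquote_to_bytes

class ValidationError(ValueError):
    """Input failed the centralized validation routine."""

# Hazardous sequences named in the list above, checked after decoding.
HAZARDOUS = ("\x00", "\r", "\n", "../", "..\\")

def canonicalize(raw: str) -> str:
    """Percent-decode once and decode the bytes as strict UTF-8.

    Python's strict decoder rejects overlong forms such as %c0%ae, so an
    alternate representation of "." never reaches the later checks.
    """
    try:
        return unquote_to_bytes(raw).decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValidationError("input is not valid UTF-8") from exc

def validate_text(raw: str, allowed: re.Pattern, max_len: int) -> str:
    """Canonicalize, then check length, hazardous sequences and allow-list."""
    value = canonicalize(raw)
    if len(value) > max_len:
        raise ValidationError("too long")
    if any(seq in value for seq in HAZARDOUS):
        raise ValidationError("hazardous character sequence")
    # fullmatch: the whole value must match, not just a prefix or one line.
    if not allowed.fullmatch(value):
        raise ValidationError("not in the allow-list")
    return value

def validate_int(raw: str, low: int, high: int) -> int:
    """Data type (ASCII digits only), length and range check for integers."""
    number = int(validate_text(raw, re.compile(r"[0-9]{1,9}"), 9))
    if not low <= number <= high:
        raise ValidationError("out of range")
    return number

def is_accepted(raw: str, allowed: re.Pattern, max_len: int) -> bool:
    """Fail-secure wrapper: any validation error means the input is refused."""
    try:
        validate_text(raw, allowed, max_len)
        return True
    except ValidationError:
        return False

# Constructed allow-list for a hypothetical "filename" parameter.
FILENAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:txt|pdf)")
```
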
- 1. Utilize a standard and centralized outbound encoding to the presentation layer
- 2. Sanitize all output of untrusted data to queries for SQL, XML, and LDAP
- 1. Require authentication for all pages and resources (hiding the URL is not secure)
- 2. All authentication controls must be enforced on a trusted system (backend server)
- 3. Use a centralized implementation for all authentication controls
- 4. All authentication controls should follow the fail-secure principle
- 5. Password hashing must be implemented
Last modified 8mo ago