Secure Coding Principles

To be updated

Input Validation

  1. Conduct all data validation on a trusted system (e.g. the backend server), and identify all untrusted data sources

  2. Validate all untrusted client-provided data before processing, including all parameters, URLs, and HTTP header content (e.g. cookie names and values), as well as automated postbacks from JavaScript

  3. Validate for expected data types, data range, and data length

  4. Validate all input using a whitelist approach

  5. Specify how the following characters are handled:

  • hazardous characters

  • null bytes (%00)

  • new line characters (%0d, %0a, \r, \n)

  • "dot-dot-slash" (../ or ..\) path alteration characters

  • alternate representations such as %c0%ae%c0%ae/

  6. Implement a centralized input validation routine

  7. Specify a defined character set (e.g. UTF-8) for all input sources

  8. Encode data to the defined character set before validating it

  9. Verify the HTTP header values

  10. Validate data from redirects
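The input validation items above as one centralized routine, written as an added example for this page (it is not code from the original checklist); the parameter names, allowlist patterns and numeric bounds are assumptions. Values are percent-decoded and strictly decoded as UTF-8 before any check, so null bytes, CR/LF, double-encoded "../" and overlong forms such as %c0%ae are caught rather than passed through:

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed allowlist rules for two hypothetical request parameters; the
# patterns and bounds are assumptions made for this example.
RULES = {
    "filename": {"pattern": re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")},
    "page": {"pattern": re.compile(r"[0-9]{1,4}"), "min": 1, "max": 1000},
}
# Checked only after canonicalization, so encoded forms (%00, %0d%0a, %2e%2e%2f) cannot slip past.
HAZARDOUS = {"\x00": "null byte", "\r": "carriage return", "\n": "line feed"}
TRAVERSAL = ("../", "..\\")

def canonicalize(raw: str, charset: str = "utf-8", max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (catches double encoding), decoding
    strictly as the declared charset each round; overlong UTF-8 like %c0%ae fails here."""
    current = raw
    for _ in range(max_rounds):
        try:
            decoded = unquote_to_bytes(current).decode(charset)
        except UnicodeDecodeError as exc:
            raise ValueError(f"not valid {charset}: {exc.reason}") from None
        if decoded == current:
            return decoded
        current = decoded
    raise ValueError("too many layers of encoding")

def validate(name: str, raw: str):
    """Centralized routine: canonicalize, reject hazardous characters, then
    allowlist-check type, length and range. Returns (accepted, value_or_reason)."""
    try:
        rule = RULES.get(name)
        if rule is None:  # unknown parameters are rejected, not passed through
            raise ValueError("unknown parameter")
        value = canonicalize(raw)
        for char, label in HAZARDOUS.items():
            if char in value:
                raise ValueError(f"{label} not allowed")
        if any(seq in value for seq in TRAVERSAL):
            raise ValueError("path traversal sequence not allowed")
        if not rule["pattern"].fullmatch(value):
            raise ValueError("fails allowlist pattern")
        if "min" in rule:  # numeric parameter: the pattern already proved the type
            value = int(value)
            if not rule["min"] <= value <= rule["max"]:
                raise ValueError("out of range")
        return True, value
    except ValueError as exc:
        return False, f"{name}: {exc}"
```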

Output Encoding

  1. Utilize a standard, centralized encoding routine for all output to the presentation layer

  2. Sanitize all output of untrusted data used in SQL, XML, and LDAP queries

Authentication and Password Management

  1. Require authentication for all pages and resources (hiding a URL does not make it secure)

  2. All authentication controls must be enforced on a trusted system (the backend server)

  3. Use a centralized implementation for all authentication controls

  4. All authentication controls should follow the fail-secure principle

  5. Password hashing must be implemented

Session Management

Access Control

Cryptographic Practices

Error Handling and Logging

Data Protection

Communication Security

System Configuration

Database Security

File Management

Memory Management

General Coding Practices
