Secure Coding Principles
To be updated
Input Validation
Conduct all data validation on a trusted system (the result is returned from the backend server), and validate all untrusted data sources
Validate all untrusted client-provided data before processing, including all parameters, URLs, and HTTP header content (e.g. Cookie names and values), and also automated postbacks from JavaScript
Validate for expected data types, data range, and data length
Validate all input using a white list approach
Specifically handle the following characters:
hazardous characters
null bytes (%00)
new line characters (%0d, %0a, \r, \n)
"dot-dot-slash" (../ or ..\) path alteration characters
Alternate representations such as %c0%ae%c0%ae/
Implement a centralized input validation routine
Specify the defined character set (e.g. UTF-8) for all input sources
Encode data to the defined character set before validation
Verify the HTTP header values
Validate data from redirects
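The input validation items above combined into one centralized routine, as an added example that is not part of the original checklist. The field type (a file name), the length limit, the whitelist pattern and all function names are assumptions, and the sample inputs are constructed.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

MAX_LEN = 64  # assumed length limit for this field
# Assumed whitelist for a file-name field: must start with a letter or digit.
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]*")
# Hazardous sequences the checklist names: null byte, CR, LF, ../ and ..\
HAZARDOUS = ("\x00", "\r", "\n", "../", "..\\")


class ValidationError(ValueError):
    """Raised by the centralized routine; callers fail closed on it."""


def canonicalize(raw: str) -> str:
    """Percent-decode once, then decode strictly as UTF-8 before any check."""
    try:
        # Strict decoding rejects overlong forms such as C0 AE (an alternate ".").
        return unquote_to_bytes(raw).decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValidationError("invalid UTF-8") from exc


def validate_field(raw: str) -> str:
    """Return the canonical value, or raise ValidationError."""
    text = canonicalize(raw)
    if not 0 < len(text) <= MAX_LEN:
        raise ValidationError("bad length")
    if any(seq in text for seq in HAZARDOUS):
        raise ValidationError("hazardous sequence")
    if not ALLOWED.fullmatch(text):
        raise ValidationError("not in whitelist")
    return text


def rejection_reason(raw: str) -> Optional[str]:
    """None when the input is accepted, otherwise the reason it was refused."""
    try:
        validate_field(raw)
        return None
    except ValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample inputs, one per item in the checklist.
    for sample in ("report_2024.pdf", "a%00.png", "x%0d%0aSet-Cookie: y",
                   "..%2fsecret", "..%5csecret", "%c0%ae%c0%ae/etc", "%252e%252e%252f"):
        print(f"{sample!r:28} -> {rejection_reason(sample) or 'accepted'}")
```

Because decoding happens only once, the double-encoded input is left as literal percent signs and is refused by the whitelist rather than being decoded a second time.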
Output Encoding
Utilize a standard and centralized outbound encoding to the presentation layer
Sanitize all output of untrusted data to queries for SQL, XML, and LDAP
Authentication and Password Management
Require authentication for all pages and resources (hiding the URL is not secure)
All authentication controls must be enforced on a trusted system (backend server)
Use a centralized implementation for all authentication controls
All authentication controls should follow the fail-secure principle
Password hashing must be implemented
Session Management
Access Control
Cryptographic Practices
Error Handling and Logging
Data Protection
Communication Security
System Configuration
Database Security
File Management
Memory Management
General Coding Practices