Architecture
Serve files with specific extensions
Summary: The system should only serve files with extensions within a specific list.
Description: Servers usually host files that are required for their operation or that contain relevant technical information. These files should not be publicly ...
Include HTTP security headers
Summary: The system must attach properly-configured HTTP security headers to its requests and responses.
Description: HTTP security headers can be used to increase the overall security of an application. They are very effective at preventing the ...
Use consistent encoding
Summary: System components must use the same encodings and parsers.
Description: System components use structured messages to communicate with other components. When these messages include input from untrusted sources and this input is not properly ...
Set a rate limit
Summary: The server must have a rate limit to control interaction frequency.
Description: Several attacks depend on executing a huge amount of requests from a single host. For instance, it is possible to exhaust a server's connection pool with a single ...
Protect WSDL files
Summary: WSDL files containing sensitive information must not be publicly accessible.
Description: Some web services architectures require exposing a WSDL file. If this file contains sensitive information, such as deprecated methods or administrative ...
Control redirects
Summary: Redirects must be controlled, especially when they depend on external input.
Description: Systems must guarantee that all redirects lead to a controlled or trusted site. In general, redirects based on input data should be avoided as they could ...
Avoid client-side control enforcement
Summary: The system must enforce access controls on trusted enforcement points, which are not on the client's side.
Description: Systems must enforce access controls on trusted enforcement points, such as access control gateways, servers and serverless ...
Disable insecure functionalities
Summary: The organization must disable or carefully control the insecure functions of a system (system hardening).
Description: Sometimes, platforms include functionalities that are not required or could be harmful for some applications built on top of ...
Set maximum response time
Summary: The response time under the maximum expected concurrency must be no more than 5 seconds.
Description: Response time is a relevant measure of a system's availability and adaptability to stress. It is also important when it comes to usability and ...
Define standard configurations
Summary: The organization must define standard configurations that correct all known vulnerabilities. These configurations must also be consistent with industry standards.
Description: System configuration is essential when it comes to security issues. ...
Store source code in a repository
Summary: The organization must store the source code in a central repository.
Description: Storing the source code in a central repository is a foundational practice in modern software development. It promotes collaboration, version control, backup and ...
Control calls to interpreted code
Summary: Interpreted code (e.g., JavaScript, CSS) must be loaded from domains controlled by the organization.
Description: Applications often use resources or have dependencies that are hosted on other servers. These resources should be hosted on ...
Components with minimal dependencies
Summary: The components in the source code must have as few dependencies as possible.
Description: Having as few dependencies as possible is about being mindful of the dependencies that are introduced. It's a balance between modularity, simplicity, and ...