Files
Use octet stream downloads
Summary The system should download files coming from untrusted sources, such as user-uploaded files, using octet stream downloads. Description User-uploaded files should generally be considered to be untrusted input. If the appropriate Content ...
Avoid storing sensitive files in the web root
Summary The system should store neither user-uploaded files nor files containing sensitive information in the web root. Description The web root is the topmost directory on a web server. If there is no sufficient access control, any file in this ...
Manage the integrity of critical files
Summary The system must verify and log changes in the integrity of critical system files. Description The integrity of critical files needs to be safeguarded against malicious tampering or unauthorized modifications. If an attacker successfully ...
Remove metadata when sharing files
Summary The organization must remove file metadata before sharing it or making it public. Description Metadata includes different data such as the user's name, document properties, editing history, and comments. This metadata can inadvertently reveal ...
Define an explicit charset
Summary All system files generated dynamically must have an explicitly defined character set (charset). Description This control refers to specifying the character set used for encoding text in files that are dynamically generated by a system. It is ...
Define an explicit content type
Summary All system files generated dynamically must have an explicitly defined content type. Description This configuration ensures that the appropriate content type is included in the HTTP response headers when the file is served. Programming ...
Validate file format
Summary The system must only accept files whose format (structure) is required by the business operation. Description Enforcing the acceptance of files with the required format is a fundamental security and operational practice. It protects the ...
Scan files for malicious code
Summary The system must validate that the content of the files transferred to it is free of malicious code. Description This refers to a cybersecurity control that involves implementing mechanisms to regularly inspect files for the presence of ...
Compare file format and extension
Summary The system must validate that the format (structure) of the files corresponds to their extension. Description This is a security measure that can be useful for validating the integrity and authenticity of files in a system or application. ...
Define maximum file size
Summary The files manipulated by the system and the users must have a defined maximum file size (5MB recommended). Description When a system allows users to upload or attach files for storage, the maximum file size limit must be defined for these ...
Parameters without sensitive data
Summary The system must not allow parameter inclusion in directory names or file paths. Description A system must not allow the inclusion of directory names or file paths in its parameters. By tampering with the fields associated with these parameters, ...
Do not deploy temporary files
Summary The system must not deploy temporary files to production environments. Description Temporary files, at production scale, can have a hugely negative impact. Clearing out these files, no matter where they are located, is a good practice. ...