Posts

Showing posts from March, 2018

Security-Guide-For-Developers | Security Checklist

Security Checklist

Authentication System (Registration / Login / Secondary Verification / Password Reset)

- Use HTTPS everywhere.
- Store password hashes with Bcrypt (a salt is required, and Bcrypt applies one for you).
- Destroy the session ID after logout.
- Destroy all active sessions after a password reset.
- OAuth2 authentication must include the state parameter.
- After a successful login, do not redirect directly to an open (caller-supplied) path; the target must be checked, otherwise a phishing attack is easy to mount.
- When parsing user registration/login input, sanitize it for javascript://, data://, and CRLF characters.
- Use secure/httpOnly cookies.
- When OTP authentication is used on a mobile device, the OTP (One Time Password) must not be returned directly in the response when the Generate OTP or Resend OTP API is called. (It is normally delivered out of band, e.g. by SMS to the phone or a random code to the mailbox, rather than in the direct response.)
- Limit the number of API calls such as Login, Verify OTP, Resend OTP, and Generate OTP for i
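The open-redirect and javascript:// / data:// / CRLF items above are usually handled in one place: the check applied to the post-login "next" target. The validator below is an added example, not code from the checklist or its repository; the allowed host and default landing page are assumed, hypothetical values.

```python
from urllib.parse import urlsplit

# Hypothetical values for this example: the only host a post-login redirect
# may point at, and the page to fall back to when the target is rejected.
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_LANDING = "/dashboard"


def safe_post_login_redirect(target, allowed_hosts=ALLOWED_HOSTS,
                             default=DEFAULT_LANDING):
    """Return a redirect target that is safe to send the user to after login.

    Only a same-site absolute path or an https URL on an allowed host is
    accepted; everything else (other origins, protocol-relative URLs,
    javascript:/data: schemes, CRLF injection attempts) falls back to
    `default`, so an attacker-supplied "next" parameter cannot lead the
    freshly logged-in user to a phishing page.
    """
    if not target:
        return default
    # CR/LF would let the value inject headers when it is written into the
    # Location header; tabs, NULs and surrounding whitespace are used to hide
    # scheme tricks such as "java\tscript:" from naive checks.
    if any(ch in target for ch in "\r\n\t\x00") or target != target.strip():
        return default
    # Browsers treat "\" like "/" in URLs ("/\evil.example" becomes
    # "//evil.example"), so normalise before parsing.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()
    if scheme in ("javascript", "data", "vbscript", "file"):
        return default
    if not scheme and not parts.netloc:
        # Relative target: accept only an absolute path on this site.
        # "//host/..." has a netloc and never reaches this branch.
        if candidate.startswith("/"):
            return candidate
        return default
    # Absolute target: HTTPS only, exact allowed host, and no userinfo so
    # "https://app.example.com@evil.example/" is rejected.
    if (scheme == "https" and parts.hostname in allowed_hosts
            and not parts.username and not parts.password):
        return candidate
    return default
```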