Secure-Code-Review (Part 2)
sanket narawade
π¨βπ» Bugs donβt knockβπ΅οΈββοΈ find them before they break in! πͺπ£
Authentication And Password Management:
Require authentication for all resources except explicitly public ones.
Utilize standard , well trusted authentication service.
Ensure if authentication service fail securely.
Transmit password only over encrypted connections via HTTP POST request .
Enforce password complexity,length and change policies as per regulation.
Implement Multi-Factor-Authentication for High-Risk Accounts.
Notify users Lock Accounts after defined number of failed login attempts.
Require immediate password change for temporary credentials.
Regularly inspect third party authentication code for vulnerability.
Use Email based reset with temporary links and passwords and short expiration periods.
Session Management :
Use server side session management exclusively.
Restrict Cookie domain and path appropriately.
Consistently use HTTPS for all communications.
Terminate session fully after Logout. provide logout functionality on all protected pages.
Disallow persistent login and concurrent login with Same user ID.
Generate new session identifiers after Re-authentication , Periodic intervals or security context change.
Establish short session inactivity timeout.
π§ Think before you commit. π Review before you deploy. π Stay secure.
Thank you π
Subscribe to my newsletter
Read articles from sanket narawade directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by