Security Checklist
| Requirements | |
|---|---|
| TLS version 1.2 (or higher) is required. TLS 1.2 with AES-256 (or stronger) encryption and a SHA-256 MAC is recommended. | |
| HSTS must be enabled with a max-age of at least one year. | |
| The application must disable caching on all HTTPS pages that contain sensitive data by using no-cache and no-store instead of private in the Cache-Control header. | |
| Your DNS configuration for subdomains must point only to services that are in use. | |
| The application must authenticate and authorize all requests. Anonymous access to application endpoints and resources may be allowed only where it is needed. | |
| The application must not store or log passwords in plain text anywhere, inside or outside the application. | |
| The application must set the HttpOnly and Secure attributes when sending Set-Cookie headers for session-related cookies. | |
| The application must implement the Referrer-Policy header. The header must not be set to no-referrer-when-downgrade or unsafe-url. | |
| The application must not use versions of third-party libraries and dependencies with known vulnerabilities of high or critical severity. | Verify third-party libraries for reported vulnerabilities. |
| https://www.ssllabs.com/ssltest report | https://www.ssllabs.com/ssltest/analyze.html?d=upraise.app&s=35.181.18.79&hideResults=on |
| https://securityheaders.com report | https://securityheaders.com/?followRedirects=on&q=upraise.app |
| https://observatory.mozilla.org report | |
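The header-related items above (HSTS age, Cache-Control directives, cookie attributes, Referrer-Policy) can be checked mechanically against a captured response. The following is an added example, not part of the original checklist; the sample responses are constructed, and treating a cookie named `session` as the session cookie is an assumption.

```python
# Added example (not from the original checklist): audit captured response
# headers against the HSTS, Cache-Control, cookie and Referrer-Policy items.
ONE_YEAR = 365 * 24 * 3600  # minimum HSTS max-age the checklist requires
DISALLOWED_REFERRER = {"no-referrer-when-downgrade", "unsafe-url"}


def parse_directives(value, sep):
    """Split 'a=1; b' into {'a': '1', 'b': None}; names are lower-cased."""
    out = {}
    for part in value.split(sep):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"') or None
    return out


def audit_headers(headers, session_cookies=("session",)):
    """headers: list of (name, value) pairs as captured (Set-Cookie may repeat).
    session_cookies: cookie names treated as session-related (assumption).
    Returns a list of failure descriptions; an empty list means every check passed."""
    failures = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    hsts = by_name.get("strict-transport-security")
    age = parse_directives(hsts[0], ";").get("max-age") if hsts else None
    if age is None or not age.isdigit() or int(age) < ONE_YEAR:
        failures.append("HSTS missing or max-age below one year")

    # Sensitive pages must send no-cache and no-store, not merely private
    cc = parse_directives(", ".join(by_name.get("cache-control", [])), ",")
    if not {"no-cache", "no-store"}.issubset(cc):
        failures.append("Cache-Control lacks no-cache and no-store")

    for raw in by_name.get("set-cookie", []):
        name_part, _, attr_part = raw.partition(";")
        cookie = name_part.split("=", 1)[0].strip()
        attrs = parse_directives(attr_part, ";")
        if cookie in session_cookies and not {"httponly", "secure"}.issubset(attrs):
            failures.append(f"cookie {cookie} lacks HttpOnly and/or Secure")

    # Referrer-Policy may list fallbacks, so every listed token is checked
    policies = {t.strip().lower() for t in ",".join(by_name.get("referrer-policy", [])).split(",")}
    if not policies - {""} or policies & DISALLOWED_REFERRER:
        failures.append("Referrer-Policy missing or set to a disallowed value")
    return failures


# Constructed sample responses: a weak one and its hardened counterpart
WEAK = [("Strict-Transport-Security", "max-age=300"), ("Cache-Control", "private"),
        ("Set-Cookie", "session=abc123; Path=/"), ("Referrer-Policy", "unsafe-url")]
HARDENED = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Cache-Control", "no-cache, no-store"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
            ("Referrer-Policy", "strict-origin-when-cross-origin")]
```

Running `audit_headers(WEAK)` reports four failures, one per checklist item, while `audit_headers(HARDENED)` returns an empty list.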