Copy du contenu d'une page de
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Yannick Francois 98ecff16ed Start a securitychecklist project ? 5 years ago Start a securitychecklist project ? 5 years ago

Secutiry Checklist

Base on

Is the website only served over https?


$ curl -s -I | grep '^HTTP'
HTTP/1.1 301 Moved Permanently
$ curl -s -I | grep '^HTTP'
HTTP/1.1 200 OK

Is the HSTS http-header set?


$ curl -s -I | grep '^Strict'
Strict-Transport-Security: max-age=63072000; includeSubdomains;

Is the server certificate at least 4096 bits?


$ openssl s_client -showcerts -connect |& grep '^Server public key'
Server public key is 4096 bit

Is TLS1.2 the only supported protocol?


$ curl --sslv3
curl: (35) Server aborted the SSL handshake
$ curl --tlsv1.0 -I
curl: (35) Server aborted the SSL handshake
$ curl --tlsv1.1 -I
curl: (35) Server aborted the SSL handshake
$ curl --tlsv1.2 -s -I | grep 'HTTP'
HTTP/1.1 200 OK

Do all supported symmetric ciphers use at least 256 bit keys?


$ nmap --script ssl-enum-ciphers -p 443
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Is the Diffie-Hellman prime at least 4096 bits?


$ openssl s_client -connect -cipher "EDH" |& grep "^Server Temp Key"
Server Temp Key: DH, 4096 bits

Have you ensured that your content cannot be embedded in a frame on another website?


$ curl -s -I | grep '^X-Frame-Options'
X-Frame-Options: SAMEORIGIN
$ curl -s -I | grep '^X-Frame-Options' 
X-Frame-Options: DENY # Also acceptable

Have you ensured that the Internet Explorer content sniffer is disabled?


$ curl -s -I | grep '^X-Content'
X-Content-Type-Options: nosniff

Do all assets delivered via a content delivery network include subresource integrity hashes?


<link rel="stylesheet" href="" integrity="sha384-y3tfxAZXuh4HwSYylfB+J125MxIs6mR5FOHamPBG064zB+AFeWH94NdvaCBm8qnd" crossorigin="anonymous">

Are password entropy checks done during user sign-up, using, say AUTH_PASSWORD_VALIDATORS ?

Are you storing only the hash of your users password, and not the cleartext password, using (say) PBKDF?

Are failed login attempts throttled and IP addresses banned after a number of unsuccessful attempts, using (say) django-axes?

Are you using fail2ban to throttle ssh login attempts?


sudo fail2ban-client status sshd

Have you disabled password-based login over ssh, and only allowed key-based login?


$ cat /etc/ssh/sshd_config  | grep '^Password'
PasswordAuthentication no

Do session cookies have the ‘Secure’ and ‘HttpOnly’ flag set?


$ curl -s -I | grep '^Set-Cookie'
Set-Cookie: ****;Path=/;Expires=Fri, 16-Mar-2018 19:18:51 GMT;Secure;HttpOnly;Priority=HIGH


$ curl -s -I | grep '^Set-Cookie'
Set-Cookie: csrftoken=*****************; expires=Thu, 16-Mar-2017 01:26:03 GMT;Secure;HttpOnly; Max-Age=31449600; Path=/

Are all user uploads validated for expected content type?

Are the permissions of all uploaded files readonly?

Are all form fields (with the exception of password fields) validated with a restrictive regex?

Are there unit tests (say, using Selenium) which show that one authenticated user cannot access another user’s content?

Have you made sure that database passwords, server signing keys, and hash salts are not checked into source control?

Do you have an account recovery flow? Delete it immediately.