Secure Programming Best Practices

Actionable security checklists organized by OWASP Top 10 (2021) categories. Each item links to the relevant OWASP Cheat Sheet for detailed guidance.

How to Use

1. Identify which categories are relevant to the code being written or reviewed
2. Walk through the checklist items in this document for those categories
3. Consult the reference index below to find relevant ASVS chapters and cheat sheets by topic
4. Search local references for specific requirements — use Grep on references/ for keywords, ASVS IDs (V1, V1.2, V1.2.4), or topic terms. Never read entire files — search and read only matching sections with context (30–50 lines).
5. Use search_standards MCP tool (if available) to query coding and security standards beyond local references.
6. Fetch OWASP cheat sheets for implementation detail when local references aren't enough. Fetch the linked URL for every relevant checklist item.
7. For framework-specific guidance, see the Framework-Specific Security section and read or fetch the corresponding cheat sheet
8. Always include OWASP cheat sheet URLs and ASVS requirement IDs in your output

Local Reference Index

ASVS 5.0 — references/OWASP_Application_Security_Verification_Standard_5.0.0_en.csv CSV columns: chapter_id,chapter_name,section_id,section_name,req_id,req_description,level (L1=basic, L2=standard, L3=advanced)

ID	Chapter	Key sections
V1	Encoding and Sanitization	V1.1 Architecture, V1.2 Injection Prevention, V1.3 Sanitization, V1.4 Memory, V1.5 Safe Deserialization
V2	Validation and Business Logic	V2.2 Input Validation, V2.3 Business Logic, V2.4 Anti-automation
V3	Web Frontend Security	V3.2 Content Interpretation, V3.3 Cookie Setup, V3.4 Browser Headers, V3.5 Origin Separation, V3.6 Resource Integrity
V4	API and Web Service	V4.1 Generic Web Service, V4.2 HTTP Message Validation, V4.3 GraphQL, V4.4 WebSocket
V5	File Handling	V5.2 Upload and Content, V5.3 Storage, V5.4 Download
V6	Authentication	V6.2 Password, V6.3 General Auth, V6.4 Factor Lifecycle, V6.5 MFA, V6.6 Out-of-Band, V6.7 Cryptographic, V6.8 IdP
V7	Session Management	V7.2 Fundamental, V7.3 Timeout, V7.4 Termination, V7.5 Session Abuse, V7.6 Federated Re-auth
V8	Authorization	V8.2 General Design, V8.3 Operation Level, V8.4 Other
V9	Self-contained Tokens	V9.1 Source and Integrity, V9.2 Content
V10	OAuth and OIDC	V10.1 Generic, V10.2 Client, V10.3 Resource Server, V10.4 Auth Server, V10.5 OIDC Client, V10.6 OpenID Provider
V11	Cryptography	V11.2 Implementation, V11.3 Algorithms, V11.4 Hashing, V11.5 Random Values, V11.6 Public Key, V11.7 In-Use Data
V12	Secure Communication	V12.1 TLS Guidance, V12.2 HTTPS External, V12.3 Service-to-Service
V13	Configuration	V13.2 Backend Communication, V13.3 Secret Management, V13.4 Information Leakage
V14	Data Protection	V14.2 General, V14.3 Client-side
V15	Secure Coding and Architecture	V15.2 Dependencies, V15.3 Defensive Coding, V15.4 Concurrency
V16	Security Logging and Error Handling	V16.2 General Logging, V16.3 Security Events, V16.4 Log Protection, V16.5 Error Handling
V17	WebRTC	V17.1 TURN Server, V17.2 Media, V17.3 Signaling

Cheat Sheets (109 files) — references/cheatsheets/<Topic>_Cheat_Sheet.md

Category	Topics (filename prefixes)
Access Control	Access_Control, Authorization, Authorization_Testing_Automation, Insecure_Direct_Object_Reference_Prevention, Multi_Tenant_Security, Transaction_Authorization
Authentication	Authentication, Credential_Stuffing_Prevention, Forgot_Password, Multifactor_Authentication, Password_Storage, Choosing_and_Using_Security_Questions, SAML_Security, OAuth2, JAAS
Sessions and Cookies	Session_Management, Cookie_Theft_Mitigation
Tokens	JSON_Web_Token_for_Java
Injection	Input_Validation, SQL_Injection_Prevention, Query_Parameterization, OS_Command_Injection_Defense, LDAP_Injection_Prevention, Injection_Prevention, Injection_Prevention_in_Java, NoSQL_Security
XSS and Frontend	Cross_Site_Scripting_Prevention, DOM_based_XSS_Prevention, DOM_Clobbering_Prevention, Content_Security_Policy, Prototype_Pollution_Prevention, XSS_Filter_Evasion, XS_Leaks, Clickjacking_Defense, Securing_Cascading_Style_Sheets, HTML5_Security, AJAX_Security, Browser_Extension_Vulnerabilities
CSRF and SSRF	Cross-Site_Request_Forgery_Prevention, Server_Side_Request_Forgery_Prevention, Unvalidated_Redirects_and_Forwards
Cryptography and TLS	Cryptographic_Storage, Key_Management, Transport_Layer_Security, Transport_Layer_Protection, TLS_Cipher_String, HTTP_Strict_Transport_Security, Pinning
API Security	REST_Security, REST_Assessment, GraphQL, gRPC_Security, WebSocket_Security, Web_Service_Security
Data Integrity	Deserialization, Mass_Assignment, File_Upload, Bean_Validation
Secrets and Config	Secrets_Management, HTTP_Headers, PHP_Configuration, Database_Security
Logging and Errors	Logging, Logging_Vocabulary, Error_Handling
Infrastructure	Docker_Security, Kubernetes_Security, Infrastructure_as_Code_Security, CI_CD_Security, Network_Segmentation, Secure_Cloud_Architecture, Serverless_FaaS_Security, Zero_Trust_Architecture
Supply Chain	Vulnerable_Dependency_Management, Dependency_Graph_SBOM, NPM_Security, Software_Supply_Chain_Security, Third_Party_Javascript_Management
AI and LLM	AI_Agent_Security, LLM_Prompt_Injection_Prevention, Secure_AI_Model_Ops
Design and Architecture	Threat_Modeling, Abuse_Case, Attack_Surface_Analysis, Secure_Product_Design, Secure_Code_Review, Legacy_Application_Management, Virtual_Patching, Vulnerability_Disclosure, User_Privacy_Protection, Denial_of_Service
Mobile and IoT	Mobile_Application_Security, Automotive_Security, Drone_Security
Frameworks	Django_Security, Django_REST_Framework, Laravel, Symfony, Ruby_on_Rails, Nodejs_Security, NodeJS_Docker, DotNet_Security, Java_Security, C-Based_Toolchain_Hardening
Payments and Microservices	Third_Party_Payment_Gateway_Integration, Microservices_Security, Microservices_based_Security_Arch_Doc

Language-Specific Security Patterns — references/<language>-security-patterns.md

File	Covers
python-security-patterns.md	Injection, deserialization, SSRF, supply chain, XML/XXE, async
rust-security-patterns.md	Unsafe soundness, FFI, async/concurrency, supply chain, archive traversal
go-security-patterns.md	Parsing footguns, concurrency, SSRF, template injection, supply chain
typescript-security-patterns.md	Prototype pollution, XSS/DOM, SSRF, supply chain, type coercion

Each file includes language-specific security scanner recommendations.

Searching References

Use Grep on references/ for keywords or IDs. Use Read with offset/limit for targeted sections. Fall back to web fetch from https://cheatsheetseries.owasp.org/cheatsheets/ if local content is insufficient.

---

A01: Broken Access Control

• Deny access by default; require explicit grants (Access Control)
• Enforce authorization server-side; never rely on client-side checks (Authorization)
• Use indirect object references or validate ownership before returning resources (IDOR Prevention)
• Apply rate limiting and account lockout to prevent brute-force
• Log all access control failures and alert on repeated attempts
• Invalidate sessions and tokens on logout and password change (Session Management)
• Validate CORS configuration; avoid Access-Control-Allow-Origin: * for authenticated endpoints (HTTP Headers)
• For multi-tenant systems, enforce tenant isolation at every data access layer (Multi-Tenant Security)

A02: Cryptographic Failures

• Use TLS 1.2+ for all data in transit; disable older protocols (TLS)
• Enable HSTS with includeSubDomains and adequate max-age (HSTS)
• Use strong, modern algorithms (AES-256-GCM, ChaCha20-Poly1305); avoid DES, RC4, MD5, SHA-1 (Cryptographic Storage)
• Store passwords with Argon2id, bcrypt, or scrypt — never plain hashes (Password Storage)
• Manage secrets through a vault or environment variables; never hardcode (Secrets Management)
• Rotate keys on a defined schedule; support key versioning (Key Management)

A03: Injection

• Validate all input: type, length, range, format; use allowlists over denylists (Input Validation)
• Use parameterized queries or prepared statements for all SQL (SQL Injection Prevention, Query Parameterization)
• Context-escape all output: HTML-encode for HTML, JS-encode for JavaScript, URL-encode for URLs (XSS Prevention, DOM-based XSS Prevention)
• Avoid OS command execution; if unavoidable, use strict allowlists and no shell interpolation (OS Command Injection Defense)
• Sanitize LDAP input using established escape functions (LDAP Injection Prevention)
• Deploy Content Security Policy to mitigate XSS impact (CSP)
• Prevent DOM clobbering by avoiding document.getElementById on user-controllable IDs (DOM Clobbering Prevention)
• Guard against prototype pollution in JavaScript by freezing prototypes or using Object.create(null) (Prototype Pollution Prevention)

A04: Insecure Design

• Perform threat modeling early in the design phase (Threat Modeling)
• Identify and document abuse cases alongside use cases (Abuse Case)
• Analyze and minimize the attack surface for each feature (Attack Surface Analysis)
• Follow secure product design principles: least privilege, defense in depth, fail secure (Secure Product Design)

A05: Security Misconfiguration

• Disable unnecessary features, ports, services, and default accounts
• Harden Docker containers: non-root user, read-only filesystem, minimal base image (Docker Security)
• Apply Kubernetes security best practices: pod security policies, network policies, RBAC (Kubernetes Security)
• Scan IaC templates for misconfigurations before deployment (IaC Security)
• Disable XML external entity processing in all XML parsers (XXE Prevention)
• Set security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, etc. (HTTP Headers)
• Secure CI/CD pipelines: least-privilege tokens, signed artifacts, audit logs (CI/CD Security)

A06: Vulnerable and Outdated Components

• Maintain an inventory of all dependencies and their versions (Dependency Graph / SBOM)
• Continuously scan dependencies for known vulnerabilities (Vulnerable Dependency Management)
• Audit third-party JavaScript for integrity and behavior (Third Party JS Management)
• Use lockfiles and verify package integrity hashes (NPM Security)
• Review supply chain security practices for critical dependencies (Software Supply Chain Security)

A07: Identification and Authentication Failures

• Enforce minimum password complexity and check against breached password lists (Authentication)
• Implement MFA for privileged and sensitive operations (MFA)
• Generate session IDs server-side with high entropy; regenerate after authentication (Session Management)
• Secure password reset flows: time-limited tokens, side-channel verification (Forgot Password)
• Prevent credential stuffing with rate limiting, CAPTCHA, and device fingerprinting (Credential Stuffing Prevention)
• Implement OAuth 2.0 with PKCE for public clients (OAuth 2.0)
• Set cookie attributes: Secure, HttpOnly, SameSite, proper Path and Domain (Cookie Theft Mitigation)

A08: Software and Data Integrity Failures

• Never deserialize untrusted data; if required, validate schema and use safe libraries (Deserialization)
• Protect against mass assignment: explicitly allowlist assignable fields (Mass Assignment)
• Validate file uploads: check type via magic bytes (not just extension or Content-Type header), enforce size limits, and re-encode/re-process content to strip metadata and neutralize polyglots. Store outside webroot with random names. Explicitly reject dangerous types: SVG (can contain embedded JavaScript), HTML, executable files (.exe, .sh, .bat), and server-side scripts (.php, .jsp). (File Upload)
• Verify integrity of software artifacts with checksums and signatures

A09: Security Logging and Monitoring Failures

• Log authentication events, access control failures, input validation failures, and application errors (Logging)
• Use consistent log format and vocabulary for automated analysis (Logging Vocabulary)
• Never log sensitive data: passwords, tokens, PII, credit card numbers
• Return generic error messages to users; log detailed errors server-side (Error Handling)
• Set up alerts for anomalous patterns: brute force, privilege escalation, unusual data access

A10: Server-Side Request Forgery (SSRF)

• Validate and sanitize all user-supplied URLs (SSRF Prevention)
• Use allowlists for permitted domains and protocols
• Block requests to internal/private IP ranges (127.0.0.0/8, 10.0.0.0/8, 169.254.0.0/16, etc.)
• Disable unnecessary URL schemes (file://, gopher://, ftp://)
• Run server-side HTTP clients in network-restricted environments when possible

---

API Security

• Authenticate and authorize every API request (REST Security)
• Validate request content types and reject unexpected media types
• Apply rate limiting and request size limits
• For GraphQL: limit query depth and complexity; disable introspection in production (GraphQL)
• For gRPC: use TLS, validate protobuf messages, implement interceptor-based auth (gRPC Security)
• For WebSockets: validate origin, authenticate the handshake, validate all messages (WebSocket Security)
• Prevent CSRF with synchronizer tokens or SameSite cookies (CSRF Prevention)
• Validate redirect URLs against an allowlist (Unvalidated Redirects)

AI and LLM Security

• Validate and sanitize all LLM inputs and outputs (LLM Prompt Injection Prevention)
• Apply least privilege to AI agent tool access and actions (AI Agent Security)
• Secure model serving infrastructure: access controls, input limits, monitoring (Secure AI Model Ops)

Framework-Specific Security

When working with a specific framework, consult the relevant cheat sheet for framework-specific pitfalls and mitigations:

Framework	Cheat Sheet
Django	Django Security, Django REST Framework
Laravel	Laravel
Symfony	Symfony
Ruby on Rails	Ruby on Rails
Node.js	Node.js Security, Node.js Docker
.NET	.NET Security
Java	Java Security, Injection Prevention in Java
C/C++	C-Based Toolchain Hardening

Additional References

For topics not covered above, browse the full index: OWASP Cheat Sheet Series Index