From 932c814d9f2cd8f77603d05f1a344b79c190bf81 Mon Sep 17 00:00:00 2001 From: sydseter Date: Wed, 2 Jul 2025 16:49:12 +0200 Subject: [PATCH 1/3] #127 SCP [83, 134, 135, 136, 137, 153, 158, 160, 161, 162,] Cornucopia - Communication Security, Data Protection, Access Control --- .../01-define-security-requirements.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md b/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md index 9a354bf8..1ed1f4ef 100644 --- a/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md +++ b/docs/en/04-design/02-web-app-checklist/01-define-security-requirements.md 
@@ -14,6 +14,21 @@ and use the lists below as suggestions for a checklist that has been tailored fo 5. The security configuration store for the application should be available in human readable form to support auditing 6. Isolate development environments from production and provide access only to authorized development and test groups 7. Implement a software change control system to manage and record changes to the code both in development and production +8. Turn off directory listings +9. Prevent accidentally accessible and sensitive pages from appearing in search engines using a robots.txt file, + the X-Robots-Tag response header or a robots html meta tag +10. Disable unnecessary HTTP methods, such as WebDAV extensions. If an extended HTTP method that supports file handling is + required, utilize a well-vetted authentication mechanism +11. Remove unnecessary information from HTTP response headers related to the OS, web-server version and application + frameworks unless implemented to confuse an attacker +12. Ensure the .git, .svn folders or any source control metadata aren't deployed together alongside the application in away + that makes these directly accessible externally or indirectly through the application +13. Do not store passwords, secrets, connection strings, key material, secret management integrations or other sensitive + information in clear text or in any non-cryptographically secure manner on the client, in source code, or build artifacts +14. Remove or restrict access to internal application and system documentation (such as for internal APIs) as this can reveal + backend system or other useful information to attackers +15. Restrict access to files or other resources, including those outside the application's direct control using an allow list + or the equivalent thereof. #### 2. Cryptographic practices From 91b3070f0e66e2cfb2544190c5ca1eaaf3f0b7e7 Mon Sep 17 00:00:00 2001 
From: sydseter Date: Wed, 2 Jul 2025 17:02:48 +0200 Subject: [PATCH 2/3] Fixes #127 adding missing words in the wordlist --- .wordlist-en.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 6db16963..80516ad4 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -524,11 +524,12 @@ wstg wtf www xsaero - Roxana Amauri Bizerra Ebihara Yuuki +svn +git BOPLA BOLA From a80ad288d30d0b0c9e9f7201bf984d556e97142e Mon Sep 17 00:00:00 2001 From: sydseter Date: Wed, 2 Jul 2025 17:07:34 +0200 Subject: [PATCH 3/3] Fixes #127 adding missing words in the wordlist --- .wordlist-en.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.wordlist-en.txt b/.wordlist-en.txt index 80516ad4..cc6db5e0 100644 --- a/.wordlist-en.txt +++ b/.wordlist-en.txt @@ -533,3 +533,4 @@ svn git BOPLA BOLA +WebDAV
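Review bot: In the first patch (items 8-15 added to `01-define-security-requirements.md`), item 12 has a typo, "in away" should read "in a way", and the list punctuation is inconsistent: items 5-14 end without a period while item 15 ends with "thereof." Drop the trailing period on item 15 (or add one to all new items) to match the existing entries. On item 9, a robots.txt file only asks well-behaved crawlers not to index a path; it does not prevent access and it publishes the listed paths to anyone who fetches it, so consider rewording to "using the X-Robots-Tag response header or a robots html meta tag" and stating that sensitive pages must still be protected by access control, keeping robots.txt as a convenience for non-sensitive content. Item 13 could also be tightened: "secret management integrations" is unclear as a thing that should not be stored in clear text; "credentials for secret management integrations" is probably what is meant.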
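Review bot: The second patch's hunk in `.wordlist-en.txt` also deletes an empty line between "xsaero" and "Roxana" that the commit message ("adding missing words in the wordlist") does not mention; either keep the blank line or note the cleanup in the message so the diff matches its description. The added entries "svn" and "git" are lowercase, which matches the ".git" and ".svn" folder names used in item 12, so that part is fine.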
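Review bot: The third patch only adds "WebDAV" to the same wordlist and has the same subject line as the second one; squash it into PATCH 2/3 so the series has one wordlist commit. Also, both wordlist commits use "Fixes #127" while the substantive change is PATCH 1/3 (titled "#127 SCP [...]"); the "Fixes" keyword belongs on the commit that actually resolves the issue, with the wordlist follow-ups referencing it plainly.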