SANS SWAT Checklist
Error handling & logging
Display generic error messages.
No unhandled exceptions.
Suppress framework-generated errors.
Log all authentication activities.
Log all privilege changes.
Log administrative activities.
Log access to sensitive data.
Do not log inappropriate data.
Store logs securely.
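The two halves of this section (say nothing useful to the attacker, log everything useful to the defender) are easy to get backwards in practice: stack traces leak into responses, and passwords or card numbers leak into log files. The following Python is an added illustration, not part of the SANS checklist: a small redacting JSON logger for the authentication, privilege, admin and sensitive-data events the list names, plus an error handler that logs the real exception server-side and returns only a generic message with a reference id. The sensitive-key list, the log line shape and the sample events are assumptions made up for the example.

```python
import json
import logging
import re
import secrets
from typing import Any, Dict

# Keys whose values must never reach a log ("Do not log inappropriate data").
# This list is an assumption for the example; extend it for your own schema.
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "authorization",
                  "session_id", "card_number", "cvv"}
# Runs of 13-19 digits with optional space/dash separators: candidate payment card numbers.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

logger = logging.getLogger("security")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so only real-looking card numbers get masked, not every long number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_pan(match: "re.Match[str]") -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    return "[PAN-REDACTED]" if luhn_valid(digits) else match.group(0)


def redact(event: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the event with sensitive keys masked and card numbers scrubbed from free text."""
    clean: Dict[str, Any] = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            clean[key] = "[REDACTED]"
        elif isinstance(value, dict):
            clean[key] = redact(value)          # nested structures (headers, form bodies) too
        elif isinstance(value, str):
            clean[key] = PAN_RE.sub(_mask_pan, value)
        else:
            clean[key] = value
    return clean


def log_security_event(event_type: str, **fields: Any) -> str:
    """One JSON line per authentication / privilege / admin / sensitive-data event.

    Returns the line so callers (and tests) can see exactly what was written."""
    line = json.dumps({"event": event_type, **redact(fields)}, sort_keys=True)
    logger.info(line)
    return line


def generic_error_response(exc: Exception, request_id: str = "") -> Dict[str, Any]:
    """Log the real exception with its traceback server-side; the client only gets a
    generic message and a reference id that support staff can grep for."""
    ref = request_id or secrets.token_hex(8)
    logger.error("unhandled exception ref=%s type=%s", ref, type(exc).__name__, exc_info=exc)
    return {"status": 500, "body": {"error": "An internal error occurred.", "reference": ref}}
```

Wire `generic_error_response` in as the framework's last-resort exception handler (Flask's `errorhandler(Exception)`, Django's `handler500`, etc.) so that no unhandled exception ever renders a framework debug page, and ship the JSON lines to a log system the application process cannot write to retroactively.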
Data protection
Use TLS (SSL) everywhere.
Disable plain-HTTP access for all TLS-enabled resources.
Use the Strict-Transport-Security header.
Store user passwords using a strong, iterative, salted hash.
Securely exchange encryption keys.
Disable weak TLS/SSL protocol versions and ciphers on servers.
Use valid TLS certificates from a reputable CA.
Disable data caching using cache control headers and autocomplete.
Limit the use and storage of sensitive data.
Configuration and operations
Establish a rigorous change management process.
Define security requirements.
Conduct a design review.
Perform code reviews.
Perform security testing.
Harden the infrastructure.
Define an incident handling plan.
Educate the team on security.
Authentication
Don't hardcode credentials.
Develop a strong password reset system.
Implement a strong password policy.
Implement account lockout against brute force attacks.
Don't disclose too much information in error messages.
Store database credentials securely.
Applications and Middleware should run with minimal privileges.
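Three of the items above interact in a way the bare list does not spell out: account lockout, uniform error messages and credential handling all have to be built into the same login path, otherwise the lockout logic itself becomes a user-enumeration oracle (locked accounts answer differently from unknown ones). The Python below is an added example, not code from SANS: a per-account throttle that locks after a burst of failures, a `login` function that returns the identical message for wrong password, unknown user and locked account, and a helper that reads database credentials from the environment instead of source. The thresholds (5 failures in 15 minutes, 15-minute lock), the injected clock and the `check_password` callback are assumptions of the example; in production the callback would be a real verifier such as a PBKDF2 or Argon2 check and the counters would live in a shared store, not process memory.

```python
import os
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple

MAX_FAILURES = 5              # failures inside FAILURE_WINDOW that trip the lock (assumption)
FAILURE_WINDOW = 15 * 60      # seconds
LOCKOUT_SECONDS = 15 * 60     # temporary lock, not a permanent one an attacker could use for DoS
# One message for wrong password, unknown user and locked account alike: no enumeration.
GENERIC_FAILURE = "Invalid username or password."


def normalize_username(username: str) -> str:
    return username.strip().lower()


class LoginThrottle:
    """Per-account failure counter with a temporary lock; the clock is injectable for tests."""

    def __init__(self, max_failures: int = MAX_FAILURES, window: int = FAILURE_WINDOW,
                 lockout: int = LOCKOUT_SECONDS, clock: Callable[[], float] = time.time):
        self.max_failures, self.window, self.lockout, self.clock = max_failures, window, lockout, clock
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(normalize_username(username))
        return until is not None and self.clock() < until

    def record_failure(self, username: str) -> None:
        key, now = normalize_username(username), self.clock()
        q = self._failures.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] > self.window:      # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, username: str) -> None:
        key = normalize_username(username)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def login(throttle: LoginThrottle, username: str, password: str, users: Dict[str, str],
          check_password: Callable[[str, str], bool], dummy_hash: str = "") -> Tuple[bool, str]:
    """users maps normalized username -> stored hash; check_password(password, stored) verifies it.

    dummy_hash is verified for unknown users so that path costs as much time as a real one."""
    if throttle.is_locked(username):
        return False, GENERIC_FAILURE          # same text as a wrong password
    stored = users.get(normalize_username(username))
    ok = check_password(password, stored if stored is not None else dummy_hash) and stored is not None
    if ok:
        throttle.record_success(username)
        return True, "ok"
    throttle.record_failure(username)          # counts unknown users too, so probing is throttled
    return False, GENERIC_FAILURE


def db_credentials_from_env() -> Dict[str, str]:
    """Database credentials come from the environment (injected by the platform or a secret
    store), never from source code or a checked-in config file."""
    missing = [k for k in ("DB_USER", "DB_PASSWORD") if not os.environ.get(k)]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return {"user": os.environ["DB_USER"], "password": os.environ["DB_PASSWORD"]}
```

Every outcome of `login` is also a logging event ("Log all authentication activities" above); the generic message goes to the client, the specific reason (unknown user, bad password, locked) goes to the security log.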
Session management
Ensure that session identifiers are sufficiently random.
Regenerate session tokens.
Implement an idle session timeout.
Implement an absolute session timeout.
Destroy sessions at any sign of tampering.
Invalidate the session after logout.
Place a logout button on every page.
Use secure cookie attributes (i.e. the HttpOnly and Secure flags).
Set the cookie domain and path correctly.
Set the cookie expiration time.
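Every item in this section maps onto one method of a session store, and seeing them together makes the interactions clear (for instance, that the absolute timeout keeps running across an id rotation, and that a tampered session is destroyed rather than just rejected). The Python below is an added example, not code from SANS: an in-memory `SessionStore` with CSPRNG identifiers, idle and absolute timeouts, rotation on login or privilege change, destruction on fingerprint mismatch or logout, and the `Set-Cookie` values that go with it. The 20-minute idle and 8-hour absolute limits, the `sid` cookie name and the fingerprint (for example a hash of the User-Agent) are assumptions of the example; a real deployment would keep the table in a shared store.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 20 * 60          # seconds without a request before the session dies (assumption)
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime from authentication, regardless of activity
COOKIE_NAME = "sid"


@dataclass
class Session:
    user_id: str
    fingerprint: str      # e.g. hash of the User-Agent; a mismatch is treated as tampering
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, idle: int = IDLE_TIMEOUT, absolute: int = ABSOLUTE_TIMEOUT,
                 clock: Callable[[], float] = time.time):
        self.idle, self.absolute, self.clock = idle, absolute, clock
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_id() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter or timestamp

    def create(self, user_id: str, fingerprint: str) -> str:
        """After successful authentication: a brand-new id, never one the client supplied."""
        now = self.clock()
        sid = self._new_id()
        self._sessions[sid] = Session(user_id, fingerprint, now, now)
        return sid

    def get(self, sid: Optional[str], fingerprint: str) -> Optional[Session]:
        """Live session or None. Expired or tampered sessions are destroyed on sight."""
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None
        now = self.clock()
        if (session.fingerprint != fingerprint
                or now - session.last_seen > self.idle
                or now - session.created > self.absolute):
            self.destroy(sid)
            return None
        session.last_seen = now
        return session

    def rotate(self, sid: str) -> Optional[str]:
        """Fresh id for the same session (login, privilege change); the old id stops working.
        The absolute timeout is not reset: it is measured from creation."""
        session = self._sessions.pop(sid, None)
        if session is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: Optional[str]) -> None:
        """Logout, tampering or expiry: drop server-side state so the id cannot be replayed."""
        if sid:
            self._sessions.pop(sid, None)


def set_cookie_header(sid: str, path: str = "/", domain: Optional[str] = None,
                      max_age: int = ABSOLUTE_TIMEOUT) -> str:
    """Set-Cookie value with Secure, HttpOnly and SameSite. Domain is omitted unless subdomains
    must share the cookie: a host-only cookie is the narrowest scope."""
    parts = [f"{COOKIE_NAME}={sid}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts += [f"Max-Age={max_age}", "Secure", "HttpOnly", "SameSite=Strict"]
    return "; ".join(parts)


def clear_cookie_header(path: str = "/", domain: Optional[str] = None) -> str:
    """Sent on logout together with SessionStore.destroy(): expire the cookie immediately."""
    return set_cookie_header("", path, domain, max_age=0)
```

Note that `set_cookie_header` ties `Max-Age` to the absolute timeout; the idle timeout is enforced server-side only, since the client cannot be trusted to expire anything.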
Input & output handling
Conduct contextual output encoding.
Prefer allow lists (whitelists) over deny lists (blacklists).
Use parameterized SQL queries.
Use tokens to prevent forged requests.
Set the encoding for your application.
Validate uploaded files.
Use the X-Content-Type-Options: nosniff header for uploaded content.
Validate the source of input.
Use the X-Frame-Options header.
Use Content Security Policy (CSP) or X-XSS-Protection headers.
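Parameterized queries, allow lists and contextual output encoding are three answers to the same question (where does untrusted data end up, and what does the interpreter there treat as syntax?), and the CSRF token item belongs with them because it guards the same request boundary. The Python below is an added example, not code from SANS, that puts them side by side against an in-memory SQLite table with constructed rows: a deliberately vulnerable string-built query next to its parameterized form, an allow list for the one thing a bind parameter cannot carry (a column name), one encoder per output context, and an HMAC-based anti-CSRF token bound to the session id. Table layout, sample rows, the `render_profile` template and the token scheme are all assumptions of the example.

```python
import hashlib
import hmac
import html
import json
import sqlite3
from typing import List, Tuple
from urllib.parse import quote

ALLOWED_SORT_COLUMNS = {"name", "created"}   # allow list: identifiers cannot be bound as parameters


def demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (assumption for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created TEXT)")
    conn.executemany("INSERT INTO users (name, created) VALUES (?, ?)",
                     [("alice", "2024-01-01"), ("bob", "2024-02-01"), ("carol", "2024-03-01")])
    return conn


def find_users_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[int, str]]:
    # Deliberately vulnerable: user input is concatenated into the statement text.
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def find_users(conn: sqlite3.Connection, name: str, sort: str = "name") -> List[Tuple[int, str]]:
    # Data travels as a bound parameter; the column name is validated against the allow list.
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT id, name FROM users WHERE name = ? ORDER BY {sort}", (name,)).fetchall()


# Contextual output encoding: choose the encoder for the destination, not for the source.
def for_html_text(value: str) -> str:
    return html.escape(value, quote=True)


def for_html_attr(value: str) -> str:
    return html.escape(value, quote=True)       # and always put the attribute value in quotes


def for_js_string(value: str) -> str:
    # JSON string literal; < > & are additionally escaped so "</script>" cannot close the block.
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def for_url_param(value: str) -> str:
    return quote(value, safe="")


def render_profile(name: str) -> str:
    """The same untrusted value placed in four different contexts, each with its own encoder."""
    return (f"<p>{for_html_text(name)}</p>"
            f'<a href="/u?name={for_url_param(name)}" title="{for_html_attr(name)}">link</a>'
            f"<script>var user = {for_js_string(name)};</script>")


# Anti-CSRF token bound to the session: HMAC over the session id under a server-side secret.
# The token is embedded in forms and checked on every state-changing request.
def csrf_token(session_id: str, secret: bytes) -> str:
    return hmac.new(secret, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_csrf(session_id: str, token: str, secret: bytes) -> bool:
    return hmac.compare_digest(csrf_token(session_id, secret), token or "")
```

The vulnerable function is kept only so the difference is visible: with the payload `' OR '1'='1` it returns every row, while the parameterized version returns none, because the payload is compared as a literal string.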
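The header items scattered across this checklist (Strict-Transport-Security and cache control under "Data protection", nosniff, X-Frame-Options and CSP here) are normally set in one place, and uploaded content needs its own, stricter set. The Python below is an added example, not code from SANS, covering both sections: a baseline header set for HTML pages, the plain-HTTP to HTTPS redirect, an upload validator (extension allow list, magic bytes, size cap, random stored name) with the inert headers to serve such files, and a small audit function that reports which items a response is missing. The allowed upload types, size limit, host name and exact policy strings are assumptions of the example; the CSP in particular must be tuned to what the application actually loads.

```python
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Allow-listed upload types: extension -> (MIME type, accepted magic-byte prefixes). Assumption.
ALLOWED_UPLOADS = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024


def security_headers(*, script_nonce: Optional[str] = None, cacheable: bool = False) -> Dict[str, str]:
    """Baseline response headers for an HTML page served over HTTPS."""
    csp = "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    if script_nonce:
        csp += f"; script-src 'self' 'nonce-{script_nonce}'"   # per-response nonce, no 'unsafe-inline'
    headers = {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # only meaningful over HTTPS
        "Content-Security-Policy": csp,
        "X-Frame-Options": "DENY",             # legacy clickjacking control; frame-ancestors wins where supported
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "0",               # the browser auditor is retired; "0" disables its side effects
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    if not cacheable:
        headers["Cache-Control"] = "no-store"  # keeps sensitive pages out of browser and proxy caches
        headers["Pragma"] = "no-cache"
    return headers


def https_redirect(host: str, path: str) -> Tuple[int, Dict[str, str]]:
    """Answer any plain-HTTP request with a permanent redirect to the HTTPS origin."""
    return 301, {"Location": f"https://{host}{path}"}


def validate_upload(filename: str, data: bytes) -> Tuple[str, str]:
    """Allow-list the extension, check magic bytes, cap the size; return (stored name, MIME type).
    The stored name is random so the client never chooses a path or a served extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_UPLOADS:
        raise ValueError("file type not allowed")
    mime, magics = ALLOWED_UPLOADS[ext]
    if len(data) == 0 or len(data) > MAX_UPLOAD_BYTES:
        raise ValueError("invalid file size")
    if not any(data.startswith(m) for m in magics):
        raise ValueError("content does not match extension")
    return f"{secrets.token_hex(16)}{ext}", mime


def upload_response_headers(mime: str, download_name: str) -> Dict[str, str]:
    """Serve user-supplied files inertly: declared type, no sniffing, no scripts, as an attachment."""
    safe_name = "".join(c for c in download_name if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Checklist items a response fails; an empty list means the baseline is present."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "content-security-policy" not in h and "x-frame-options" not in h:
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")
    if "no-store" not in h.get("cache-control", ""):
        findings.append("response cacheable (Cache-Control: no-store absent)")
    return findings
```

Two caveats the checklist wording does not carry: modern browsers have removed the XSS auditor that X-XSS-Protection controlled, so CSP is the real defence and the header is set to `0` only to neutralise the auditor in old clients; and `Cache-Control: no-store` covers the HTTP side of "disable data caching", while `autocomplete="off"` on sensitive form fields is a separate, HTML-side setting.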
Access control
Apply access control checks consistently.
Apply the principle of least privilege.
Don’t use direct object references for access control checks.
Don’t use unvalidated forwards or redirects.
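The four access-control items are short enough to be misread as four unrelated rules; the Python below is an added example, not code from SANS, that shows how they combine in one request path. A single policy function is the only place that decides what a user may do (consistent checks, least privilege: owners read and update, only admins delete); object ids exposed to the client are opaque per-session tokens rather than database keys, and the real id is still authorized after lookup; and a redirect validator allow-lists the destination instead of trusting a `next=` parameter. The document table, role table, token length and allowed host are assumptions of the example.

```python
import secrets
from typing import Dict, Optional, Sequence
from urllib.parse import urlsplit

# Constructed sample data for the example.
DOCUMENTS: Dict[str, dict] = {"doc-100": {"owner": "alice", "title": "Q1 plan"},
                              "doc-200": {"owner": "bob", "title": "Budget"}}
ROLE_OF: Dict[str, str] = {"alice": "user", "bob": "user", "root": "admin"}


def can(user: str, action: str, doc: dict) -> bool:
    """The one policy function every handler goes through; no per-handler ad-hoc checks."""
    if ROLE_OF.get(user) == "admin":
        return True
    if doc["owner"] == user:
        return action in ("read", "update")      # least privilege: owners cannot delete
    return False


class IndirectReferenceMap:
    """Per-session map of opaque tokens <-> real object ids, so URLs never carry database keys.
    Create one per session; a token from another session resolves to nothing."""

    def __init__(self) -> None:
        self._to_real: Dict[str, str] = {}
        self._to_token: Dict[str, str] = {}

    def token_for(self, real_id: str) -> str:
        if real_id not in self._to_token:
            token = secrets.token_urlsafe(12)
            self._to_token[real_id] = token
            self._to_real[token] = real_id
        return self._to_token[real_id]

    def resolve(self, token: str) -> Optional[str]:
        return self._to_real.get(token)


def fetch_document(user: str, refmap: IndirectReferenceMap, token: str,
                   action: str = "read") -> Optional[dict]:
    """Resolve the indirect reference and still run the policy check: the map hides ids,
    it does not replace authorization."""
    real_id = refmap.resolve(token)
    doc = DOCUMENTS.get(real_id) if real_id else None
    if doc is None or not can(user, action, doc):
        return None                               # same answer for "no such doc" and "not yours"
    return doc


def safe_redirect_target(target: Optional[str], allowed_hosts: Sequence[str] = ("app.example.com",),
                         default: str = "/") -> str:
    """Return target only if it stays on this site (relative path or https on an allowed host)."""
    if not target:
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:              # absolute or protocol-relative URL
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return default
        return target
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return default                            # "//evil" and "/\evil" are treated as hosts by browsers
    return target
```

`fetch_document` deliberately returns the same `None` for a missing document and a forbidden one, so that probing tokens does not reveal which objects exist.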