Web Application Security Checklist

HTTPS (Browser Security Certificate)

  • Is there a certificate (HTTPS)? No. Set it up!
  • Advantages:
  • Disadvantages:
    • None


HTTP Headers

  • CSP (content-security-policy)



HTTP Cookies

  • SameSite: SameSite cookies let servers require that a cookie shouldn’t be sent with cross-site requests, which somewhat protects against cross-site request forgery attacks (CSRF). SameSite cookies are still experimental and not yet supported by all browsers.
  • HttpOnly: cookie attribute can help to mitigate an XSS attack by preventing access to the cookie value through JavaScript.
  • Secure: Tells the browser to use a secure protocol (HTTPS) for sending the cookie to the server.
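The three attributes above can be checked mechanically. The following is an added example, not code from the original checklist: a small Node.js helper that emits a Set-Cookie header with SameSite, HttpOnly and Secure set, and an audit function that reports which of those protections an existing header value is missing (including the case where SameSite=None is sent without Secure). The function names buildSetCookie and auditSetCookie, and the sample header values, are constructed for this example.

```javascript
// Added example (not part of the original checklist): build a Set-Cookie
// header with the attributes described above, and audit an existing header
// value for missing protections.

// Build a Set-Cookie header value. Defaults are the hardened choices:
// HttpOnly, Secure and SameSite=Lax.
function buildSetCookie(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = "Lax", path = "/", maxAge } = opts;
  if (!["Strict", "Lax", "None"].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  // Browsers only accept SameSite=None together with Secure.
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  if (httpOnly) parts.push("HttpOnly");
  if (secure) parts.push("Secure");
  parts.push(`SameSite=${sameSite}`);
  return parts.join("; ");
}

// Parse a Set-Cookie header value and return a list of findings (empty
// array means all three protections are present and consistent).
function auditSetCookie(header) {
  const segments = header.split(";").map((s) => s.trim()).filter(Boolean);
  const attrs = new Map();
  // segments[0] is name=value; the rest are attributes, with or without "=value".
  for (const seg of segments.slice(1)) {
    const eq = seg.indexOf("=");
    const key = (eq === -1 ? seg : seg.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? true : seg.slice(eq + 1).trim();
    attrs.set(key, val);
  }

  const findings = [];
  if (!attrs.has("httponly")) {
    findings.push("missing HttpOnly: cookie value readable by page scripts (XSS exposure)");
  }
  if (!attrs.has("secure")) {
    findings.push("missing Secure: cookie may be sent over plain HTTP");
  }
  const sameSite = attrs.get("samesite");
  if (sameSite === undefined) {
    findings.push("missing SameSite: browser default applies, CSRF protection not explicit");
  } else if (String(sameSite).toLowerCase() === "none" && !attrs.has("secure")) {
    findings.push("SameSite=None without Secure: browsers reject this combination");
  }
  return findings;
}

// Usage: constructed sample values, not taken from any real application.
const hardened = buildSetCookie("session", "abc 123", { maxAge: 3600 });
console.log(hardened);
console.log(auditSetCookie(hardened));            // []
console.log(auditSetCookie("session=abc; Path=/")); // three findings

module.exports = { buildSetCookie, auditSetCookie };
```

The audit is intended to run over the Set-Cookie headers a server actually emits (for example, captured from a test client), so that a cookie that loses one of these attributes during a refactor is caught before deployment.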



HSTS (HTTP Strict Transport Security)




XSS (Cross Site Scripting)



CSRF (Cross-Site Request Forgery)



Sub-Resource Integrity (SRI)



SQLI (SQL Injection)



Brute Force Attacks



Account Enumeration



Resource Enumeration