Web Application Security Checklist by probely

The checklist

General security

  •  I use prepared statements in SQL queries
  •  I do not concatenate any other input data to SQL queries other than the bound parameters
  •  I validate all input data server-side
  •  I output-encode all user-supplied data before including it in the response sent to the browser
  •  I have disabled directory listing in the web server
  •  I include a CSRF token in requests that change state (or I use the SameSite cookie attribute for the session cookie)
  •  I do not show errors with stack traces, source code, full paths or any other internal data
  •  I verify the content type of uploaded files and delete the ones that fail the check
  •  If I handle XML files, I have disabled external entity and DTD processing
  •  I use HTTPS and I send the Strict-Transport-Security header
  •  I only accept TLS 1.2 or higher
  •  I set the Secure, HttpOnly and SameSite=lax attributes in session cookies
  •  I set the Secure attribute in all other cookies, and if possible HttpOnly also
  •  All 3rd-party JavaScript libraries that my app uses are updated to the latest version

    I have a login feature and cannot use an existing service:
  •  I store passwords using a strong cryptographic function (scrypt, argon2, bcrypt, or PBKDF2)
  •  I ask for the current password to set a new password, email or any other information used in the password reset process
  •  I only accept passwords longer than 12 chars and reject common passwords (top 1000)
  •  I support multi-factor authentication
  •  I limit the number of attempts to endpoints such as login, password reset and 2FA validation
  •  I use my language's established libraries to create and validate JSON Web Tokens (JWT) rather than my own implementation
  •  I destroy the session server-side and invalidate the matching JSON Web Token (JWT) when the user logs out
  •  I destroy the password reset token after it is used and after a pre-defined time
Checklist version 1.1
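The password-storage, password-policy and reset-token items above, worked through in Python as an added example (not part of the Probely checklist): PBKDF2-HMAC-SHA256 with a random salt, a constant-time verify, a length/common-password check, and reset tokens that are destroyed on first use or after a TTL. The common-password set is a constructed stand-in for the "top 1000" list; the iteration count and TTL are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-in for the top-1000 common password list (assumption: lower-cased entries).
COMMON_PASSWORDS = {"password", "123456789012", "qwertyuiop12", "letmein12345"}


def password_acceptable(pw):
    """Checklist: longer than 12 characters and not on the common-password list."""
    return len(pw) > 12 and pw.lower() not in COMMON_PASSWORDS


def hash_password(pw, iterations=600_000):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt; the result is self-describing."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw, stored):
    """Recompute with the stored salt/iterations and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


class ResetTokens:
    """Single-use, time-limited reset tokens; only a SHA-256 of each token is stored."""

    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl, self.now, self._store = ttl_seconds, now, {}

    def issue(self, user_id):
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._store[key] = (user_id, self.now() + self.ttl)
        return token

    def redeem(self, token):
        """Return the user id exactly once, or None if unknown, expired or already used."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._store.pop(key, None)  # pop destroys the token on first use
        if entry is None:
            return None
        user_id, expires = entry
        return user_id if self.now() < expires else None
```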

Read more at

https://github.com/Probely/security_checklist

https://www.probely.com

Real IP on nginx with Cloudflare

Create the following file

/etc/nginx/cloudflare

with the following content

# Cloudflare IP addresses
# sources
# https://www.cloudflare.com/ips-v4/
# https://www.cloudflare.com/ips-v6/
#
# IPv4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;

# IPv6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;

real_ip_header CF-Connecting-IP;

Then, in /etc/nginx/nginx.conf, inside the http { ... } block, add:

include /etc/nginx/cloudflare;

Test the configuration with nginx -t and, if it succeeds, stop and start nginx.
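Why the set_real_ip_from list matters: nginx only honours CF-Connecting-IP when the TCP peer is one of the listed networks, so a client connecting directly cannot forge its address by sending the header itself. The following added Python example (not from the post or from nginx) parses the directive syntax used in the file above and mirrors that trust decision in simplified form, ignoring real_ip_recursive; the embedded config is a constructed three-network excerpt, and the full list must be kept in sync with Cloudflare's published ranges.

```python
import ipaddress

# Constructed excerpt of the /etc/nginx/cloudflare file (same directive syntax as above);
# a real check should read the complete, current file instead.
CLOUDFLARE_CONF = """\
# IPv4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 173.245.48.0/20;
# IPv6
set_real_ip_from 2606:4700::/32;

real_ip_header CF-Connecting-IP;
"""


def parse_realip_conf(conf_text):
    """Return (trusted networks, header name) from set_real_ip_from / real_ip_header lines."""
    nets, header = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, arg = parts
        if directive == "set_real_ip_from":
            nets.append(ipaddress.ip_network(arg.strip(), strict=False))
        elif directive == "real_ip_header":
            header = arg.strip()
    return nets, header


def client_ip(peer_addr, headers, trusted_nets, header_name):
    """Simplified mirror of nginx's realip decision (no real_ip_recursive handling):
    the header is used only when the TCP peer is one of the trusted proxy networks."""
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in trusted_nets):
        return str(peer)  # direct client: a forged header is ignored
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    value = lowered.get(header_name.lower())
    if value is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return str(peer)  # malformed header value: fall back to the peer address
```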

Tengine

Tengine is a web server originated by Taobao, the largest e-commerce website in Asia. It is based on the Nginx HTTP server and has many advanced features. Tengine has proven to be very stable and efficient on some of the top 100 websites in the world, including Taobao.com, Tmall.com, Youku, AliExpress, Lazada and Alibaba Cloud.

  • All features of nginx-1.24.0 are inherited, i.e., it is 100% compatible with nginx.
  • Dynamically reconfigure the servers, locations and upstreams without reloading or restarting worker processes with tengine-ingress.
  • HTTP/3 support (QUIC v1 and draft-29) with xquic.
  • High-speed UDP transmission with kernel-bypass.
  • Dynamically reconfigure routing based on standard and custom HTTP headers, header value, and weights with tengine-ingress.
  • Dynamically reconfigure timeout setting, SSL Redirects, CORS and enabling/disabling robots for the server and location with tengine-ingress.
  • Support the CONNECT HTTP method for forward proxy.
  • Support asynchronous OpenSSL, using hardware such as QAT for HTTPS acceleration.
  • Enhanced operations monitoring, such as asynchronous log & rollback, DNS caching, memory usage, etc.
  • Support server_name in Stream module.
  • More load balancing methods, e.g., consistent hashing, and session persistence.
  • Input body filter support. It’s quite handy to write Web Application Firewalls using this mechanism.
  • Dynamic scripting language (Lua) support, which is very efficient and makes it easy to extend core functionalities.
  • Limits retries for upstream servers (proxy, memcached, fastcgi, scgi, uwsgi).
  • Includes a mechanism to support standalone processes.
  • Protects the server in case system load or memory use goes too high.
  • Multiple CSS or JavaScript requests can be combined into one request to reduce download time.
  • Removes unnecessary white spaces and comments to reduce the size of a page.
  • Proactive health checks of upstream servers can be performed.
  • The number of worker processes and CPU affinities can be set automatically.
  • The limit_req module is enhanced with whitelist support and more conditions are allowed in a single location.
  • Enhanced diagnostic information makes it easier to troubleshoot errors.
  • More user-friendly command lines, e.g., showing all compiled-in modules and supported directives.
  • Expiration times can be specified for certain MIME types.

https://giter.vip/alibaba/tengine

Class 'Automattic\WooCommerce\Internal\Admin\WcPayWelcomePage' not found

Warning: Class 'Automattic\WooCommerce\Internal\Admin\WcPayWelcomePage' not found in /home/group/public_html/domain.pt/wp-content/plugins/woocommerce/src/Admin/Features/Features.php on line 377

Parse error: syntax error, unexpected ')' in /home/group/public_html/domain.pt/wp-content/plugins/woocommerce/src/Internal/Admin/WcPayWelcomePage.php on line 322

Try renaming the woocommerce plugin folder.
Log in to wp-admin and update WooCommerce, then undo the rename and reactivate WooCommerce.