Add Ecommerce Security CheckList section #49

119 changes: 60 additions & 59 deletions README.md
Expand Up @@ -13,66 +13,67 @@ Our detailed explanations should help the first type while we hope our checklist
### Contents

1. [The Security Checklist](security-checklist.md)
2. [What can go wrong?](what-can-go-wrong.md)
3. [Securely transporting stuff: HTTPS explained](https.md)
4. Authentication: I am who I say I am
4.1 Form based authentication
4.2 Basic authentication
4.3 One is not enough, 2 factor, 3 factor, ....
4.4 Why use insecure text messages? Introducing HOTP & TOTP
4.5 Handling password resets
5. Authorization: What am I allowed to do?
5.1 Token based Authorization
5.2 OAuth & OAuth2
5.3 JWT
6. Data Validation and Sanitation: Never trust user input
6.1 Validating and Sanitizing Inputs
6.2 Sanitizing Outputs
6.3 Cross Site Scripting
6.4 Injection Attacks
6.5 User uploads
6.6 Tamper-proof user inputs
7. Plaintext != Encoding != Encryption != Hashing
7.1 Common encoding schemes
7.2 Encryption
1. [Ecommerce Security CheckList](https://github.com/IamHDT/Ecommerce-Website-Security-CheckList)
3. [What can go wrong?](what-can-go-wrong.md)
4. [Securely transporting stuff: HTTPS explained](https.md)
5. Authentication: I am who I say I am
5.1 Form based authentication
5.2 Basic authentication
5.3 One is not enough, 2 factor, 3 factor, ....
5.4 Why use insecure text messages? Introducing HOTP & TOTP
5.5 Handling password resets
6. Authorization: What am I allowed to do?
6.1 Token based Authorization
6.2 OAuth & OAuth2
6.3 JWT
7. Data Validation and Sanitation: Never trust user input
7.1 Validating and Sanitizing Inputs
7.2 Sanitizing Outputs
7.3 Cross Site Scripting
7.4 Injection Attacks
7.5 User uploads
7.6 Tamper-proof user inputs
8. Plaintext != Encoding != Encryption != Hashing
8.1 Common encoding schemes
8.2 Encryption
7.3 Hashing & One way functions
7.4 Hashing speeds cheatsheet
8. Passwords: dadada, 123456 and cute@123
8.1 Password policies
8.2 Storing passwords
8.3 Life without passwords
9. Public Key Cryptography
10. Sessions: Remember me, please
10.1 Where to save state?
10.2 Invalidating sessions
10.3 Cookie monster & you
11. Fixing security, one header at a time
11.1 Secure web headers
11.2 Data integrity check for 3rd party code
11.3 Certificate Pinning
12. Configuration mistakes
12.1 Provisioning in cloud: Ports, Shodan & AWS
12.2 Honey, you left the debug mode on
12.3 Logging (or not logging)
12.4 Monitoring
12.5 Principle of least privilege
12.6 Rate limiting & Captchas
12.7 Storing project secrets and passwords in a file
12.8 DNS: Of subdomains and forgotten pet-projects
12.9 Patching & Updates
13. Attacks: When the bad guys arrive
13.1 Clickjacking
13.2 Cross Site Request Forgery
13.3 Denial of Service
13.4 Server Side Request Forgery
14. [Stats about vulnerabilities discovered in Internet Companies](vulnerabilities-stats.md)
15. On reinventing the wheel, and making it square
15.1 Security libraries and packages for Python
15.2 Security libraries and packages for Node/JS
15.3 Learning resources
16. Maintaining a good security hygiene
17. Security Vs Usability
18. Back to Square 1: The Security Checklist explained
8.4 Hashing speeds cheatsheet
9. Passwords: dadada, 123456 and cute@123
9.1 Password policies
9.2 Storing passwords
9.3 Life without passwords
10. Public Key Cryptography
11. Sessions: Remember me, please
11.1 Where to save state?
11.2 Invalidating sessions
11.3 Cookie monster & you
12. Fixing security, one header at a time
12.1 Secure web headers
12.2 Data integrity check for 3rd party code
12.3 Certificate Pinning
13. Configuration mistakes
13.1 Provisioning in cloud: Ports, Shodan & AWS
13.2 Honey, you left the debug mode on
13.3 Logging (or not logging)
13.4 Monitoring
13.5 Principle of least privilege
13.6 Rate limiting & Captchas
13.7 Storing project secrets and passwords in a file
13.8 DNS: Of subdomains and forgotten pet-projects
13.9 Patching & Updates
14. Attacks: When the bad guys arrive
14.1 Clickjacking
14.2 Cross Site Request Forgery
14.3 Denial of Service
14.4 Server Side Request Forgery
15. [Stats about vulnerabilities discovered in Internet Companies](vulnerabilities-stats.md)
16. On reinventing the wheel, and making it square
16.1 Security libraries and packages for Python
16.2 Security libraries and packages for Node/JS
16.3 Learning resources
17. Maintaining a good security hygiene
18. Security Vs Usability
19. Back to Square 1: The Security Checklist explained



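Review bot: the list numbering in this hunk is inconsistent after the insertion. The new entry `1. [Ecommerce Security CheckList](https://github.com/IamHDT/Ecommerce-Website-Security-CheckList)` is numbered 1, yet the entry that follows it is `3. [What can go wrong?](what-can-go-wrong.md)`, so the contents now has two item 1s and no item 2; the new line should be numbered `2.`. The renumbering of the sub-items is also incomplete: `8.1 Common encoding schemes` and `8.2 Encryption` are followed by the untouched `7.3 Hashing & One way functions` and then `8.4 Hashing speeds cheatsheet`, so 7.3 needs to become 8.3. Separately, every other linked entry in this contents list points at a Markdown file inside this repository (security-checklist.md, what-can-go-wrong.md, https.md, vulnerabilities-stats.md) while the new one links to an external GitHub repository; either add the checklist as a local file like the others or mark the entry as an external resource so readers know it is not maintained here.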