ASVS Index¶

Table of Contents¶

Objective
V1: Encoding and Sanitization
V2: Validation and Business Logic
V3: Web Frontend Security
V4: API and Web Service
V5: File Handling
V6: Authentication
V7: Session Management
V8: Authorization
V9: Self-contained Tokens
- V9.1 Token source and integrity
- V9.2 Token content
V10: OAuth and OIDC
V11: Cryptography
V12: Secure Communication
V13: Configuration
V14: Data Protection
V15: Secure Coding and Architecture
V16: Security Logging and Error Handling
V17: WebRTC

Objective¶

The objective of this index is to help an OWASP Application Security Verification Standard (ASVS) user clearly identify which cheat sheets are useful for each section during his or her usage of the ASVS.

ASVS Index¶

Table of Contents¶

Objective¶

V1: Encoding and Sanitization¶

V1.1 Encoding and Sanitization Architecture¶

V1.2 Injection Prevention¶

V1.3 Sanitization¶

V1.4 Memory, String, and Unmanaged Code¶

V1.5 Safe Deserialization¶

V2: Validation and Business Logic¶

V2.1 Validation and Business Logic Documentation¶

V2.2 Input Validation¶

V2.3 Business Logic Security¶

V2.4 Anti-automation¶

V3: Web Frontend Security¶

V3.1 Web Frontend Security Documentation¶

V3.2 Unintended Content Interpretation¶

V3.3 Cookie Setup¶

V3.4 Browser Security Mechanism Headers¶

V3.5 Browser Origin Separation¶

V3.6 External Resource Integrity¶

V3.7 Other Browser Security Considerations¶

V4: API and Web Service¶

V4.1 Generic Web Service Security¶

V4.2 HTTP Message Structure Validation¶

V4.3 GraphQL¶

V4.4 WebSocket¶

V5: File Handling¶

V5.1 File Handling Documentation¶

V5.2 File Upload and Content¶

V5.3 File Storage¶

V5.4 File Download¶

V6: Authentication¶

V6.1 Authentication Documentation¶

V6.2 Password Security¶

V6.3 General Authentication Security¶

V6.4 Authentication Factor Lifecycle and Recovery¶

V6.5 General Multi-factor authentication requirements¶

V6.6 Out-of-Band authentication mechanisms¶

V6.7 Cryptographic authentication mechanism¶

V6.8 Authentication with an Identity Provider¶

V7: Session Management¶

V7.1 Session Management Documentation¶

V7.2 Fundamental Session Management Security¶

V7.3 Session Timeout¶

V7.4 Session Termination¶

V7.5 Defenses Against Session Abuse¶

V7.6 Federated Re-authentication¶

V8: Authorization¶

V8.1 Authorization Documentation¶

V8.2 General Authorization Design¶

V8.3 Operation Level Authorization¶

V8.4 Other Authorization Considerations¶

V9: Self-contained Tokens¶

V9.1 Token source and integrity¶

V9.2 Token content¶

V10: OAuth and OIDC¶

V10.1 Generic OAuth and OIDC Security¶

V10.2 OAuth Client¶

V10.3 OAuth Resource Server¶

V10.4 OAuth Authorization Server¶

V10.5 OIDC Client¶

V10.6 OpenID Provider¶

V10.7 Consent Management¶

V11: Cryptography¶

V11.1 Cryptographic Inventory and Documentation¶

V11.2 Secure Cryptography Implementation¶

V11.3 Encryption Algorithms¶

V11.4 Hashing and Hash-based Functions¶

V11.5 Random Values¶

V11.6 Public Key Cryptography¶

V11.7 In-Use Data Cryptography¶

V12: Secure Communication¶

V12.1 General TLS Security Guidance¶

V12.2 HTTPS Communication with External Facing Services¶

V12.3 General Service to Service Communication Security¶

V13: Configuration¶

V13.1 Configuration Documentation¶

V13.2 Backend Communication Configuration¶

V13.3 Secret Management¶