Business Case | Description |
---|---|
Company and Industry | PawTalk Inc. - Education |
Solution Requirements | The web application must be developed using secure coding practices. |
Compliance Requirements | Create, read, update, and delete (CRUD) functionality must be implemented in the web application, and both the user and admin pages need to acknowledge policy and security. |
Quality of Service Requirements | Availability: The service of the web application must only be accessible to Nationalian admins and users. Reliability: The service of the web application must be responsive on mobile and desktop devices without errors. |
Assets | Files: HTML, CSS, and JavaScript; Database: PHP; Other assets: images, logo, and contents |
Security Objective | To develop a safe web application for users to post comments without being vulnerable to threats. |
☑️ Require password combination (Sign Up)
☑️ Require email validation (Sign Up)
☑️ Require value input (Sign Up)
☑️ Confirm password match authentication (Sign Up)
☑️ No email repetition (Sign Up)
☑️ No username repetition (Sign Up)
☑️ Validate user input (Sign In)
☑️ Validate if user exists
☑️ Validate if user or admin (Sign In)
☑️ Password authentication (Sign In)
☑️ Username and email validation (Sign In)
☑️ Admin and User Session
☑️ Users can post content during their session
☑️ Reflection of current user in the session
☑️ Admin and User Access
☑️ Only logged-in users are eligible to post content
☑️ Hashed user and admin password in the database
☑️ Sign-Up forms data error handling
☑️ Login and access attempts
☑️ Login error handling
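The sign-up items in the checklist above (required values, email validation, password combination, password match, no username or email repetition, hashed password in the database), as an added PHP example that is not PawTalk's own code; the PDO connection and the `users` table with its columns are assumptions.

```php
<?php
// Added example, not PawTalk's own code. Assumes a PDO connection and a
// hypothetical `users` table with columns username, email, password_hash, role.
function validate_signup(array $in): array
{
    $errors = [];
    // Require value input: every field must be a present, non-empty string.
    foreach (['username', 'email', 'password', 'confirm'] as $f) {
        if (!is_string($in[$f] ?? null) || trim($in[$f]) === '') {
            $errors[] = "$f is required";
        }
    }
    if ($errors) { return $errors; }
    // Require email validation.
    if (filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    // Require password combination: 8+ chars with upper, lower, digit and symbol.
    if (!preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{8,}$/', $in['password'])) {
        $errors[] = 'password needs 8+ characters with upper, lower, digit and symbol';
    }
    // Confirm password match.
    if ($in['password'] !== $in['confirm']) {
        $errors[] = 'passwords do not match';
    }
    return $errors;
}

function register_user(PDO $pdo, array $in): array
{
    $errors = validate_signup($in);
    if ($errors) { return $errors; }
    // No username or email repetition: check with a prepared statement, never string concatenation.
    $st = $pdo->prepare('SELECT username, email FROM users WHERE username = ? OR email = ?');
    $st->execute([$in['username'], $in['email']]);
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if ($row['username'] === $in['username']) { $errors[] = 'username already taken'; }
        if ($row['email'] === $in['email']) { $errors[] = 'email already registered'; }
    }
    if ($errors) { return $errors; }
    // Hashed user password in the database; the plaintext is never stored.
    $hash = password_hash($in['password'], PASSWORD_DEFAULT);
    $st = $pdo->prepare('INSERT INTO users (username, email, password_hash, role) VALUES (?, ?, ?, ?)');
    $st->execute([$in['username'], $in['email'], $hash, 'user']);
    return []; // empty array means sign-up succeeded
}
```

The SELECT before the INSERT only produces a friendly error message; a UNIQUE constraint on username and email in the table is what actually enforces no repetition when two sign-ups race.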
Alert Name | Recommended Web Security Hardening Technique |
---|---|
Cross-Site Scripting | Disable TRACE HTTP requests; enable/disable ModSecurity modules; X-XSS-Protection |
Parameter Tampering | Restrict IP Access |
Server Leaks Information via "X-Powered-By" HTTP Response Header | Set cookie with HttpOnly and Secure flags |
Content Security Policy (CSP) Header Not Set | Disable ETag |
Missing Anti-clickjacking Header, X-Content-Type-Options Header Missing | Avoid Clickjacking Attack |