Professional Documents
Culture Documents
escaped where used. malicious content. Users are warned about etc.).
Input data is validated. Application uses a
\0 (null) is discarded in input. malware scanner (if req.).
obvious password recovery Suhosin is installed or you
Length of input is bounded. Uploaded HTML files are
questions. are not using rand() or
Email addresses are validated. displayed securely.
Account recovery forms do
mt_rand() for this.
Application is aware of small, Uploaded files are not moved
not reveal email existence.
Pages that send emails are
Anything that consumes a
lot of resources should be
very large, zero, and negative to a web-accessible directory. throttled and limited.
throttled.
numbers. Sci. notation too. Extensive path checks are
Application checks for used when serving files. SESSIONS
Pages that use 3rd-party
APIs are throttled.
invisible, look-alike, and Uploaded files are not served
Sessions only use cookies. You did not create your own
combinining characters. with include().
Unicode control characters Uploaded files are served (session.use_only_cookies)
encryption algorithm.
stripped out when required. as an attachment using the On logout, session data is Arguments to external
Outputted data is sanitized. Content-Disposition header. destroyed.
programs (i.e. exec()) are
User-inputted HTML is Application sends the Session is recreated on
validated.
Generic internal and external
santized with HTMLPurifier. authorization level change.
Sites on the same server use
X-Content-Type-Options:
User-inputted CSS is nosniff header.
redirect pages are secured.
Precautions taken against
sanitized using a white-list. Files are not served as different session storage dirs.
Abusable properties application/octet-stream,
the source code of your PHP
pages being shown due to
(position, margin, etc.) are application/unknown, or 3RD-PARTIES
misconfiguration.
handled. plain/text unless necessary. CSRF issues are prevented
CSS escape sequences are with tokens/keys.
Configuration and critical files
are not in a web-accessible
handled. DATABASE Referrers are not relied
JavaScript in CSS is
Data inserted into the upon.
directory.
discarded (expressions,
database is properly escaped Pages that perform SHARED HOSTING
behaviors, bindings). actions use POST.
URLs are sanitized and
or parameterized/prepared
statements are used. Important pages (logout, Using a secure shared host
unknown and unwanted
addslashes() is not used. etc.) are protected. where users cannot access
protocols are disallowed.
Your pages are not written
the files of other users.
Embedded plugins are
Application does not have
more privileges to the in a way (i.e. JSON, JS-like) Aware that fellow shared
restricted from executing JS. where they can be included hosting users:
Embedded plugin files (Flash
database than necessary.
Remote connections to the and read on a remote website Can, if on the same IP
movies) are embedded in successfully. address, issue requests
database are disabled if they
a manner so that only the
are unnecessary. Aware that Flash can bypass against your site with
XMLHttpRequest in IE6.
intended plugin is loaded. referrer checks to load images
The application uses a safe SERVING FILES and sound files. Can access your website