Level 1 controls
Level 1 contains 128 controls listed below:
02-authentication
01-password-security
- V2.1.1 User set passwords are at least 12 characters in l ...
- V2.1.2 Passwords of at least 64 characters are permitted, ...
- V2.1.3 Password truncation is not performed. however, con ...
- V2.1.4 Any printable unicode character, including languag ...
- V2.1.5 Verify users can change their password. ...
- V2.1.6 Password change functionality requires the user's ...
- V2.1.7 Passwords submitted during account registration, l ...
- V2.1.8 A password strength meter is provided to help user ...
- V2.1.9 There are no password composition rules limiting t ...
- V2.1.10 There are no periodic credential rotation or passw ...
- V2.1.11 "paste" functionality, browser password helpers, a ...
- V2.1.12 The user can choose to either temporarily view the ...
02-general-authenticator-security
- V2.2.1 Anti-automation controls are effective at mitigati ...
- V2.2.2 The use of weak authenticators (such as sms and em ...
- V2.2.3 Secure notifications are sent to users after updat ...
03-authenticator-lifecycle
- V2.3.1 Verify system generated initial passwords or activ ...
05-credential-recovery
- V2.5.1 A system generated initial activation or recovery ...
- V2.5.2 Verify password hints or knowledge-based authentic ...
- V2.5.3 Verify password credential recovery does not revea ...
- V2.5.4 Verify shared or default accounts are not present ...
- V2.5.5 If an authentication factor is changed or replaced ...
- V2.5.6 Verify forgotten password, and other recovery path ...
07-out-of-band-verifier
- V2.7.1 Clear text out of band (nist "restricted") authent ...
- V2.7.2 The out of band verifier expires out of band authe ...
- V2.7.3 The out of band verifier authentication requests, ...
- V2.7.4 The out of band authenticator and verifier communi ...
08-one-time-verifier
- V2.8.1 Time-based otps have a defined lifetime before exp ...
03-session-management
01-fundamental-session-management-security
- V3.1.1 Verify the application never reveals session token ...
02-session-binding
- V3.2.1 Verify the application generates a new session tok ...
- V3.2.2 Session tokens possess at least 64 bits of entropy ...
- V3.2.3 Verify the application only stores session tokens ...
03-session-termination
- V3.3.1 Logout and expiration invalidate the session token ...
- V3.3.2 If authenticators permit users to remain logged in ...
04-cookie-based-session-management
- V3.4.1 Cookie-based session tokens have the 'secure' attr ...
- V3.4.2 Cookie-based session tokens have the 'httponly' at ...
- V3.4.3 Cookie-based session tokens utilize the 'samesite' ...
- V3.4.4 Cookie-based session tokens use the "__host-" pref ...
- V3.4.5 If the application is published under a domain nam ...
07-defenses-against-session-management-exploits
- V3.7.1 Verify the application ensures a full, valid login ...
4-access-control
01-general-access-control-design
- V4.1.1 The application enforces access control rules on a ...
- V4.1.2 All user and data attributes and policy informatio ...
- V4.1.3 The principle of least privilege exists - users sh ...
- V4.1.5 Access controls fail securely including when an ex ...
02-operation-level-access-control
- V4.2.1 Sensitive data and apis are protected against inse ...
- V4.2.2 The application or framework enforces a strong ant ...
03-other-access-control-considerations
- V4.3.1 Verify administrative interfaces use appropriate m ...
- V4.3.2 Directory browsing is disabled unless deliberately ...
05-validation-sanitization-and-encoding
01-input-validation
- V5.1.1 The application has defenses against http paramete ...
- V5.1.2 Frameworks protect against mass parameter assignme ...
- V5.1.3 All input (html form fields, rest requests, url pa ...
- V5.1.4 Structured data is strongly typed and validated ag ...
- V5.1.5 Url redirects and forwards only allow destinations ...
02-sanitization-and-sandboxing
- V5.2.1 All untrusted html input from wysiwyg editors or s ...
- V5.2.2 Unstructured data is sanitized to enforce safety m ...
- V5.2.3 The application sanitizes user input before passin ...
- V5.2.4 The application avoids the use of eval() or other ...
- V5.2.5 The application protects against template injectio ...
- V5.2.6 The application protects against ssrf attacks, by ...
- V5.2.7 The application sanitizes, disables, or sandboxes ...
- 5.2.8 The application sanitizes, disables, or sandboxes ...
03-output-encoding-and-injection-prevention
- V5.3.1 Output encoding is relevant for the interpreter an ...
- V5.3.2 Output encoding preserves the user's chosen charac ...
- V5.3.3 Context-aware, preferably automated - or at worst, ...
- V5.3.4 Data selection or database queries (e.g. sql, hql, ...
- V5.3.5 Where parameterized or safer mechanisms are not pr ...
- V5.3.6 The application protects against json injection at ...
- V5.3.7 The application protects against ldap injection vu ...
- V5.3.8 The application protects against os command inject ...
- V5.3.9 The application protects against local file inclus ...
- V5.3.10 The application protects against xpath injection o ...
05-deserialization-prevention
- V5.5.1 Serialized objects use integrity checks or are enc ...
- V5.5.2 The application correctly restricts xml parsers to ...
- V5.5.3 Deserialization of untrusted data is avoided or is ...
- V5.5.4 When parsing json in browsers or javascript-based ...
06-stored-cryptography
02-algorithms
- V6.2.1 All cryptographic modules fail securely, and error ...
07-error-handling-and-logging
01-log-content
- V7.1.1 The application does not log credentials or paymen ...
- V7.1.2 The application does not log other sensitive data ...
04-error-handling
- V7.4.1 A generic message is shown when an unexpected or s ...
08-data-protection
02-client-side-data-protection
- V8.2.1 Verify the application sets sufficient anti-cachin ...
- V8.2.2 Data stored in browser storage (such as localstora ...
- V8.2.3 Authenticated data is cleared from client storage, ...
03-sensitive-private-data
- V8.3.1 Sensitive data is sent to the server in the http m ...
- V8.3.2 Users have a method to remove or export their data ...
- V8.3.3 Users are provided clear language regarding collec ...
- V8.3.4 All sensitive data created and processed by the ap ...
09-communication
01-client-communication-security
- V9.1.1 Tls is used for all client connectivity, and does ...
- V9.1.2 Verify using up to date tls testing tools that onl ...
- V9.1.3 Only the latest recommended versions of the tls pr ...
10-malicious-code
03-application-integrity
- V10.3.1 If the application has a client or server auto-upd ...
- V10.3.2 The application employs integrity protections, suc ...
- V10.3.3 The application has protection from subdomain take ...
11-business-logic
01-business-logic-security
- V11.1.1 The application will only process business logic f ...
- V11.1.2 The application will only process business logic f ...
- V11.1.3 Verify the application has appropriate limits for ...
- V11.1.4 The application has anti-automation controls to pr ...
- V11.1.5 Verify the application has business logic limits o ...
12-files-and-resources
01-file-upload
- V12.1.1 The application will not accept large files that c ...
03-file-execution
- V12.3.1 User-submitted filename metadata is not used direc ...
- V12.3.2 User-submitted filename metadata is validated or i ...
- V12.3.3 User-submitted filename metadata is validated or i ...
- V12.3.4 The application protects against reflective file d ...
- V12.3.5 Untrusted file metadata is not used directly with ...
04-file-storage
- V12.4.1 Files obtained from untrusted sources are stored o ...
- V12.4.2 Files obtained from untrusted sources are scanned ...
05-file-download
- V12.5.1 The web tier is configured to serve only files wit ...
- V12.5.2 Direct requests to uploaded files will never be ex ...
06-ssrf-protection
- V12.6.1 The web or application server is configured with a ...
13-api-and-web-service
01-generic-web-service-security
- V13.1.1 All application components use the same encodings ...
- V13.1.3 Verify api urls do not expose sensitive informatio ...
02-restful-web-service
- V13.2.1 Enabled restful http methods are a valid choice fo ...
- V13.2.2 Json schema validation is in place and verified be ...
- V13.2.3 Restful web services that utilize cookies are prot ...
03-soap-web-service
- V13.3.1 Xsd schema validation takes place to ensure a prop ...
14-configuration
02-dependency
- V14.2.1 All components are up to date, preferably using a ...
- V14.2.2 All unneeded features, documentation, sample appli ...
- V14.2.3 If application assets, such as javascript librarie ...
03-unintended-security-disclosure
- V14.3.2 Web or application server and application framewor ...
- V14.3.3 The http headers or any part of the http response ...
04-http-security-headers
- V14.4.1 Every http response contains a content-type header ...
- V14.4.2 All api responses contain a content-disposition: a ...
- V14.4.3 A content security policy (csp) response header is ...
- V14.4.4 All responses contain a x-content-type-options: no ...
- V14.4.5 A strict-transport-security header is included on ...
- V14.4.6 A suitable referrer-policy header is included to a ...
- V14.4.7 The content of a web application cannot be embedde ...
