Sunday, October 18, 2009

OWASP TLS Protection Cheat Sheet

I'm now officially launching the OWASP Transport Layer Protection Cheat Sheet. This cheat sheet joins the ranks of other successful OWASP cheat sheets such as the Cross Site Scripting Prevention Cheat Sheet.

The TLS Protection Cheat Sheet provides a quick but detailed explanation of the primary considerations when implementing TLS (e.g. SSL, HTTPS) for your web application.

Here's a taste:
  • Secure Server Design - How to do the login page correctly, Risks of HTTP to HTTPS redirects, "Secure" cookie, HTTPS referrer leakage
  • Server Certificate & Protocol Configuration - TLS vs SSL, Cipher selection, Certificate Authorities
  • FIPS 140-2 - Certified Cryptomodules
  • ...and more
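The items in that list map to a handful of concrete response-header checks a defender can automate. As an added example (not from the cheat sheet or this post), the Python below audits a response for a session cookie missing the Secure flag, a cookie set on the plaintext side of an HTTP-to-HTTPS redirect, and a missing or short-lived Strict-Transport-Security header (the mechanism raised in the comments). The sample responses, function names and the one-year max-age threshold are constructed for this example.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Assumed policy threshold for this example: HSTS max-age of at least one year.
MIN_HSTS_MAX_AGE = 31536000

# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE: Dict[str, Any] = {
    "scheme": "https",
    "headers": [
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
        ("Content-Type", "text/html"),
    ],
}

HARDENED_RESPONSE: Dict[str, Any] = {
    "scheme": "https",
    "headers": [
        ("Set-Cookie", "SESSIONID=abc123; Path=/; Secure; HttpOnly"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Type", "text/html"),
    ],
}

# A plain-HTTP response that sets a cookie before redirecting to HTTPS:
# the cookie has already crossed the wire unencrypted by the time TLS starts.
REDIRECT_RESPONSE: Dict[str, Any] = {
    "scheme": "http",
    "headers": [
        ("Location", "https://example.test/login"),
        ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ],
}


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, Any]]:
    """Split a Set-Cookie value into the cookie name and its attribute map.
    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, Any] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def parse_hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def audit_response(resp: Dict[str, Any]) -> List[str]:
    """Return a list of transport-protection findings for one response (empty = clean)."""
    scheme: str = resp["scheme"]
    headers: List[Tuple[str, str]] = resp["headers"]
    findings: List[str] = []

    for key, val in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(val)
        if scheme == "http":
            findings.append(f"cookie {name} set over plain HTTP before redirect; already exposed")
        elif "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure flag; browser will send it over HTTP")

    if scheme == "https":
        hsts = [val for key, val in headers if key.lower() == "strict-transport-security"]
        if not hsts:
            findings.append("missing Strict-Transport-Security header")
        else:
            max_age = parse_hsts_max_age(hsts[0])
            if max_age is None or max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"Strict-Transport-Security max-age too low: {max_age}")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE),
                        ("redirect", REDIRECT_RESPONSE)):
        print(label, audit_response(resp) or ["OK"])
```

The HSTS check only runs on HTTPS responses because browsers ignore the header when it arrives over plain HTTP; the cookie check, by contrast, is strictest on the HTTP side, where no attribute can undo the fact that the value was already sent in the clear.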

Many thanks to the reviewers (Mike Boberski, Dave Wichers, Tyler Reguly). The cheat sheet wouldn't be where it is today without your help.

If you are attending OWASP AppSec DC I'll be speaking about several of the items within the Secure Server Design section during my power talk: Advanced SSL: The good, the bad, and the ugly.

Twitter? Use #TLSCheatSheet.

-Michael Coates


  1. Michael,

    Check out the Strict-Transport-Security proposal that we recently posted. It helps deal with the user typing in http://site by storing a preference for the user that a given site should always be HTTPS.

  2. This looks great. This is something that has been needed for a long time.


  3. Hello,

    For leveraging traffic from the internet, I have manually collected a list of quality blogs and sites with whom I am interested in getting associated.

    I liked your Site/blog and I'm interested in having my blog's text link in your blog roll or Friends Section.

    To process this link exchange please place my blog on your home page using the below info

    Title: Multithreaded TCP Proxy Tunnel


    And send me your link info with confirmation of my link so that I could place your link on my blog. We will make link back to you on our home page (PR 5).

    I hope I will hear from you as soon as possible.

