
Epic #51

Updated by rashmita rout about 1 month ago

1. Clickjacking:-
 Prevent the browser from loading the page in a frame by sending the
 X-Frame-Options or Content-Security-Policy (frame-ancestors) HTTP headers.

 2. Clear text password submission:-
 Ensure that user passwords are never transmitted, processed, or stored in cleartext by enforcing strong cryptographic hashing, encrypted transport, and secure cookie handling.

 3. Improper error handling:-
 Prevent leakage of internal system details through error messages.

 Customizing error messages with limited information strikes a balance between informing users about issues and maintaining a user-friendly interface, while safeguarding sensitive technical details.

 Disabling or limiting detailed error handling means configuring the system so that it does not display detailed technical information, such as debug output, stack traces, or file paths, to end users.
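The split described for item 3, as an added example (not the epic's own code): the client receives a short generic message and a correlation id, while the stack trace and internal message go only to the server log under the same id. The `HttpError` class, the Express-style middleware and `req.id` are assumptions for the demo.

```javascript
// Added example for item 3 (not the epic's own code). The client gets a short,
// generic message plus a correlation id; the full detail (stack, paths, driver
// messages) goes only to the server log.

// Errors the application deliberately raises with a message that is safe to show.
class HttpError extends Error {
  constructor(status, publicMessage) {
    super(publicMessage);
    this.name = 'HttpError';
    this.status = status;
  }
}

function buildErrorResponse(err, requestId) {
  const expected = err instanceof HttpError;
  const status = expected ? err.status : 500;
  return {
    status,
    // What the user sees: never err.message for unexpected errors, never a stack.
    body: {
      error: expected ? err.message : 'An unexpected error occurred.',
      requestId,
    },
    // What the operator sees, keyed by the same id.
    logEntry: {
      level: expected ? 'warn' : 'error',
      requestId,
      status,
      name: err.name,
      message: err.message,
      stack: err.stack,
    },
  };
}

// Express-style error middleware (assumed framework; the four-argument signature
// marks it as an error handler). `req.id` is assumed to be set by a request-id
// middleware earlier in the chain.
function errorMiddleware(err, req, res, next) {
  const { status, body, logEntry } = buildErrorResponse(err, req.id);
  console.error(JSON.stringify(logEntry));
  res.status(status).json(body);
}

// Stand-alone demo with a constructed internal failure that carries a file path.
const demo = buildErrorResponse(new Error("ENOENT: open '/srv/app/config/db.yaml'"), 'req-42');
console.log(demo.body); // { error: 'An unexpected error occurred.', requestId: 'req-42' }
```

Only errors the application raised on purpose (`HttpError`) keep their message; anything else, including library and driver errors whose text tends to embed paths and hostnames, is collapsed to the generic message.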

 4. Lack of security headers:-
 Implement security headers such as X-XSS-Protection,
 Content-Security-Policy, Referrer-Policy, X-Content-Type-Options and Permissions-Policy.

 5. Server banner disclosure:-
 Hide server version details; they should not be displayed in
 the application response.
 Additionally, remove the X-Powered-By header, as it discloses the
 software or technology that the server is running.
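Items 1, 4 and 5 are all response-header work, so one added example (not the epic's own code) covers them: a header set that includes the frame-blocking controls from item 1 and the headers listed in item 4, a middleware that applies it and strips the banner headers from item 5, and an audit helper that reports what a captured response is missing. It assumes Node.js; the middleware signature is Express-style. Two choices go beyond the checklist text: `Strict-Transport-Security` is included because it belongs with the others, and `X-XSS-Protection` is sent as `0`, the value OWASP currently recommends, because the legacy browser filter it controlled has been removed from modern browsers and could itself be abused when enabled.

```javascript
// Added example for items 1, 4 and 5 (not the epic's own code). Works on any
// response object exposing setHeader/removeHeader, e.g. Node's http.ServerResponse
// or an Express `res`, so it can be mounted as a middleware.
const SECURITY_HEADERS = {
  // Item 1: frame-ancestors is the current control; X-Frame-Options covers old browsers.
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  // Item 4.
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  // The legacy XSS auditor is gone from modern browsers; OWASP recommends sending 0
  // so the header can never re-enable it.
  'X-XSS-Protection': '0',
  // Not on the checklist, but belongs with these: only serve over TLS.
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};

// Item 5: headers that advertise the server software.
const BANNER_HEADERS = ['Server', 'X-Powered-By'];

function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  for (const name of BANNER_HEADERS) res.removeHeader(name);
  return res;
}

// Express-style middleware wrapper (assumed framework): app.use(securityHeadersMiddleware)
function securityHeadersMiddleware(req, res, next) {
  applySecurityHeaders(res);
  next();
}

// Audit helper for a captured response (e.g. the output of `curl -I`): which
// controls are missing and which banner headers are still disclosed. Header
// names are case-insensitive, so everything is compared lowercased.
function auditHeaders(headers) {
  const present = new Set(Object.keys(headers).map((h) => h.toLowerCase()));
  const missing = Object.keys(SECURITY_HEADERS).filter((h) => !present.has(h.toLowerCase()));
  const disclosed = BANNER_HEADERS.filter((h) => present.has(h.toLowerCase()));
  return { missing, disclosed };
}

// Minimal in-memory response used for the stand-alone demo (constructed).
function fakeResponse(initial = {}) {
  const store = new Map(Object.entries(initial).map(([k, v]) => [k.toLowerCase(), v]));
  return {
    setHeader: (k, v) => store.set(k.toLowerCase(), v),
    removeHeader: (k) => store.delete(k.toLowerCase()),
    headers: () => Object.fromEntries(store),
  };
}

const demoRes = fakeResponse({ Server: 'Apache', 'X-Powered-By': 'Express' });
applySecurityHeaders(demoRes);
console.log(auditHeaders(demoRes.headers())); // { missing: [], disclosed: [] }
```

Note that `removeHeader` only covers headers the application itself adds; a `Server` banner emitted by a reverse proxy in front of the app has to be switched off in that proxy's configuration, and `auditHeaders` run against the externally observed response is the check that confirms it.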

 6. Prevent unauthorized access to pages (protected routes):-
 Only authorized users can access protected pages.
 Unauthorized users are blocked or redirected.
 Protection exists at both the UI routing and the backend API level.
 No sensitive content is exposed via direct URL, cache, or browser history.
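The four requirements of item 6 in one added example (not the epic's own code): a single route table consulted by both the server guard and the client router, anonymous users redirected to login, wrong roles refused, and `Cache-Control: no-store` on every protected response so the content does not survive in caches or the back/forward history snapshot. The route table, the session shape and the Express-style guard are assumptions for the demo.

```javascript
// Added example for item 6 (not the epic's own code). One route table shared by
// the UI router and the API layer; the backend decision is the one that counts,
// the UI check only avoids rendering a page the server will refuse anyway.
const ROUTES = {
  '/login':   { public: true },
  '/profile': { roles: ['user', 'admin'] },
  '/admin':   { roles: ['admin'] },
};

// session: null (anonymous) or { userId, roles: [...] } (assumed shape)
function authorize(path, session) {
  const route = ROUTES[path];
  if (!route) return { allow: false, status: 404 };
  if (route.public) return { allow: true, status: 200, headers: {} };
  if (!session) {
    // Anonymous: the UI redirects to login, the API answers 401.
    return { allow: false, status: 401, redirect: `/login?next=${encodeURIComponent(path)}` };
  }
  const ok = route.roles.some((r) => session.roles.includes(r));
  if (!ok) return { allow: false, status: 403 };
  return {
    allow: true,
    status: 200,
    // Protected content must not survive in shared caches, the back/forward
    // cache or the browser's history snapshot.
    headers: { 'Cache-Control': 'no-store, private', Pragma: 'no-cache' },
  };
}

// Server side, Express-style guard (assumed framework): app.use(requireRoute)
function requireRoute(req, res, next) {
  const d = authorize(req.path, req.session || null);
  if (!d.allow) return d.redirect ? res.redirect(d.redirect) : res.sendStatus(d.status);
  for (const [k, v] of Object.entries(d.headers)) res.setHeader(k, v);
  next();
}

// Client side (a router's beforeEach / loader hook): same table, same rule, so
// the SPA never paints a protected view the server would not have served.
function canActivate(path, session) {
  return authorize(path, session).allow;
}

console.log(authorize('/admin', { userId: 7, roles: ['user'] }).status); // 403
```

The `next` parameter in the redirect is a path taken from the application's own route table, not from user input, which is what keeps the login redirect from becoming an open redirect.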

 7. Enforce safe UI behavior:-
 When a user opens the app for the first time or without explicit permission, the UI should:
 Start in the least-privileged state.
 Require explicit user action to enable access.
 Hide or disable sensitive features.
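Item 7 as a client-side state machine, added here as an example (not the epic's own code): the initial state grants nothing and hides the sensitive features; the only transition that enables access must carry proof of an explicit user gesture, so an automatic or script-dispatched attempt at startup is ignored. The reducer style (Redux/useReducer), the feature names and the permission strings are assumptions for the demo.

```javascript
// Added example for item 7 (not the epic's own code). A reducer in the style of
// Redux/useReducer (assumed UI pattern): the initial state grants nothing,
// sensitive features are hidden, and access is enabled only by an action that
// carries proof of an explicit user gesture.
const initialUiState = {
  accessEnabled: false,
  // Each sensitive feature is 'hidden' until access is enabled, then
  // 'enabled' or 'disabled' depending on the user's permissions.
  features: { exportData: 'hidden', deleteAccount: 'hidden' },
};

// permissions: what the backend says this user may do (assumed shape).
function featureStates(permissions) {
  return {
    exportData: permissions.includes('export') ? 'enabled' : 'disabled',
    deleteAccount: permissions.includes('delete') ? 'enabled' : 'disabled',
  };
}

function uiReducer(state = initialUiState, action) {
  switch (action.type) {
    case 'ENABLE_ACCESS':
      // Only a real user gesture may escalate. In a click handler pass
      // `userInitiated: event.isTrusted`; a script-dispatched or startup
      // action leaves the state untouched.
      if (!action.userInitiated) return state;
      return { accessEnabled: true, features: featureStates(action.permissions || []) };
    case 'REVOKE_ACCESS':
    case 'SESSION_EXPIRED':
      // Any loss of trust drops straight back to the least-privileged state.
      return initialUiState;
    default:
      return state;
  }
}

// Stand-alone walk-through.
let s = uiReducer(undefined, { type: '@@INIT' });
s = uiReducer(s, { type: 'ENABLE_ACCESS', userInitiated: false, permissions: ['export'] });
console.log(s.accessEnabled); // false: automatic attempt ignored
s = uiReducer(s, { type: 'ENABLE_ACCESS', userInitiated: true, permissions: ['export'] });
console.log(s.features); // { exportData: 'enabled', deleteAccount: 'disabled' }
```

Rendering code then keys off `features[name]`: `'hidden'` means the control is not in the DOM at all, `'disabled'` means it is shown but inert, and only `'enabled'` wires up its handler.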

 8. Prevent duplicate actions (form submission control):-
 When a form is submitted:
 The Submit button becomes disabled.
 Only one API request is sent.
 Duplicate submissions are prevented.
 The button is re-enabled only after the response arrives.
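The four steps of item 8 in one added example (not the epic's own code): a framework-agnostic submit controller that disables the button, lets exactly one request through, rejects duplicates while the first is in flight, and re-enables the button only when the response or failure has arrived. The `button` and `sendRequest` shapes, the form id and the API path in the browser wiring comment are assumptions for the demo.

```javascript
// Added example for item 8 (not the epic's own code). Framework-agnostic
// controller: `button` is any object with a `disabled` property (a real
// <button> in the browser), `sendRequest` any function returning a promise
// (fetch in the browser). The in-flight flag is the real guard; disabling the
// button is the visible part of it, since an Enter key or a queued second
// click can still call submit() before the DOM updates.
function createSubmitController({ button, sendRequest }) {
  let inFlight = false;
  return {
    async submit(payload) {
      if (inFlight) return { sent: false, reason: 'duplicate' };
      inFlight = true;
      button.disabled = true;
      try {
        const response = await sendRequest(payload);
        return { sent: true, response };
      } finally {
        // Re-enable only once the response (or the failure) has arrived,
        // so a failed request can be retried but never doubled.
        inFlight = false;
        button.disabled = false;
      }
    },
    isInFlight: () => inFlight,
  };
}

// Browser wiring (assumed markup: a <form id="profile"> with a submit button):
//   const form = document.getElementById('profile');
//   const ctl = createSubmitController({
//     button: form.querySelector('button[type=submit]'),
//     sendRequest: (body) => fetch('/api/profile', { method: 'POST', body }),
//   });
//   form.addEventListener('submit', (e) => { e.preventDefault(); ctl.submit(new FormData(form)); });

// Stand-alone demo with a constructed transport that answers after 10 ms.
const fakeButton = { disabled: false };
let requests = 0;
const ctl = createSubmitController({
  button: fakeButton,
  sendRequest: () => new Promise((resolve) => { requests += 1; setTimeout(() => resolve({ ok: true }), 10); }),
});
ctl.submit({ name: 'a' }).then((r) => console.log(r.sent, requests, fakeButton.disabled)); // true 1 false
ctl.submit({ name: 'a' }).then((r) => console.log(r.sent, r.reason)); // false duplicate (logged first)
```

Because `submit` is `async`, everything up to the first `await` runs synchronously, so the second call sees `inFlight` already set even when both clicks land in the same event-loop turn; no timer or debounce is needed. The client-side guard is a usability control, not a security boundary: a request replayed from outside the page still reaches the API, so any action where a duplicate matters (payments, deletes) also needs a server-side idempotency key.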
