Testing · 6 min read

Web Application Security Checklist

Most web breaches exploit a small set of recurring weaknesses. This checklist covers the controls that stop them.


1. Access control

  • Enforce authorisation on every request (object and function level).
  • Deny by default; never trust client-side checks.
  • Test for IDOR/BOLA on all APIs.

2. Input and output

  • Use parameterised queries (no string-built SQL).
  • Encode output to prevent XSS.
  • Validate and sanitise all input server-side.
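Sections 1 and 2 side by side, as an added example that is not from this guide or from CyberSigma: a record lookup written the string-built way, beside a version that binds the id as a query parameter and refuses any object the caller does not own. The table, the owners and the helper names are constructed for illustration.

```python
import sqlite3

# Constructed sample data for illustration; the table and owners are not from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE docs (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)",
                     [(1, "alice", "alice's notes"), (2, "bob", "bob's notes")])
    return conn

def get_doc_unsafe(conn, doc_id):
    # The pattern the checklist warns against: SQL assembled from the request value,
    # and no check that the caller owns the object (IDOR/BOLA).
    row = conn.execute(
        f"SELECT id, owner, body FROM docs WHERE id = {doc_id}").fetchone()
    return None if row is None else dict(zip(("id", "owner", "body"), row))

def get_doc_safe(conn, user, doc_id):
    # Parameterised query: doc_id is bound as a value, never spliced into the SQL
    # text, so injection-shaped input is compared as data and matches nothing.
    row = conn.execute(
        "SELECT id, owner, body FROM docs WHERE id = ?", (doc_id,)).fetchone()
    # Deny by default: object-level authorisation on the server, on every request.
    if row is None or row[1] != user:
        return None
    return dict(zip(("id", "owner", "body"), row))

if __name__ == "__main__":
    db = make_db()
    print(get_doc_unsafe(db, 2))             # bob's record, whoever asks: IDOR
    print(get_doc_safe(db, "alice", 2))      # None: alice is not the owner
    print(get_doc_safe(db, "alice", 1))      # alice's own record
```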

3. Authentication and sessions

  • Enforce MFA and strong password policies.
  • Secure, short-lived sessions; rotate tokens.
  • Protect against brute force and credential stuffing.

4. Configuration and components

  • Harden servers; remove defaults and verbose errors.
  • Patch and inventory third-party components (SCA).
  • Centralise logging and monitor for attacks.

How CyberSigma helps

Our application security testing verifies each of these against the OWASP ASVS and gives your developers precise, prioritised fixes.

This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.

Turn this guide into a plan

Our CERT-In empanelled auditors can take you from reading about it to certified — with a scoped, guided programme.
