Last modified: Jan 5, 2023

Code Checklist

Security checklist based on OWASP.

Below you find the checklists used during coding. Important inputs have been the OWASP Top 10 and the CWE Top 25.

Backend checklist

1. Is input validated?

URL parameters, POST parameters and other input that is stored or presented in the application.

An example from Altinn 3 is the validation of file names used here.

This is related to OWASP Top 10 no. 1.
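As an added illustration of the file name check (example code written for this checklist, not the Altinn 3 validator itself), the method below accepts only a bare file name and rejects directory parts, traversal sequences, control characters and characters that are invalid on either Windows or Linux. The 255-character limit and the exact character set are assumptions for the example.

```csharp
// Added example (not Altinn's own validator): a strict file name check for
// names that arrive as URL/POST parameters and end up stored or displayed.
using System;
using System.IO;
using System.Linq;

public static class FileNameValidator
{
    // Upper bound chosen for the example; most file systems cap names at 255 bytes.
    private const int MaxLength = 255;

    // Returns true only for a plain file name: no directory parts, no
    // traversal, no characters the file system or a browser could misread.
    public static bool IsValidFileName(string? fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName) || fileName.Length > MaxLength)
        {
            return false;
        }

        // Reject anything that is not a bare name: "../", "/", absolute paths.
        // Any ".." is refused outright, which also rejects "a..b"; strict on purpose.
        if (fileName != Path.GetFileName(fileName)
            || fileName.Contains("..", StringComparison.Ordinal))
        {
            return false;
        }

        // Path.GetInvalidFileNameChars() is platform dependent; add the characters
        // that are invalid on Windows explicitly so Linux hosts enforce the same rule.
        char[] invalid = Path.GetInvalidFileNameChars()
            .Concat(new[] { '<', '>', ':', '"', '/', '\\', '|', '?', '*' })
            .Distinct()
            .ToArray();
        if (fileName.IndexOfAny(invalid) >= 0 || fileName.Any(char.IsControl))
        {
            return false;
        }

        // A name that is only dots, or ends in a dot or space, is ambiguous on some platforms.
        if (fileName.All(c => c == '.') || fileName.EndsWith('.') || fileName.EndsWith(' '))
        {
            return false;
        }

        return true;
    }
}
```

In a controller the check is applied before the name is used for storage or echoed back, e.g. `if (!FileNameValidator.IsValidFileName(name)) return BadRequest("Invalid file name");`. Validating on the server is what counts here; a client-side check can be bypassed.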

2. Does the API require an authenticated user?

All APIs need to require an authenticated user or system. For a .NET Core application this means that it needs to have the [Authorize] attribute.

Example from InstancesController in Storage

[Authorize]
[HttpPost]
[Consumes("application/json")]
[ProducesResponseType(StatusCodes.Status201Created)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
[Produces("application/json")]
public async Task<ActionResult<Instance>> Post(string appId, [FromBody] Instance instance)

3. Does the API validate the correct authorization policy?

For each API the developer needs to identify the correct authorization policy that must be validated.

This could be that read or write access needs to be authorized.

Example from InstancesController in Storage

[Authorize(Policy = AuthzConstants.POLICY_INSTANCE_DELETE)]
[HttpDelete("{instanceOwnerPartyId:int}/{instanceGuid:guid}")]
[ProducesResponseType(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status204NoContent)]
[ProducesResponseType(StatusCodes.Status400BadRequest)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
[Produces("application/json")]
public async Task<ActionResult<Instance>> Delete(int instanceOwnerPartyId, Guid instanceGuid, [FromQuery] bool hard)

This is related to OWASP Top 10 no. 5 and CWE-862.
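The following is an added example covering items 2 and 3 together; it is not Storage's own code. It shows how a named policy such as AuthzConstants.POLICY_INSTANCE_DELETE is registered with a requirement and handler, how [Authorize] on the controller and [Authorize(Policy = ...)] on the action apply it, and a fallback policy so that an endpoint that forgets [Authorize] still rejects anonymous callers. The policy value, the "scope" claim, the scope string, the route and the InstanceDeleteRequirement/InstanceDeleteHandler types are all assumptions of the example.

```csharp
// Added example (not Altinn Storage's own code): registering and applying an
// authorization policy in ASP.NET Core, with a fail-closed fallback.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class AuthzConstants
{
    // Policy name; the value is assumed for this example.
    public const string POLICY_INSTANCE_DELETE = "InstanceDelete";
}

// Hypothetical requirement: the caller must hold a scope claim that grants deletion.
public class InstanceDeleteRequirement : IAuthorizationRequirement { }

public class InstanceDeleteHandler : AuthorizationHandler<InstanceDeleteRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, InstanceDeleteRequirement requirement)
    {
        // Only an authenticated principal carrying the assumed "altinn:instances.delete"
        // scope succeeds; anything else leaves the requirement unmet, so the request fails closed.
        bool hasScope = context.User.HasClaim(c =>
            c.Type == "scope" && c.Value.Split(' ').Contains("altinn:instances.delete"));
        if (context.User.Identity?.IsAuthenticated == true && hasScope)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    // Called from Program.cs: AuthorizationSetup.Configure(builder.Services);
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, InstanceDeleteHandler>();
        services.AddAuthorization(options =>
        {
            // Item 3: a named policy that the Delete action requires explicitly.
            options.AddPolicy(AuthzConstants.POLICY_INSTANCE_DELETE, policy =>
                policy.RequireAuthenticatedUser()
                      .AddRequirements(new InstanceDeleteRequirement()));

            // Item 2: any endpoint without [Authorize] or [AllowAnonymous] still
            // requires an authenticated user, so a forgotten attribute does not
            // silently expose an action.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
    }
}

[ApiController]
[Authorize] // item 2: every action on this controller requires an authenticated caller
[Route("instances")] // route is assumed for the example
public class InstancesController : ControllerBase
{
    [HttpPost]
    public ActionResult<string> Post(string appId, [FromBody] string instance)
        => Created("/instances/new", instance);

    // Item 3: deletion additionally needs the named policy to succeed.
    [Authorize(Policy = AuthzConstants.POLICY_INSTANCE_DELETE)]
    [HttpDelete("{instanceOwnerPartyId:int}/{instanceGuid:guid}")]
    public ActionResult Delete(int instanceOwnerPartyId, Guid instanceGuid, [FromQuery] bool hard)
        => NoContent();
}
```

The handler never calls context.Fail(); it simply does not succeed, which is enough for the policy to deny. A policy that is registered but never referenced from an [Authorize(Policy = ...)] attribute is a common way to end up with CWE-862 (missing authorization), so the attribute and the registration should be reviewed together.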

4. Don't run the application with too high privileges.

Are the Docker containers running with the correct privileges?

securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    allowPrivilegeEscalation: false

Example from Dockerfile

RUN addgroup -g 3000 dotnet && adduser -u 1000 -G dotnet -D -s /bin/false dotnet
USER dotnet
RUN mkdir /tmp/logtelemetry

5. Protect against cross-site request forgery

It is important that every endpoint that is exposed to users validates antiforgery tokens to make sure we protect against cross-site request forgery (CSRF).

As part of the platform, a custom authorization filter has been created to protect against CSRF for endpoints accessed using a cookie or a token. It is enabled by using [AutoValidateAntiforgeryTokenIfAuthCookie] on methods or controllers.

Example from DataController

[AutoValidateAntiforgeryTokenIfAuthCookie]
[Route("{org}/{app}/instances/{instanceOwnerPartyId:int}/{instanceGuid:guid}/data")]
public class DataController : ControllerBase
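To show what a filter of this kind does, here is an added example written for this checklist; it is not the platform's own AutoValidateAntiforgeryTokenIfAuthCookie implementation. It validates the antiforgery token only for state-changing requests that carry the authentication cookie, and lets bearer-token calls through because the browser does not attach such tokens automatically, so they cannot be forged cross-site. The cookie name and the filter order are assumptions.

```csharp
// Added example (not the platform's own filter): validate the antiforgery token
// only when the request was authenticated by a cookie.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class AutoValidateAntiforgeryTokenIfAuthCookieAttribute
    : Attribute, IAsyncAuthorizationFilter, IOrderedFilter
{
    // Name of the authentication cookie; assumed for this example.
    private const string AuthCookieName = "AuthCookie";

    // Run after authentication and authorization filters; 1000 mirrors the
    // order used by the built-in AutoValidateAntiforgeryTokenAttribute.
    public int Order => 1000;

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        if (!ShouldValidate(context.HttpContext.Request))
        {
            return;
        }

        IAntiforgery antiforgery =
            context.HttpContext.RequestServices.GetRequiredService<IAntiforgery>();
        try
        {
            // Checks the request token (header or form field) against the antiforgery cookie.
            await antiforgery.ValidateRequestAsync(context.HttpContext);
        }
        catch (AntiforgeryValidationException)
        {
            // Fail closed: a cookie-authenticated, state-changing request without
            // a valid token is rejected before the action runs.
            context.Result = new BadRequestResult();
        }
    }

    private static bool ShouldValidate(HttpRequest request)
    {
        // Safe methods do not change state and are exempt, as in the built-in filter.
        string method = request.Method;
        if (HttpMethods.IsGet(method) || HttpMethods.IsHead(method)
            || HttpMethods.IsOptions(method) || HttpMethods.IsTrace(method))
        {
            return false;
        }

        // Only requests authenticated by the session cookie can be forged cross-site;
        // a request authenticated with a bearer token is left to the token check.
        return request.Cookies.ContainsKey(AuthCookieName);
    }
}
```

For the filter to work, antiforgery must be registered (for example `services.AddAntiforgery(o => o.HeaderName = "X-XSRF-TOKEN")` so single-page frontends can send the token in a header), and the application must issue the token cookie to the client, e.g. via `IAntiforgery.GetAndStoreTokens(HttpContext)` on a page or endpoint the frontend loads first. Note that GET endpoints are exempt here, so a GET must never change state.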

Frontend