cheatsheetseries.owasp.org
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-17.
| Date Added | Topic | Resource | Excerpt |
|---|---|---|---|
| 2026-04-17 | AuthN | SAML Security (OWASP Cheat Sheet) | Cheat sheet on Security Assertion Markup Language (SAML) security, focused on the Web Browser SSO Profile with the Redirect and POST bindings. It addresses message confidentiality and integrity via TLS 1.2, digital signatures and XML encryption to counter eavesdropping, theft and modification of assertions. It stresses validating protocol usage (citing the Google SSO vulnerability) and hardening signature validation against XML Signature Wrapping attacks, and also covers binding implementation, countermeasures such as IP filtering and short assertion lifetimes, the handling of unsolicited responses and IdP-initiated SSO, and attacks including man-in-the-middle, stolen assertion and replay. |
| 2026-04-11 | AuthZ | Authorization Testing Automation Cheat Sheet - OWASP | Cheat sheet offering a methodology for automating authorization tests by formalizing the authorization matrix in XML. The matrix drives integration tests that validate access controls on REST services for every logical role (e.g. ANONYMOUS, BASIC, ADMIN). The process defines the roles, the services together with the roles permitted to call them, and the test payloads, so that new features or modifications cannot silently conflict with the existing authorization definitions. |
| 2026-04-11 | AuthZ | Access Control Cheat Sheet - OWASP | Access Control Cheat Sheet - OWASP |
| 2026-04-11 | AuthZ | Authorization Cheat Sheet - OWASP | Cheat sheet providing guidance for robust authorization logic, addressing Broken Access Control, the top category of the OWASP Top 10 2021. It details least privilege (grant only the permissions a principal needs), deny by default for every request, and an access check on every interaction, since a single missed check can expose resources and impact confidentiality, integrity and availability. |
| 2026-04-11 | AuthN | OWASP Credential Stuffing Prevention Cheat Sheet | Cheat sheet for defending against credential stuffing and password spraying. It presents Multi-Factor Authentication (MFA) as the primary defense, with tiered implementations and risk-based MFA triggers. Where MFA is not feasible it outlines layered alternatives: secondary passwords, CAPTCHAs, and IP mitigation strategies that take IP classification and geographic origin into account. It also touches on device fingerprinting and on defense in depth backed by robust metric collection. |
| 2026-04-11 | AI | OWASP LLM Prompt Injection Prevention Cheat Sheet | Cheat sheet detailing prompt-injection vulnerabilities in Large Language Model applications. It covers direct and indirect prompt injection, encoding and obfuscation techniques such as Base64 and Unicode smuggling, and typoglycemia-based attacks, and discusses jailbreaking methods such as DAN prompts, multi-turn attacks, system prompt extraction, data exfiltration, multimodal injection, RAG poisoning and agent-specific attacks. Defenses include input validation and sanitization, with code examples for pattern matching and for fuzzy matching against typoglycemia variants. |
| 2026-04-10 | AuthN | OWASP Session Management Cheat Sheet | Cheat sheet covering secure generation of session IDs with sufficient entropy (at least 64 bits) and length to resist brute-force guessing. It also details avoiding predictable or meaningful session ID content that could disclose information, and recommends a generic session ID name in place of technology defaults such as PHPSESSID, JSESSIONID and ASP.NET_SessionId, which fingerprint PHP, J2EE and ASP.NET respectively. |
| 2026-04-10 | AuthN | OWASP Authentication Cheat Sheet | Cheat sheet detailing secure authentication practices: user ID generation, username policies, password strength enforcement (length and character set recommendations, blocking breached passwords via services like Pwned Passwords, and strength estimation with libraries like zxcvbn-ts), secure password storage and comparison, password recovery mechanisms, and transmitting credentials exclusively over TLS. It also emphasizes re-authentication for sensitive actions to mitigate CSRF and session hijacking. |
| 2026-04-10 | JWT | OWASP JSON Web Token for Java Cheat Sheet | Cheat sheet addressing common security pitfalls when implementing JSON Web Tokens (JWT) in Java applications. It shows how to prevent the `none` algorithm attack (accepting unsigned tokens) by explicitly specifying the expected algorithm at verification time, and how to mitigate token sidejacking by binding the token to a random user fingerprint that is stored in a hardened cookie and carried in the token only as a hash, with the two compared during validation. |
| 2026-04-10 | IDOR | IDOR Prevention Cheat Sheet | Cheat sheet detailing Insecure Direct Object Reference (IDOR) prevention. It explains how IDOR arises from missing access control checks, allowing attackers to manipulate identifiers in URLs or POST bodies to reach other users' data. It recommends a server-side access control check for every object, complex identifiers only as a secondary defense, and deriving the acting user from session information rather than from exposed parameters, with code examples (e.g. Ruby on Rails) that scope object lookups to the datasets the current user may access. |
| 2026-04-10 | Deser | OWASP Deserialization Cheat Sheet | Cheat sheet on safely deserializing untrusted data, covering vulnerabilities and mitigations across PHP, Python and Java. It covers identifying insecure usage of functions like `unserialize()` and `pickle.loads()`, and advises hardening Java's `ObjectInputStream` through subclassing or agents, mentioning libraries such as NibbleSec's SerialKiller. It emphasizes preferring safe interchange formats like JSON and protecting sensitive data by declaring fields `transient`. |
| 2026-04-03 | CSRF | Cross-Site Request Forgery Prevention Cheat Sheet \| OWASP | Cheat sheet on Cross-Site Request Forgery (CSRF), where an attacker tricks a user's browser into performing unwanted actions on a site that trusts it. It recommends framework-built-in protection, synchronizer tokens for stateful applications and double-submit cookies for stateless ones, and discusses Fetch Metadata headers, the SameSite cookie attribute and user-interaction-based protection, with the caveat that Cross-Site Scripting (XSS) can undermine every CSRF mitigation. |
| 2026-04-03 | GraphQL | GraphQL Cheat Sheet \| OWASP | Cheat sheet detailing security considerations for GraphQL APIs. It addresses injection, DoS and authorization abuse, emphasizing strict input validation, disabling insecure defaults (introspection, verbose errors), and query depth and amount limiting. It also covers DoS prevention through timeouts, query cost analysis and rate limiting, with recommendations and examples for several implementations, including graphql-java and JavaScript. |
| 2026-04-03 | Secrets | Secrets Management - OWASP Cheat Sheet Series | Cheat sheet outlining best practices for secrets management in DevOps environments: high availability, centralized and standardized secret storage, fine-grained access control based on least privilege, and automation through pipelines, dynamic secrets and automated rotation. Architectural patterns are illustrated with examples such as a Kubernetes sidecar container for HashiCorp Vault and serverless functions with AWS Secrets Manager. |
| 2025-08-14 | XXE | XML External Entity Prevention · OWASP Cheat Sheet Series | Guides developers in preventing XML External Entity (XXE) injection, an OWASP Top 10 threat. It details configurations for XML parsers across languages, including Java (JAXP, DOM4J), C++ (libxml2, libxerces-c) and ColdFusion (Adobe, Lucee), emphasizing the need to disable DOCTYPE declarations and external entity loading to mitigate risks such as SSRF and denial of service. |
| 2025-08-14 | SSRF | Server_Side_Request_Forgery_Prevention_Cheat_Sheet_SSRF_Bible.pdf | PDF of the "SSRF Bible", a reference document on server-side request forgery (SSRF), the vulnerability in which an attacker induces a server to issue requests on the attacker's behalf, for example toward internal hosts. It is linked from the OWASP Server Side Request Forgery Prevention cheat sheet (listed below) as supplementary material. |
| 2025-08-14 | SSRF | Server Side Request Forgery Prevention - OWASP Cheat Sheet Series | OWASP's Server-Side Request Forgery Prevention cheat sheet addresses defending against SSRF when an application must reach external or internal services. It details input-validation defenses at both the application and network layers and advocates an allowlist approach for user-supplied URLs, IP addresses, domain names and strings, referencing bypass techniques discussed by researcher Orange Tsai, alternative encodings of addresses, and the behaviour of DNS resolution (DNS pinning). It also touches on preventing XXE, which can be used to trigger SSRF. |
| 2021-10-25 | API Sec | HTTP Headers | Cheat sheet detailing security-focused HTTP headers such as X-Frame-Options, the Content Security Policy (CSP) frame-ancestors directive, X-Content-Type-Options, Referrer-Policy and Strict-Transport-Security (HSTS), with configuration recommendations to prevent vulnerabilities such as Cross-Site Scripting and Clickjacking. It also covers X-XSS-Protection (which it recommends setting to `0`), Content-Type, Cache-Control, Set-Cookie and Access-Control-Allow-Origin, and their roles in hardening web applications. |
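The two JWT defenses summarized above (fixing the algorithm on the verifier side so `alg: none` is rejected, and binding the token to a fingerprint cookie to stop sidejacking) in one runnable Python example. This is an added illustration, not the cheat sheet's Java code: HS256 is implemented directly with the standard library instead of a JWT library, the key, cookie name and claim name `userFingerprint` are constructed for the example, and `forge_none_token` builds the attacker's unsigned token so the rejection can be exercised.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed HS256 key for the example; a real service loads it from a secrets store.
SECRET_KEY = b"example-hs256-key-do-not-use-in-production"

# The verifier fixes the algorithm. The token header is never trusted to choose it,
# which is what closes the "alg": "none" hole.
ALLOWED_ALGS = {"HS256"}

# Hardened cookie (hypothetical name) that carries the raw fingerprint to the browser.
FINGERPRINT_COOKIE = "__Secure-Fgp"
COOKIE_ATTRIBUTES = "HttpOnly; Secure; SameSite=Strict; Path=/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(claims: dict) -> tuple[str, str]:
    """Return (jwt, fingerprint). The raw fingerprint goes only into the cookie;
    the token carries its SHA-256 hash, so a stolen token alone is useless."""
    fingerprint = secrets.token_hex(32)
    payload = dict(claims, userFingerprint=hashlib.sha256(fingerprint.encode()).hexdigest())
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    return signing_input + "." + _b64url(_sign(signing_input)), fingerprint


def set_cookie_header(fingerprint: str) -> str:
    """Value for the Set-Cookie response header that delivers the fingerprint."""
    return f"{FINGERPRINT_COOKIE}={fingerprint}; {COOKIE_ATTRIBUTES}"


def verify_token(token: str, fingerprint_cookie: Optional[str]) -> Optional[dict]:
    """Return the claims if algorithm, signature and fingerprint all check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:  # bad structure, bad base64, bad JSON, bad UTF-8
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # 1. Algorithm allowlist: "none" (or any other value) is rejected before any
    #    signature check, so an unsigned token never gets further than this line.
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    if not hmac.compare_digest(_sign(h64 + "." + p64), signature):
        return None
    # 2. Sidejacking defense: the presented cookie must hash to the value sealed
    #    inside the (now authenticated) token.
    if not fingerprint_cookie:
        return None
    cookie_hash = hashlib.sha256(fingerprint_cookie.encode()).hexdigest()
    if not hmac.compare_digest(cookie_hash, str(payload.get("userFingerprint", ""))):
        return None
    return payload


def forge_none_token(claims: dict) -> str:
    """What an attacker submits to a verifier that honours alg=none (constructed
    for the example): arbitrary claims with an empty signature segment."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    return header + "." + _b64url(json.dumps(claims).encode()) + "."


if __name__ == "__main__":
    token, fp = issue_token({"sub": "alice"})
    print(set_cookie_header(fp))
    print("valid:", verify_token(token, fp) is not None)
    print("none token accepted:", verify_token(forge_none_token({"sub": "admin"}), fp) is not None)
    print("token without cookie accepted:", verify_token(token, None) is not None)
```

The order of the checks matters: the algorithm is pinned and the MAC verified before any claim is read, and the fingerprint is compared only after the token is known to be genuine, so a forged `userFingerprint` claim cannot be used to bypass the binding.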
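The allowlist approach from the SSRF Prevention entry, worked through in Python as an added example (not code from the cheat sheet). The allowlisted hosts, the scheme and port policy and the `is_public_ip` second layer are assumptions made for the example; the point it demonstrates is that an exact-match allowlist on the parsed hostname rejects the encoded and look-alike forms of an address without needing a denylist of them, and that the resolved address still has to be checked separately.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for the example: the only destinations this feature may fetch.
ALLOWED_HOSTS = {"api.partner.example", "cdn.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {None, 443}   # None means "default for the scheme"


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def validate_outbound_url(url: str) -> str:
    """Return a normalized URL if it targets an allowlisted host, else raise ValueError.

    The check is an exact match on the parsed hostname, so alternative encodings
    of an address (127.1, 0x7f000001, 2130706433, [::1]) and look-alike names
    (api.partner.example.evil.test) fail simply because they are not on the list.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if parts.username is not None or parts.password is not None:
        # https://api.partner.example@evil.test/ puts the allowlisted name in userinfo
        raise ValueError("userinfo not allowed in URL")
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        raise ValueError("missing host")
    if _is_ip_literal(host):
        raise ValueError(f"IP literal not allowed: {host}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowlisted: {host}")
    if parts.port not in ALLOWED_PORTS:   # .port raises ValueError on a non-numeric port
        raise ValueError(f"port not allowed: {parts.port}")
    # Rebuild only from validated parts: drops userinfo and fragment, keeps path/query.
    return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))


def is_allowed(url: str) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


def is_public_ip(ip: str) -> bool:
    """Second layer, applied to the address the allowlisted name resolved to.

    Resolve once and connect to that same address (pinning), then reject loopback,
    private, link-local (including the 169.254.169.254 cloud metadata endpoint) and
    other non-global ranges, so a name that later resolves inward is still blocked.
    """
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("https://API.Partner.Example/v1?x=1#frag",
                      "https://api.partner.example@evil.test/",
                      "https://2130706433/", "https://[::1]/"):
        print(candidate, "->", "allowed" if is_allowed(candidate) else "rejected")
    print("169.254.169.254 public?", is_public_ip("169.254.169.254"))
```

`urlsplit` is used here deliberately: it is the same parser the request library will use in Python, so the host that is validated is the host that is connected to. Validating with one parser and fetching with another is exactly the mismatch Orange Tsai's bypasses exploit.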
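The authorization-matrix technique from the Authorization Testing Automation entry, as an added Python example rather than the cheat sheet's own Java harness. The XML layout is modelled loosely on the cheat sheet's (roles, then services listing the roles allowed to call them) but is an assumption for this example, as are the service names and URIs; the REST service is replaced by a constructed in-process stand-in with one deliberate authorization bug so the generated tests have something to catch.

```python
import xml.etree.ElementTree as ET
from typing import Callable

# Constructed authorization matrix (trusted, version-controlled artefact, not user input).
AUTHZ_MATRIX_XML = """
<authorization-matrix>
  <roles>
    <role name="ANONYMOUS" description="Not authenticated"/>
    <role name="BASIC" description="Authenticated, standard privileges"/>
    <role name="ADMIN" description="Authenticated, full privileges"/>
  </roles>
  <services>
    <service name="ListMessages" uri="/messages" http-method="GET"
             http-response-code-for-access-allowed="200"
             http-response-code-for-access-denied="403">
      <role name="BASIC"/>
      <role name="ADMIN"/>
    </service>
    <service name="DeleteMessage" uri="/messages/1" http-method="DELETE"
             http-response-code-for-access-allowed="200"
             http-response-code-for-access-denied="403">
      <role name="ADMIN"/>
    </service>
    <service name="Health" uri="/health" http-method="GET"
             http-response-code-for-access-allowed="200"
             http-response-code-for-access-denied="403">
      <role name="ANONYMOUS"/>
      <role name="BASIC"/>
      <role name="ADMIN"/>
    </service>
  </services>
</authorization-matrix>
"""


def expected_outcomes(matrix_xml: str) -> dict[tuple[str, str], int]:
    """Expand the matrix into (service, role) -> expected HTTP status for EVERY role.
    A role absent from a service means 'must be denied', so the negative cases are
    generated automatically and cannot be forgotten."""
    root = ET.fromstring(matrix_xml)
    roles = [r.get("name") for r in root.find("roles")]
    expected = {}
    for svc in root.find("services"):
        allowed = {r.get("name") for r in svc.findall("role")}
        for role in roles:
            attr = ("http-response-code-for-access-allowed" if role in allowed
                    else "http-response-code-for-access-denied")
            expected[(svc.get("name"), role)] = int(svc.get(attr))
    return expected


def run_matrix_tests(matrix_xml: str, call: Callable[[str, str, str], int]) -> list[str]:
    """Call every service as every role through `call(role, method, uri)` and return
    one line per mismatch between the matrix and the observed status code."""
    root = ET.fromstring(matrix_xml)
    services = {s.get("name"): (s.get("http-method"), s.get("uri"))
                for s in root.find("services")}
    failures = []
    for (svc, role), want in sorted(expected_outcomes(matrix_xml).items()):
        method, uri = services[svc]
        got = call(role, method, uri)
        if got != want:
            failures.append(f"{svc} as {role}: expected {want}, got {got}")
    return failures


# Constructed stand-in for the REST service under test. In a real run `call` would
# obtain a token for the role and issue the HTTP request; here the policy is a table
# that deliberately lets BASIC delete messages so the matrix test has a finding.
_FAKE_POLICY = {
    ("GET", "/messages"): {"BASIC", "ADMIN"},
    ("DELETE", "/messages/1"): {"BASIC", "ADMIN"},   # bug: BASIC must be denied
    ("GET", "/health"): {"ANONYMOUS", "BASIC", "ADMIN"},
}


def fake_rest_call(role: str, method: str, uri: str) -> int:
    return 200 if role in _FAKE_POLICY.get((method, uri), set()) else 403


if __name__ == "__main__":
    findings = run_matrix_tests(AUTHZ_MATRIX_XML, fake_rest_call)
    for line in findings:
        print("FAIL:", line)
    print("authorization matrix respected" if not findings else f"{len(findings)} violation(s)")
```

Running this in CI means a change that widens access to any service fails the build unless the matrix is updated in the same change, which is the review hook the cheat sheet is after.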