OWASP ASVS Requirements v5.0

V1.1 - Encoding and Sanitization Architecture 2 requirements

V1.2 - Injection Prevention 10 requirements

V1.3 - Sanitization 12 requirements

V1.4 - Memory, String, and Unmanaged Code 3 requirements

V1.5 - Safe Deserialization 3 requirements

V2.1 - Validation and Business Logic Documentation 3 requirements

V2.2 - Input Validation 3 requirements

V2.3 - Business Logic Security 5 requirements

V2.4 - Anti-automation 2 requirements

V3.1 - Web Frontend Security Documentation 1 requirements

V3.2 - Unintended Content Interpretation 3 requirements

V3.3 - Cookie Setup 5 requirements

V3.4 - Browser Security Mechanism Headers 8 requirements

V3.5 - Browser Origin Separation 8 requirements

V3.6 - External Resource Integrity 1 requirements

V3.7 - Other Browser Security Considerations 5 requirements

V4.1 - Generic Web Service Security 5 requirements

V4.2 - HTTP Message Structure Validation 5 requirements

V4.3 - GraphQL 2 requirements

V4.4 - WebSocket 4 requirements

V5.1 - File Handling Documentation 1 requirements

V5.2 - File Upload and Content 6 requirements

V5.3 - File Storage 3 requirements

V5.4 - File Download 3 requirements

V6.1 - Authentication Documentation 3 requirements

V6.2 - Password Security 12 requirements

V6.3 - General Authentication Security 8 requirements

V6.4 - Authentication Factor Lifecycle and Recovery 6 requirements

V6.5 - General Multi-factor authentication requirements 8 requirements

V6.6 - Out-of-Band authentication mechanisms 4 requirements

V6.7 - Cryptographic authentication mechanism 2 requirements

V6.8 - Authentication with and Identity Provider 4 requirements

V7.1 - Session Management Documentation 3 requirements

V7.2 - Fundamental Session Management Security 4 requirements

V7.3 - Session Timeout 2 requirements

V7.4 - Session Termination 5 requirements

V7.5 - Defenses Against Session Abuse 3 requirements

V7.6 - Federated Re-authentication 2 requirements

V8.1 - Authorization Documentation 4 requirements

V8.2 - General Authorization Design 4 requirements

V8.3 - Operation Level Authorization 3 requirements

V8.4 - Other Authorization Considerations 2 requirements

V9.1 - Token source and integrity 3 requirements

V9.2 - Token content 4 requirements

V10.1 - Generic OAuth and OIDC Security 2 requirements

V10.2 - OAuth Client 3 requirements

V10.3 - OAuth Resource Server 5 requirements

V10.4 - OAuth Authorization Server 16 requirements

V10.5 - OIDC Client 5 requirements

V10.6 - OpenID Provider 2 requirements

V10.7 - Consent Management 3 requirements

V11.1 - Cryptographic Inventory and Documentation 4 requirements

V11.2 - Secure Cryptography Implementation 5 requirements

V11.3 - Encryption Algorithms 5 requirements

V11.4 - Hashing and Hash-based Functions 4 requirements

V11.5 - Random Values 2 requirements

V11.6 - Public Key Cryptography 2 requirements

V11.7 - In-Use Data Cryptography 2 requirements

V12.1 - General TLS Security Guidance 5 requirements

V12.2 - HTTPS Communication with External Facing Services 2 requirements

V12.3 - General Service to Service Communication Security 5 requirements

V13.1 - Configuration Documentation 4 requirements

V13.2 - Backend Communication Configuration 6 requirements

V13.3 - Secret Management 4 requirements

V13.4 - Unintended Information Leakage 7 requirements

V14.1 - Data Protection Documentation 2 requirements

V14.2 - General Data Protection 8 requirements

V14.3 - Client-side Data Protection 3 requirements

V15.1 - Secure Coding and Architecture Documentation 5 requirements

V15.2 - Security Architecture and Dependencies 5 requirements

V15.3 - Defensive Coding 7 requirements

V15.4 - Safe Concurrency 4 requirements

V16.1 - Security Logging Documentation 1 requirements

V16.2 - General Logging 5 requirements

V16.3 - Security Events 4 requirements

V16.4 - Log Protection 3 requirements

V16.5 - Error Handling 4 requirements

V17.1 - TURN Server 2 requirements

V17.2 - Media 8 requirements

V17.3 - Signaling 2 requirements