CheatSheetSeries

The OWASP Cheat Sheet Series is a comprehensive, community-driven repository of concise security best practices and defensive coding patterns. It serves as a centralized knowledge base for developers and security professionals, providing actionable guidance to secure applications across the entire software development lifecycle. The project covers a vast array of security domains, ranging from fundamental web application hardening and authentication protocols to specialized controls for modern infrastructure and artificial intelligence systems.

What distinguishes this project is its decentralized, collaborative editorial process. By utilizing a version-controlled, markdown-based workflow, the series ensures that security guidance remains vendor-neutral, peer-reviewed, and universally accessible. This structure allows the community to rapidly evolve and maintain technical documentation, ensuring that defensive strategies keep pace with emerging threats and shifting technology stacks.

The project provides extensive coverage of critical security areas, including robust input validation, access control enforcement, and supply chain risk management. It offers detailed implementation guides for securing cloud-native architectures, containerized environments, and various language-specific frameworks. Furthermore, the series addresses advanced topics such as artificial intelligence agent safety, prompt injection prevention, and zero-trust architectural principles.

The documentation is maintained as an open-source repository, with content transformed into a navigable web format through automated static site generation.

Features

Security Best Practices - Provides comprehensive security best practices and checklists for developers.
Framework Security Modules - Implements robust access control and data protection settings specifically designed for the framework's security architecture.
Injection Prevention - Sanitizes all user inputs to ensure they cannot be interpreted as commands by backend systems.
LLM Prompt Injection Prevention - Provides input validation and sanitization techniques to prevent attackers from manipulating model behavior through malicious prompts.
Supply Chain Security - Verifies software components and build processes to prevent the introduction of malicious code.
Access Control Policies - Enforces strict access control policies ensuring users only interact with permitted data and functions.
AI Agent Security - Provides security controls for artificial intelligence agents to prevent unauthorized access and malicious manipulation of automated decision-making processes.
Credential Storage - Protects user passwords using strong, salted hashing algorithms to prevent unauthorized access and decryption attempts.
Cross-Site Scripting Prevention - Provides robust sanitization and encoding to prevent malicious script injection.
Multifactor Authentication - Enforces identity verification requiring multiple forms of authentication to reduce the risk of unauthorized account access.
Query Parameterization - Uses prepared statements to separate data from commands, preventing injection attacks.
SQL Injection Prevention - Sanitizes database queries to ensure user input cannot be used to manipulate or extract unauthorized data.
XSS Protections - Sanitizes user-supplied data to prevent malicious script execution in browsers.
Zero Trust Architectures - Implements continuous verification of every request to ensure least-privilege access.
Web Security Hardening - Protects web applications against common vulnerabilities like injection and cross-site scripting.
Pipeline Security - Protects automated build and deployment pipelines from unauthorized access and malicious code injection.
Vulnerability Management - Monitors and updates third-party libraries to ensure known security flaws are addressed.
AI Operations Security - Implements security controls throughout the machine learning model lifecycle to prevent unauthorized access, tampering, and model poisoning.
Configuration Hardening - Implements security-focused configuration hardening for server and language environments to reduce the overall attack surface.
CSRF Protections - Validates state-changing requests to ensure they originate from authorized users.
Data Encryption - Protects sensitive data at rest using strong encryption algorithms.
Deserialization Security - Validates serialized data before processing to prevent arbitrary code execution.
Framework Security Hardening - Framework-specific configurations to defend web applications against common security vulnerabilities and misconfiguration errors.
HTTP Security Headers - Configures security-focused response headers to enforce protective browser policies.
Infrastructure as Code Security - Scans configuration files to protect cloud environments from misconfigurations.
Insecure Direct Object Reference Prevention - Ensures users cannot manipulate identifiers to access objects they are not authorized to view.
Kubernetes Security - Hardens cluster configurations and network policies to prevent unauthorized access.
Multi-Tenant Security - Ensures data and resource isolation between users to prevent cross-tenant leakage.
OAuth2 Implementations - Provides secure authorization flow configuration allowing users to grant limited access to resources without sharing primary credentials.
REST API Security - Implements authentication, authorization, and rate limiting to protect web services.
Service Communication Security - Implements mutual authentication and encryption to secure communication channels between distributed microservices.
Session Management - Provides secure handling of user sessions to prevent hijacking and unauthorized access to protected accounts.
Transport Layer Security - Ensures data confidentiality and integrity during transit between clients and servers.
Secure Development Lifecycles - Implements industry-standard security practices throughout the design, development, and deployment phases.
Supply Chain Security - Identifies and mitigates risks associated with third-party libraries and automated build pipelines.
Input Validation - Enforces strict allow-lists for all incoming data to ensure only expected formats reach application logic.
Application Security - Standardized cheat sheets for application security.
Security References - Comprehensive guides for secure development and testing.
Security Tools - Listed in the “Security Tools” section of the Awesome Hacking awesome list.
Workflow Security - Configures workflow permissions and secrets to prevent unauthorized access to build environments.
Business Logic Security - Hardens critical application workflows to prevent attackers from manipulating core processes.
Cloud Architecture Security - Defines architectural patterns that ensure data protection and resource isolation in cloud environments.
Container Security - Hardens container images and runtime environments to prevent unauthorized access.
Content Security Policies - Defines allowed sources for scripts and styles to prevent malicious injections.
Credential Stuffing Protections - Provides rate limiting and anomaly detection to stop attackers from using stolen credentials to gain unauthorized access.
Cryptographic Key Management - Ensures secure storage and rotation of sensitive keys for encrypted data.
Database Access Control - Enforces least-privilege access controls to protect stored data from unauthorized manipulation.
DOM-based XSS Protections - Sanitizes client-side data handling to prevent malicious script execution in the browser.
HSTS - Enforces encrypted connections for all traffic to prevent eavesdropping and man-in-the-middle attacks.
Identity Verification - Ensures only authorized users gain access to protected application resources and data through robust identity verification mechanisms.
Mass Assignment Prevention - Restricts user input fields to prevent attackers from modifying sensitive data or escalating privileges.
Microservices Security - Applies defense-in-depth principles to ensure individual services remain protected.
Mobile Application Security - Protects mobile data and prevents unauthorized access to device features and sensors.
OS Command Injection Prevention - Sanitizes inputs passed to system commands to prevent unauthorized code execution on the underlying operating system.
Retrieval-Augmented Generation Security - Implements access controls and input validation to prevent unauthorized exposure of sensitive data during the retrieval process.
Secrets Management - Provides secure storage and access for credentials and tokens to prevent unauthorized exposure.
SSRF Protections - Validates server-side requests to ensure they originate from trusted sources.
Threat Modeling - Identifies and prioritizes potential threats to inform the selection of security controls.
Web Service Security - Implements authentication and encryption for web service interfaces to prevent unauthorized access.
Threat Modeling - Designs resilient systems by proactively identifying potential attack vectors and establishing security controls.
Cloud Infrastructure Security - Secures modern infrastructure environments through hardened configuration and architectural best practices.
Package Security - Audits third-party dependencies to prevent the inclusion of malicious code.
Authorization Testing - Provides automated verification of access control logic to ensure permissions remain correctly enforced.
Cookie Security - Enforces secure attributes and storage practices to prevent unauthorized session cookie access.
Cryptographic Implementations - Implements secure cryptographic practices for generating and validating security tokens.
Denial of Service Prevention - Implements resource limits and traffic filtering to ensure application availability during traffic spikes.
File Upload Security - Validates file types and contents to prevent the upload of malicious scripts.
GraphQL Security - Limits query depth and enforces field-level authorization to prevent resource exhaustion.
Identity Management - Configures authentication and authorization services to ensure secure identity management.
Model Context Protocol Security - Ensures safe and authorized interaction between artificial intelligence models and external tools via context protocols.
Password Recovery Workflows - Implements secure workflows for resetting user credentials to prevent account hijacking through weak recovery processes.
Payment Gateway Security - Validates communication patterns for secure payment processing through third-party services.
SAML Integrations - Configures identity exchange protocols to ensure secure authentication and authorization across different domains and service providers.
Serverless Security - Implements security controls for ephemeral serverless execution environments to prevent resource abuse.
User Privacy Protection - Implements data minimization and access controls to ensure user information remains confidential.
WebSocket Security - Secures persistent connections through authentication and input validation to prevent data injection.
XML External Entity Prevention - Disables dangerous features in XML parsers to prevent unauthorized access through external entities.
Build Toolchain Hardening - Configures development and build environments to prevent malicious code injection during the compilation process.
Static Site Generators - Transforms source documentation into a navigable web format during the build process for high performance and accessibility.
Dependency Tracking - Monitors third-party components to identify risks from vulnerable or outdated libraries.
AI-Generated Code Validation - Ensures code generated by artificial intelligence remains free of vulnerabilities and follows safe coding practices.
Application Security Standards - Establishes baseline security requirements for modern software development lifecycles.
Attack Surface Analysis - Maps entry points and exposed interfaces to identify potential vulnerabilities.
Bot Management - Detects and blocks automated malicious traffic while ensuring legitimate user access.
Certificate Pinning - Restricts trusted certificates to prevent man-in-the-middle attacks on encrypted channels.
Drone Communication Security - Implements robust authentication and encryption for drone communication channels to prevent unauthorized control.
gRPC Security - Provides authentication and encryption for remote procedure calls between distributed services.
Language Security Patterns - Enforces strict input validation and secure coding patterns to protect software from vulnerabilities.
Network Segmentation - Provides strategies for isolating network segments to limit lateral movement during security incidents.
NoSQL Security - Implements access controls and query sanitization to prevent unauthorized data access in NoSQL databases.
Prototype Pollution Protections - Validates object property assignments to prevent unauthorized modification of runtime behavior.
Security Logging Management - Records security-relevant events in a structured format to facilitate incident response.
Server Hardening - Hardens server-side execution contexts to prevent common vulnerabilities.
Third-Party Script Security - Restricts external script execution to prevent unauthorized data collection and malicious behavior.
Transaction Authorization - Verifies financial or sensitive actions to prevent unauthorized operations.

OWASP/Top10

5,273View on GitHub

This project is a web application security standard and vulnerability framework. It provides a comprehensive list of the most critical security risks facing web applications, paired with technical guidance and a structured methodology for identifying and mitigating these flaws. The framework functions as a secure coding guide and a risk assessment methodology, offering a standardized approach to prioritizing vulnerabilities based on their potential impact and likelihood of exploitation. It defines architectural patterns and technical recommendations to help developers implement defense in dep

microsoft/Security-101

6,203View on GitHub

Security-101 is a vendor-agnostic, foundational cybersecurity learning curriculum organized into modular, framework-aligned modules. It is designed to build core knowledge across multiple security domains without tying content to specific products or platforms, making it suitable for both beginners and professionals seeking a structured introduction to the field. The curriculum is built around established security frameworks, including the MITRE ATT&CK framework for standardized threat analysis and the NIST Cybersecurity Framework for incident response workflows. It covers a broad range of do

0x4m4/hexstrike-ai

9,617View on GitHub

This project is a comprehensive security platform providing an LLM security orchestration framework, an AI agent firewall, and tools for vulnerability remediation, compliance automation, and endpoint protection. It functions as a centralized system to protect AI models from adversarial exploits while managing the identification and patching of software flaws. The platform distinguishes itself through the coordination of specialized AI agents to automate complex security workflows, including reconnaissance, bug hunting, and exploit development. It implements dedicated guardrails to block promp

nats-io/nats-server

20,076View on GitHub

NATS Server is a high-performance, lightweight messaging system designed for cloud-native applications, edge computing, and distributed microservices. It functions as a distributed publish-subscribe broker that routes messages using hierarchical, dot-separated subject strings, enabling decoupled communication between services without requiring centralized broker lookups. The system supports core messaging patterns including asynchronous publish-subscribe, request-reply, and load-balanced queue processing. The platform distinguishes itself through a decentralized architecture that eliminates t

OWASPCheatSheetSeries

Features