9. Passwords
• Store it using a strong salted hash
  • bcrypt
• Never send it by e-mail or store it in plain text
• Protect user creation/password recovery forms with a captcha
  • reCAPTCHA when possible
  • JCaptcha as second choice
15. Never trust content from the client
• Never use file names from uploads
  • Use a UUID as the filename when saving to the hard drive
• Enforce a file size limit
  • Endless uploads can crash the server
• Validations made in JavaScript must be done again on the server
18. Hide the stack traces
• Evil user can discover:
  • Frameworks/versions
  • Paths
  • Pieces of code/details of implementation
• Solution:
  • Spring MVC @ControllerAdvice @ExceptionHandler
  • web.xml error-page
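One way to apply the Spring MVC solution from this slide, also covering the upload size limit from slide 15, as an added example that is not part of the original deck. It assumes Spring MVC with an SLF4J logger on the classpath and a multipart resolver already configured with a maximum upload size; the class and method names are illustrative.

```java
import java.util.UUID;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.multipart.MaxUploadSizeExceededException;

/**
 * Illustrative handler: catches exceptions that escape any controller so the
 * default error page (which may print the stack trace, framework versions and
 * file system paths) is never rendered to the browser.
 */
@ControllerAdvice
public class GlobalExceptionHandler {

    private static final Logger log = LoggerFactory.getLogger(GlobalExceptionHandler.class);

    // Raised by the multipart resolver when an upload exceeds the configured
    // limit (assumed to be set elsewhere). Answer with 413 and no detail.
    @ExceptionHandler(MaxUploadSizeExceededException.class)
    public ResponseEntity<String> handleTooLarge(MaxUploadSizeExceededException ex) {
        log.warn("Rejected upload over the size limit: {}", ex.getMessage());
        return ResponseEntity.status(HttpStatus.PAYLOAD_TOO_LARGE)
                .body("The uploaded file is too large.");
    }

    // Catch-all: anything else becomes a generic 500 with a reference id.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<String> handleAnything(Exception ex) {
        // Correlation id lets support find the full trace in the server log
        // without exposing class names, paths or stack frames to the client.
        String incidentId = UUID.randomUUID().toString();

        // Full detail (including the stack trace) stays server-side only.
        log.error("Unhandled exception, incident {}", incidentId, ex);

        return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
                .body("An internal error occurred. Reference: " + incidentId);
    }
}
```

Errors that never reach Spring MVC (for example failures in servlet filters or 404s outside the dispatcher) are not covered by this class; that is where the slide's web.xml error-page mapping still applies.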
20. Test
• OWASP ZAP
  • Automated testing
  • Every error found is important
  • Use the proxy in every functionality
  • Can be integrated into Continuous Integration
• Evil user in the scenarios
  • Automate it too!