From f296cd0108fd5826ae413de0080b6608d61ab428 Mon Sep 17 00:00:00 2001
From: Wind-Explorer
Date: Fri, 7 Feb 2025 11:21:13 +0800
Subject: [PATCH] prep

---
 .gitignore | 6 +-
 AceJobAgency/appsettings.Development.json | 16 ----
 README.md | 104 +++++++++++++++++++++
 3 files changed, 108 insertions(+), 18 deletions(-)
 delete mode 100644 AceJobAgency/appsettings.Development.json

diff --git a/.gitignore b/.gitignore
index 9491a2f..bca3a83 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,6 +38,8 @@ bld/
 # Uncomment if you have tasks that create the project's static files in wwwroot
 #wwwroot/
+.idea/
+
 # Visual Studio 2017 auto generated files
 Generated\ Files/
@@ -360,4 +362,6 @@ MigrationBackup/
 .ionide/
 # Fody - auto-generated XML schema
-FodyWeavers.xsd
\ No newline at end of file
+FodyWeavers.xsd
+
+appsettings.Developmment.json
\ No newline at end of file
diff --git a/AceJobAgency/appsettings.Development.json b/AceJobAgency/appsettings.Development.json
deleted file mode 100644
index 8d2ac24..0000000
--- a/AceJobAgency/appsettings.Development.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
- "ConnectionStrings": {
- "DefaultConnection": "server=mommy;port=3306;database=ACE_JOB_AGENCY;user=mommy;password=mysql"
- },
- "Authentication": {
- "Secret": "b8bc713a-d8d1-4d37-911e-1bb934d70ba5",
- "TokenExpiresDays": 30
- },
- "Logging": {
- "LogLevel": {
- "Default": "Information",
- "Microsoft.AspNetCore": "Warning"
- }
- },
- "AllowedHosts": "*"
-}
diff --git a/README.md b/README.md
index 12a05ab..7ed0572 100644
--- a/README.md
+++ b/README.md
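Review bot: The ignore entry added at the end of .gitignore in the second hunk is misspelled — `appsettings.Developmment.json` has a doubled "m" — so the file this commit deletes, `AceJobAgency/appsettings.Development.json`, is still not ignored and a local copy will be re-staged by the next `git add .`; the line should read `appsettings.Development.json`. The deleted file held a database connection string with credentials and an `Authentication:Secret` value, and removing it from the tree does not remove it from history, since the blob remains reachable from this commit's parent; those values should be treated as exposed and rotated rather than relied on. It would also help to say in the README, or in a committed `appsettings.Development.json.example` with placeholder values, how developers are expected to supply these settings locally (for example via `dotnet user-secrets`), so the same file is not recreated and committed again.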
@@ -1 +1,103 @@
-# AceJobAgency
\ No newline at end of file
+# Web Application Security Checklist
+
+> EZYSoft is a software developer company helping companies to transform their traditional business model to online presence. Several companies have engaged EZYSoft service to help develop a secure website based on their initial requirements.
+>
+> The various companies are organized by module-groups and have different project requirements. You are to develop the initial website features based on module-group. Below are there the application requirements for Registration and Authentication. For registration, it is preferred the user’s email address is being used for the authentication.
+>
+> You are tasked to create a **.Net Core Web Application** from scratch by implementing the recommended security features highlighted in the table shown below.
+>
+> For Registration and displaying info on your homepage, please taker reference from the table below.
+
+
+
+**Company Name:** Ace Job Agency (Membership Service)
+
+Membership Registration Form should consist of the following input fields:
+
+- First Name
+- Last Name
+- Gender
+- NRIC (Must be encrypted)
+- Email address (Must be unique)
+- Password
+- Confirm Password
+- Date of Birth
+- Resume
+- Who Am I (allow all special chars)
+
+## Registration and User Data Management
+
+- [ ] Implement successful saving of member info into the database
+- [ ] Check for duplicate email addresses and handle appropriately
+- [ ] Implement strong password requirements:
+ - [ ] Minimum 12 characters
+ - [ ] Combination of lowercase, uppercase, numbers, and special characters
+ - [ ] Provide feedback on password strength
+ - [ ] Implement both client-side and server-side password checks
+- [ ] Encrypt sensitive user data in the database (e.g., NRIC, credit card numbers)
+- [ ] Implement proper password hashing and storage
+- [ ] Implement file upload restrictions (e.g., .docx, .pdf, or .jpg only)
+
+## Session Management
+
+- [ ] Create a secure session upon successful login
+- [ ] Implement session timeout
+- [ ] Route to homepage/login page after session timeout
+- [ ] Detect and handle multiple logins from different devices/browser tabs
+
+## Login/Logout Security
+
+- [ ] Implement proper login functionality
+- [ ] Implement rate limiting (e.g., account lockout after 3 failed login attempts)
+- [ ] Perform proper and safe logout (clear session and redirect to login page)
+- [ ] Implement audit logging (save user activities in the database)
+- [ ] Redirect to homepage after successful login, displaying user info
+
+## Anti-Bot Protection
+
+- [ ] Implement Google reCAPTCHA v3 service
+
+## Input Validation and Sanitization
+
+- [ ] Prevent injection attacks (e.g., SQL injection)
+- [ ] Implement Cross-Site Request Forgery (CSRF) protection
+- [ ] Prevent Cross-Site Scripting (XSS) attacks
+- [ ] Perform proper input sanitization, validation, and verification for all user inputs
+- [ ] Implement both client-side and server-side input validation
+- [ ] Display error or warning messages for improper input
+- [ ] Perform proper encoding before saving data into the database
+
+## Error Handling
+
+- [ ] Implement graceful error handling on all pages
+- [ ] Create and display custom error pages (e.g., 404, 403)
+
+## Software Testing and Security Analysis
+
+- [ ] Perform source code analysis using external tools (e.g., GitHub)
+- [ ] Address security vulnerabilities identified in the source code
+
+## Advanced Security Features
+
+- [ ] Implement automatic account recovery after lockout period
+- [ ] Enforce password history (avoid password reuse, max 2 password history)
+- [ ] Implement change password functionality
+- [ ] Implement reset password functionality (using email link or SMS)
+- [ ] Enforce minimum and maximum password age policies
+- [ ] Implement Two-Factor Authentication (2FA)
+
+## General Security Best Practices
+
+- [ ] Use HTTPS for all communications
+- [ ] Implement proper access controls and authorization
+- [ ] Keep all software and dependencies up to date
+- [ ] Follow secure coding practices
+- [ ] Regularly backup and securely store user data
+- [ ] Implement logging and monitoring for security events
+
+## Documentation and Reporting
+
+- [ ] Prepare a report on implemented security features
+- [ ] Complete and submit the security checklist
+
+Remember to test each security feature thoroughly and ensure they work as expected in your web application.