wind-explorer/AceJobAgency
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

prep

Browse Source
This commit is contained in:
Adam C
2025-02-07 11:21:13 +08:00
parent d6f607590b
commit f296cd0108
3 changed files with 108 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.gitignore vendored
View File

@@ -38,6 +38,8 @@ bld/
# Uncomment if you have tasks that create the project's static files in wwwroot # Uncomment if you have tasks that create the project's static files in wwwroot
#wwwroot/ #wwwroot/
.idea/
# Visual Studio 2017 auto generated files # Visual Studio 2017 auto generated files
Generated\ Files/ Generated\ Files/
@@ -360,4 +362,6 @@ MigrationBackup/
.ionide/ .ionide/
# Fody - auto-generated XML schema # Fody - auto-generated XML schema
FodyWeavers.xsd FodyWeavers.xsd
appsettings.Developmment.json

16
AceJobAgency/appsettings.Development.json
View File

@@ -1,16 +0,0 @@
{
"ConnectionStrings": {
"DefaultConnection": "server=mommy;port=3306;database=ACE_JOB_AGENCY;user=mommy;password=mysql"
},
"Authentication": {
"Secret": "b8bc713a-d8d1-4d37-911e-1bb934d70ba5",
"TokenExpiresDays": 30
},
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
}
},
"AllowedHosts": "*"
}

104
README.md
View File

@@ -1 +1,103 @@
# AceJobAgency # Web Application Security Checklist
> EZYSoft is a software developer company helping companies to transform their traditional business model to online presence. Several companies have engaged EZYSoft service to help develop a secure website based on their initial requirements.
>
> The various companies are organized by module-groups and have different project requirements. You are to develop the initial website features based on module-group. Below are there the application requirements for Registration and Authentication. For registration, it is preferred the users email address is being used for the authentication.
>
> You are tasked to create a **.Net Core Web Application** from scratch by implementing the recommended security features highlighted in the table shown below.
>
> For Registration and displaying info on your homepage, please taker reference from the table below.
**Company Name:** Ace Job Agency (Membership Service)
Membership Registration Form should consist of the following input fields:
- First Name
- Last Name
- Gender
- NRIC (Must be encrypted)
- Email address (Must be unique)
- Password
- Confirm Password
- Date of Birth
- Resume
- Who Am I (allow all special chars)
## Registration and User Data Management
- [ ] Implement successful saving of member info into the database
- [ ] Check for duplicate email addresses and handle appropriately
- [ ] Implement strong password requirements:
- [ ] Minimum 12 characters
- [ ] Combination of lowercase, uppercase, numbers, and special characters
- [ ] Provide feedback on password strength
- [ ] Implement both client-side and server-side password checks
- [ ] Encrypt sensitive user data in the database (e.g., NRIC, credit card numbers)
- [ ] Implement proper password hashing and storage
- [ ] Implement file upload restrictions (e.g., .docx, .pdf, or .jpg only)
## Session Management
- [ ] Create a secure session upon successful login
- [ ] Implement session timeout
- [ ] Route to homepage/login page after session timeout
- [ ] Detect and handle multiple logins from different devices/browser tabs
## Login/Logout Security
- [ ] Implement proper login functionality
- [ ] Implement rate limiting (e.g., account lockout after 3 failed login attempts)
- [ ] Perform proper and safe logout (clear session and redirect to login page)
- [ ] Implement audit logging (save user activities in the database)
- [ ] Redirect to homepage after successful login, displaying user info
## Anti-Bot Protection
- [ ] Implement Google reCAPTCHA v3 service
## Input Validation and Sanitization
- [ ] Prevent injection attacks (e.g., SQL injection)
- [ ] Implement Cross-Site Request Forgery (CSRF) protection
- [ ] Prevent Cross-Site Scripting (XSS) attacks
- [ ] Perform proper input sanitization, validation, and verification for all user inputs
- [ ] Implement both client-side and server-side input validation
- [ ] Display error or warning messages for improper input
- [ ] Perform proper encoding before saving data into the database
## Error Handling
- [ ] Implement graceful error handling on all pages
- [ ] Create and display custom error pages (e.g., 404, 403)
## Software Testing and Security Analysis
- [ ] Perform source code analysis using external tools (e.g., GitHub)
- [ ] Address security vulnerabilities identified in the source code
## Advanced Security Features
- [ ] Implement automatic account recovery after lockout period
- [ ] Enforce password history (avoid password reuse, max 2 password history)
- [ ] Implement change password functionality
- [ ] Implement reset password functionality (using email link or SMS)
- [ ] Enforce minimum and maximum password age policies
- [ ] Implement Two-Factor Authentication (2FA)
## General Security Best Practices
- [ ] Use HTTPS for all communications
- [ ] Implement proper access controls and authorization
- [ ] Keep all software and dependencies up to date
- [ ] Follow secure coding practices
- [ ] Regularly backup and securely store user data
- [ ] Implement logging and monitoring for security events
## Documentation and Reporting
- [ ] Prepare a report on implemented security features
- [ ] Complete and submit the security checklist
Remember to test each security feature thoroughly and ensure they work as expected in your web application.