prep

2025-02-07 11:21:13 +08:00
parent d6f607590b
commit f296cd0108
3 changed files with 108 additions and 18 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -38,6 +38,8 @@ bld/
 # Uncomment if you have tasks that create the project's static files in wwwroot
 #wwwroot/

+.idea/
+
 # Visual Studio 2017 auto generated files
 Generated\ Files/

@@ -361,3 +363,5 @@ MigrationBackup/

 # Fody - auto-generated XML schema
 FodyWeavers.xsd
+
+appsettings.Developmment.json
--- a/AceJobAgency/appsettings.Development.json
+++ b/AceJobAgency/appsettings.Development.json
@@ -1,16 +0,0 @@
-{
-  "ConnectionStrings": {
-    "DefaultConnection": "server=mommy;port=3306;database=ACE_JOB_AGENCY;user=mommy;password=mysql"
-  },
-  "Authentication": {
-    "Secret": "b8bc713a-d8d1-4d37-911e-1bb934d70ba5",
-    "TokenExpiresDays": 30
-  },
-  "Logging": {
-    "LogLevel": {
-      "Default": "Information",
-      "Microsoft.AspNetCore": "Warning"
-    }
-  },
-  "AllowedHosts": "*"
-}
--- a/README.md
+++ b/README.md
@@ -1 +1,103 @@
-# AceJobAgency
+# Web Application Security Checklist
+
+> EZYSoft is a software developer company helping companies to transform their traditional business model to online presence. Several companies have engaged EZYSoft service to help develop a secure website based on their initial requirements.
+>
+> The various companies are organized by module-groups and have different project requirements. You are to develop the initial website features based on module-group. Below are there the application requirements for Registration and Authentication. For registration, it is preferred the user’s email address is being used for the authentication.
+>
+> You are tasked to create a **.Net Core Web Application** from scratch by implementing the recommended security features highlighted in the table shown below.
+>
+> For Registration and displaying info on your homepage, please taker reference from the table below.
+
+
+
+**Company Name:** Ace Job Agency (Membership Service)
+
+Membership Registration Form should consist of the following input fields:
+
+- First Name
+- Last Name
+- Gender
+- NRIC (Must be encrypted)
+- Email address (Must be unique)
+- Password
+- Confirm Password
+- Date of Birth
+- Resume
+- Who Am I (allow all special chars)
+
+## Registration and User Data Management
+
+- [ ] Implement successful saving of member info into the database
+- [ ] Check for duplicate email addresses and handle appropriately
+- [ ] Implement strong password requirements:
+  - [ ] Minimum 12 characters
+  - [ ] Combination of lowercase, uppercase, numbers, and special characters
+  - [ ] Provide feedback on password strength
+  - [ ] Implement both client-side and server-side password checks
+- [ ] Encrypt sensitive user data in the database (e.g., NRIC, credit card numbers)
+- [ ] Implement proper password hashing and storage
+- [ ] Implement file upload restrictions (e.g., .docx, .pdf, or .jpg only)
+
+## Session Management
+
+- [ ] Create a secure session upon successful login
+- [ ] Implement session timeout
+- [ ] Route to homepage/login page after session timeout
+- [ ] Detect and handle multiple logins from different devices/browser tabs
+
+## Login/Logout Security
+
+- [ ] Implement proper login functionality
+- [ ] Implement rate limiting (e.g., account lockout after 3 failed login attempts)
+- [ ] Perform proper and safe logout (clear session and redirect to login page)
+- [ ] Implement audit logging (save user activities in the database)
+- [ ] Redirect to homepage after successful login, displaying user info
+
+## Anti-Bot Protection
+
+- [ ] Implement Google reCAPTCHA v3 service
+
+## Input Validation and Sanitization
+
+- [ ] Prevent injection attacks (e.g., SQL injection)
+- [ ] Implement Cross-Site Request Forgery (CSRF) protection
+- [ ] Prevent Cross-Site Scripting (XSS) attacks
+- [ ] Perform proper input sanitization, validation, and verification for all user inputs
+- [ ] Implement both client-side and server-side input validation
+- [ ] Display error or warning messages for improper input
+- [ ] Perform proper encoding before saving data into the database
+
+## Error Handling
+
+- [ ] Implement graceful error handling on all pages
+- [ ] Create and display custom error pages (e.g., 404, 403)
+
+## Software Testing and Security Analysis
+
+- [ ] Perform source code analysis using external tools (e.g., GitHub)
+- [ ] Address security vulnerabilities identified in the source code
+
+## Advanced Security Features
+
+- [ ] Implement automatic account recovery after lockout period
+- [ ] Enforce password history (avoid password reuse, max 2 password history)
+- [ ] Implement change password functionality
+- [ ] Implement reset password functionality (using email link or SMS)
+- [ ] Enforce minimum and maximum password age policies
+- [ ] Implement Two-Factor Authentication (2FA)
+
+## General Security Best Practices
+
+- [ ] Use HTTPS for all communications
+- [ ] Implement proper access controls and authorization
+- [ ] Keep all software and dependencies up to date
+- [ ] Follow secure coding practices
+- [ ] Regularly backup and securely store user data
+- [ ] Implement logging and monitoring for security events
+
+## Documentation and Reporting
+
+- [ ] Prepare a report on implemented security features
+- [ ] Complete and submit the security checklist
+
+Remember to test each security feature thoroughly and ensure they work as expected in your web application.