OWASP ASVS 5.0 requirements database for security audits. Provides chapter structure, control objectives, and verification requirements for all 17 ASVS domains.
Structured access to OWASP Application Security Verification Standard (ASVS) 5.0 requirements for security auditing.
| Level | Name | Applicability | Depth |
|---|---|---|---|
| L1 | Opportunistic | All applications | Minimum baseline |
| L2 | Standard | Most applications | Recommended |
| L3 | Advanced | High-value/critical apps | Maximum rigor |
Mapping to Audit Modes:
| Chapter | Name | Requirements | Primary Focus |
|---|---|---|---|
| V1 | Encoding & Sanitization | 28 | Injection prevention |
| V2 | Validation & Business Logic | 15 | Input validation |
| V3 | Web Frontend Security | 32 | Browser security |
| V4 | API & Web Service | 17 | API security |
| V5 | File Handling | 14 | File security |
| V6 | Authentication | 44 | Identity verification |
| V7 | Session Management | 18 | Session security |
| V8 | Authorization | 11 | Access control |
| V9 | Self-contained Tokens | 7 | JWT security |
| V10 | OAuth & OIDC | 50 | OAuth/OIDC security |
| V11 | Cryptography | 32 | Crypto implementation |
| V12 | Secure Communications | 13 | TLS/transport |
| V13 | Configuration | 18 | Secure config |
| V14 | Data Protection | 15 | Data handling |
| V15 | Secure Coding | 20 | Code quality |
| V16 | Security Logging | 19 | Audit logging |
| V17 | WebRTC | 15 | WebRTC security |
| Total | 369 |
Ensure the application correctly encodes and decodes data to prevent injection attacks.
| ID | Level | Requirement |
|---|---|---|
| V1.2.1 | L1 | Parameterized queries for all database operations |
| V1.2.2 | L1 | No string concatenation for SQL/NoSQL commands |
| V1.2.3 | L1 | OS command injection prevention |
| V1.3.1 | L1 | HTML output encoding |
| V1.5.1 | L1 | No unsafe deserialization (use JSON) |
"SELECT * FROM " + tableEnsure input validation enforces business expectations and prevents logic bypass.
| ID | Level | Requirement |
|---|---|---|
| V2.2.1 | L1 | Server-side validation for all inputs |
| V2.2.2 | L1 | Allowlist validation preferred |
| V2.3.1 | L1 | Sequential step enforcement |
| V2.4.1 | L2 | Rate limiting on sensitive ops |
if (form.valid) without server checkProtect browsers against common web attacks through proper headers and configurations.
| ID | Level | Requirement |
|---|---|---|
| V3.3.1 | L1 | Cookies: Secure, HttpOnly, SameSite |
| V3.4.1 | L1 | Content-Security-Policy header |
| V3.4.2 | L1 | X-Content-Type-Options: nosniff |
| V3.4.3 | L1 | Strict-Transport-Security (HSTS) |
| V3.6.1 | L2 | Subresource integrity for CDN scripts |
Ensure API endpoints are secure against common attack patterns.
| ID | Level | Requirement |
|---|---|---|
| V4.1.1 | L1 | Content-Type header validation |
| V4.2.1 | L2 | HTTP request smuggling prevention |
| V4.3.1 | L2 | GraphQL query depth limiting |
| V4.3.2 | L2 | GraphQL introspection disabled in prod |
| V4.4.1 | L2 | WebSocket authentication |
introspectionQuery enabledHandle files securely throughout upload, storage, and download lifecycle.
| ID | Level | Requirement |
|---|---|---|
| V5.2.1 | L1 | File extension validation |
| V5.2.2 | L1 | Content-type validation |
| V5.2.3 | L1 | Upload size limits |
| V5.3.1 | L1 | Uploads cannot run as code |
| V5.4.1 | L1 | Path traversal prevention |
../ in filenames not sanitizedEnsure robust authentication mechanisms protect user accounts.
| ID | Level | Requirement |
|---|---|---|
| V6.2.1 | L1 | Minimum 8 character passwords |
| V6.2.2 | L1 | 64+ character max allowed |
| V6.2.3 | L1 | Password breach checking |
| V6.2.4 | L1 | Secure hashing (bcrypt/argon2) |
| V6.3.1 | L1 | Account lockout after failures |
| V6.5.1 | L2 | MFA for sensitive operations |
Ensure session tokens are generated, managed, and invalidated securely.
| ID | Level | Requirement |
|---|---|---|
| V7.2.1 | L1 | Cryptographically random session IDs |
| V7.2.2 | L1 | 128+ bit entropy |
| V7.3.1 | L1 | Session invalidation on logout |
| V7.3.2 | L2 | Absolute session timeout |
| V7.4.1 | L1 | Cookie security attributes |
Ensure access control is enforced at all levels of the application.
| ID | Level | Requirement |
|---|---|---|
| V8.2.1 | L1 | Enforce access control on every request |
| V8.2.2 | L1 | IDOR prevention |
| V8.2.3 | L1 | Principle of least privilege |
| V8.3.1 | L1 | Directory listing disabled |
| V8.3.2 | L1 | Sensitive files not accessible |
Ensure JWT and similar tokens are implemented securely.
| ID | Level | Requirement |
|---|---|---|
| V9.2.1 | L1 | Strong algorithm (RS256/ES256) |
| V9.2.2 | L1 | No "none" algorithm |
| V9.3.1 | L1 | Signature verification |
| V9.3.2 | L1 | Expiration (exp) validation |
| V9.3.3 | L2 | Issuer (iss) validation |
alg: "none" acceptedexp claimEnsure OAuth 2.0 and OpenID Connect implementations follow security best practices.
| ID | Level | Requirement |
|---|---|---|
| V10.2.1 | L1 | PKCE for public clients |
| V10.2.2 | L1 | State parameter validation |
| V10.2.3 | L1 | No credentials in URLs |
| V10.3.1 | L1 | Redirect URI validation |
| V10.5.1 | L2 | ID token validation |
Ensure cryptographic implementations use secure algorithms and configurations.
| ID | Level | Requirement |
|---|---|---|
| V11.2.1 | L1 | Keys not in source code |
| V11.3.1 | L1 | CSPRNG for security-sensitive values |
| V11.4.1 | L2 | AES-GCM or ChaCha20-Poly1305 |
| V11.5.1 | L1 | SHA-256+ for hashing |
| V11.5.2 | L2 | No MD5/SHA1 |
secretKey = "..." in codeMath.random() for tokensEnsure all communications use secure transport layer protocols.
| ID | Level | Requirement |
|---|---|---|
| V12.2.1 | L1 | TLS 1.2+ only |
| V12.2.2 | L1 | Strong cipher suites |
| V12.2.3 | L2 | Certificate pinning for mobile |
| V12.3.1 | L1 | Certificate validation enabled |
| V12.3.2 | L1 | No self-signed certs in prod |
verify=False, NODE_TLS_REJECT_UNAUTHORIZED=0Ensure secure default configurations and proper secrets management.
| ID | Level | Requirement |
|---|---|---|
| V13.2.1 | L1 | Debug disabled in production |
| V13.2.2 | L1 | Error details not exposed |
| V13.3.1 | L1 | Secrets not in version control |
| V13.3.2 | L1 | Secrets not in environment vars (prefer vault) |
| V13.4.1 | L2 | Dependency vulnerability scanning |
DEBUG=True in productionEnsure sensitive data is identified, classified, and protected appropriately.
| ID | Level | Requirement |
|---|---|---|
| V14.2.1 | L1 | Sensitive data identified |
| V14.3.1 | L2 | PII encrypted at rest |
| V14.3.2 | L2 | Database encryption |
| V14.4.1 | L1 | Sensitive data over TLS only |
Ensure code follows secure development practices.
| ID | Level | Requirement |
|---|---|---|
| V15.2.1 | L1 | Buffer overflow prevention |
| V15.3.1 | L1 | No unreachable code |
| V15.3.2 | L2 | Static analysis in CI |
| V15.4.1 | L1 | Known vulnerable deps addressed |
Ensure security events are logged with appropriate detail for incident response.
| ID | Level | Requirement |
|---|---|---|
| V16.2.1 | L1 | Authentication events logged |
| V16.2.2 | L1 | Authorization failures logged |
| V16.3.1 | L2 | No sensitive data in logs |
| V16.3.2 | L2 | Log injection prevention |
| V16.4.1 | L1 | Generic error messages to users |
Ensure WebRTC implementations are secure.
| ID | Level | Requirement |
|---|---|---|
| V17.2.1 | L2 | DTLS-SRTP encryption |
| V17.2.2 | L2 | ICE candidate restrictions |
| V17.2.3 | L2 | Signaling channel authentication |
| V17.2.4 | L2 | TURN server authentication |
Use this to select relevant chapters based on project features:
| Project Feature | Primary Chapters | Secondary Chapters |
|---|---|---|
| authentication | V6 | V7, V11 |
| oauth | V10 | V6, V9 |
| file-upload | V5 | V1, V14 |
| api | V4 | V1, V2, V8 |
| graphql | V4 | V8 |
| database | V1, V2 | V14 |
| websockets | V4, V12 | V6 |
| payments | V12, V11 | V6, V14 |
| frontend | V3 | V1 |
| logging | V16 | V14 |
~/projects/claude-secure-coding-rules/Skill: project-context - Detect project features for chapter selectionSkill: vulnerability-patterns - Language-specific vulnerability patternsSkill: remediation-library - Fix patterns for findings