# OWASP ASVS 5.0.0 Audit Checklist
# Aligned to official ASVS 5.0.0 chapters V1-V17
name: OWASP ASVS 5.0.0 Audit Checklist
version: "5.0.0"
categories:
  - id: V1
    name: Encoding and Sanitization
    checks:
      - Output encoding is context-aware (HTML/JS/CSS/URL/header contexts)
      - Canonicalization and sanitization are applied consistently before use
      - Untrusted data is never rendered in executable contexts without protection
  - id: V2
    name: Validation and Business Logic
    checks:
      - All trust-boundary inputs are validated for type, length, range, and format
      - Business-rule abuse cases are tested (limits, sequencing, replay, fraud flows)
      - Invalid or unexpected input is rejected with safe error behavior
  - id: V3
    name: Web Frontend Security
    checks:
      - Browser-side controls are configured (CSP, framing, MIME sniffing protection)
      - Client-side storage avoids sensitive data or protects it appropriately
      - Frontend routes and state-changing actions enforce anti-abuse controls
  - id: V4
    name: API and Web Service
    checks:
      - API endpoints enforce authentication and authorization server-side
      - Request payloads and parameters are schema-validated
      - API responses avoid leaking internal implementation details
  - id: V5
    name: File Handling
    checks:
      - File upload/download is restricted by type, size, and content validation
      - File paths are canonicalized and protected against traversal
      - Uploaded files are stored outside executable/public paths by default
  - id: V6
    name: Authentication
    checks:
      - Authentication uses proven mechanisms and secure credential flows
      - Default credentials and weak authentication factors are disallowed
      - MFA is enforced where required by risk level
  - id: V7
    name: Session Management
    checks:
      - Session identifiers are unpredictable and protected in transit/storage
      - Session rotation/invalidation is enforced on auth state changes
      - Idle and absolute session timeouts are implemented
  - id: V8
    name: Authorization
    checks:
      - Authorization is evaluated on every request for every protected resource
      - Access control follows deny-by-default and least privilege
      - Object-level authorization controls prevent IDOR-style attacks
  - id: V9
    name: Self-contained Tokens
    checks:
      - Token signature, issuer, audience, and expiration are validated
      - Token scope/claims are enforced server-side before sensitive actions
      - Token revocation and rotation strategies exist for compromise scenarios
  - id: V10
    name: OAuth and OIDC
    checks:
      - OAuth/OIDC flows use secure grant types and validated redirect URIs
      - PKCE, nonce/state, and CSRF protections are enabled where applicable
      - Tokens from identity providers are validated before trust is granted
  - id: V11
    name: Cryptography
    checks:
      - Only approved, modern cryptographic algorithms and modes are used
      - Keys, secrets, and certificates are managed with lifecycle controls
      - Deprecated algorithms and insecure configurations are prohibited
  - id: V12
    name: Secure Communication
    checks:
      - TLS is enforced for external and sensitive internal communications
      - Certificate validation is enabled without insecure bypasses
      - Transport security settings prevent downgrade and weak cipher usage
  - id: V13
    name: Configuration
    checks:
      - Production runs with secure defaults and hardened configuration
      - Security headers and platform hardening settings are enforced
      - Dependency and runtime security configuration is reviewed regularly
  - id: V14
    name: Data Protection
    checks:
      - Sensitive data is classified and protected at rest and in transit
      - Data minimization and retention limits are enforced
      - Sensitive data is excluded from logs, URLs, and unnecessary replication
  - id: V15
    name: Secure Coding and Architecture
    checks:
      - Threat modeling is maintained for new features and trust boundaries
      - Secure coding practices are enforced during implementation and review
      - Architecture decisions include security tradeoff analysis
  - id: V16
    name: Security Logging and Error Handling
    checks:
      - Security-relevant events are logged with timestamp and correlation metadata
      - Errors returned to users are generic and do not leak sensitive internals
      - Logging pipelines protect integrity and confidentiality of audit data
  - id: V17
    name: WebRTC
    checks:
      - WebRTC media/signaling channels are authenticated and access-controlled
      - ICE/STUN/TURN configuration avoids unnecessary network exposure
      - WebRTC is disabled or restricted when not explicitly required