Chapter 8 Quality attributes and sizing of the dXp

Security Requirements

Security details are covered in Chapters 6 and 7. The following is a look at the prominent security requirements:

• Ensure that all private web resources are properly protected.
• The system should enforce strong password policies, including password strength rules, password change frequency, account lockout policies, and the like.
• Account-related operations such as profile updates, password changes, and registration should require strong authentication (for example reauthentication, multifactor authentication, step-up authentication, or adaptive authentication).
• Default admin passwords should not be used at any layer.
• Forgot-password functionality should send a time-sensitive password reset link instead of sending the password in plain text.
• The session should be invalidated after an explicit logout or after a specified period of inactivity. Session IDs should be sufficiently random, and the application should not permit multiple simultaneous sessions for the same account.
• Authenticated sessions should use HttpOnly cookies (cookies that cannot be accessed by client-side scripts), the cookies should carry the Secure attribute, and responses should include a Strict-Transport-Security header that instructs browsers to access the resources only over HTTPS.
• All direct object references that expose a handle to internal objects or data blocks should be protected. Authenticated users should only be able to access the data and objects they are authorized for.
• File names or folder names obtained from untrusted sources should be canonicalized (resolved to a normalized, absolute file or folder path) before they are used.
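The following is an added example, not code from the book or from any dXp product, showing how several of the requirements above look in a small, dependency-free Python module: a signed, time-limited password reset token; a session store that uses CSPRNG session IDs, drops an older session when the same account logs in again, and expires idle sessions; the Set-Cookie and Strict-Transport-Security headers the list calls for; and canonicalization of an untrusted file name against a base folder. All function and constant names (issue_reset_token, SessionStore, resolve_user_path, and so on), the timeouts, and the sample values are assumptions made for the example.

```python
import hmac
import hashlib
import secrets
import time
from pathlib import Path
from typing import Optional, Tuple

# --- Forgot password: time-sensitive reset link instead of a plaintext password ---
# Token layout: nonce.expiry.HMAC-SHA256(nonce.expiry.user). The MAC stops forgery,
# the embedded expiry bounds the lifetime. A real deployment would also persist
# and consume the nonce so a link can be used only once. (Names are hypothetical.)
RESET_TTL = 15 * 60                     # seconds a reset link stays valid
_RESET_KEY = secrets.token_bytes(32)    # assumed to be loaded from server config

def issue_reset_token(user: str, now: float) -> str:
    nonce = secrets.token_urlsafe(16)
    expires = int(now) + RESET_TTL
    msg = f"{nonce}.{expires}.{user}".encode()
    sig = hmac.new(_RESET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{nonce}.{expires}.{sig}"

def verify_reset_token(user: str, token: str, now: float) -> bool:
    try:
        nonce, expires, sig = token.split(".")
        expires_at = int(expires)
    except ValueError:
        return False                    # malformed token
    msg = f"{nonce}.{expires}.{user}".encode()
    expected = hmac.new(_RESET_KEY, msg, hashlib.sha256).hexdigest()
    # constant-time MAC comparison first, then the time-sensitivity check
    return hmac.compare_digest(expected, sig) and now < expires_at

# --- Sessions: random IDs, single session per account, inactivity timeout ---
SESSION_IDLE_TIMEOUT = 20 * 60          # seconds of inactivity before invalidation
HSTS_HEADER = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

def new_session_id() -> str:
    # 32 bytes from the OS CSPRNG, never a counter or a hash of the user name
    return secrets.token_urlsafe(32)

def session_cookie_header(session_id: str) -> Tuple[str, str]:
    # HttpOnly keeps client-side scripts away from the cookie, Secure restricts
    # it to HTTPS, SameSite limits cross-site submission of the cookie.
    return ("Set-Cookie",
            f"SESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Strict")

class SessionStore:
    def __init__(self) -> None:
        self._sessions = {}             # session_id -> (user, last_seen)

    def login(self, user: str, now: float) -> str:
        # one session per account: invalidate any existing session of this user
        for sid, (owner, _) in list(self._sessions.items()):
            if owner == user:
                del self._sessions[sid]
        sid = new_session_id()
        self._sessions[sid] = (user, now)
        return sid

    def user_for(self, sid: str, now: float) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, last_seen = entry
        if now - last_seen > SESSION_IDLE_TIMEOUT:
            del self._sessions[sid]     # idle too long: invalidate server side
            return None
        self._sessions[sid] = (user, now)
        return user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)   # explicit logout invalidates the session

# --- Canonicalize an untrusted file name before using it ---
def resolve_user_path(base_dir: str, untrusted_name: str) -> Optional[Path]:
    base = Path(base_dir).resolve()
    # resolve() collapses "..", "." and symlinks; an absolute untrusted name
    # replaces base entirely, which the containment check below rejects
    candidate = (base / untrusted_name).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        return None                     # traversal outside the base folder
    return candidate

if __name__ == "__main__":
    now = time.time()
    tok = issue_reset_token("alice", now)
    print("reset token valid:", verify_reset_token("alice", tok, now + 60))
    store = SessionStore()
    sid = store.login("alice", now)
    print(session_cookie_header(sid)[1])
    print("traversal blocked:", resolve_user_path("/srv/dxp/uploads", "../../etc/passwd") is None)
```

The reset token carries its own expiry, so verification needs no database lookup, but the nonce should still be recorded server side if a link must be single-use. The session store keeps the timeout decision on the server rather than trusting a cookie expiry, and the path check compares canonical forms, which is what defeats "../" sequences and absolute paths that a plain string prefix check would miss.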
Building Digital Experience Platforms