OWASP ASVS 5.0 Explorer
Learn the whole Application Security Verification Standard in plain English. See what each chapter checks, why it matters, and how to meet it.
The three ASVS levels
The minimum protection every application should have. These controls stop common, opportunistic attacks and can mostly be checked from the outside.
The recommended default for most applications, especially any that handle personal or business data. This is where most teams should aim.
The highest assurance, for critical systems such as finance, health, and safety, where a breach causes serious harm.
๐งน V1 Encoding and Sanitization 30 reqs
Stops injection by encoding output and cleaning untrusted input before it is used.
Most injection attacks, including cross site scripting and SQL injection, happen when untrusted data is treated as code. This chapter makes sure data stays data.
- Encode output for the right context, so user input is shown as text and never runs as code.
- Use parameterized queries so input cannot change the meaning of a database query.
- Sanitize or reject unsafe input, and handle deserialization of untrusted data with care.
โ๏ธ V2 Validation and Business Logic 13 reqs
Checks that input is valid and that business rules cannot be abused or automated.
Attackers break workflows by sending unexpected values or by repeating actions at machine speed. Validation and anti automation controls keep your logic safe.
- Validate input against a strict schema of what you expect, on the server.
- Enforce business rules in order, so steps cannot be skipped or replayed.
- Add anti automation limits so bots cannot abuse sensitive actions.
๐ฅ๏ธ V3 Web Frontend Security 31 reqs
Protects the browser side of your app with secure cookies, headers, and a strong Content Security Policy.
The browser runs your code next to untrusted content. Cookie flags, security headers, and origin rules decide how much damage a frontend flaw can cause.
- Set a Content Security Policy to limit which scripts can run.
- Set HttpOnly, Secure, and SameSite on session cookies.
- Send browser security headers and keep origins separated.
๐ V4 API and Web Service 16 reqs
Secures REST, GraphQL, and WebSocket APIs against abuse and malformed requests.
APIs are a direct path to your data. They need authentication, input checks, and limits just like any page, plus protection for their specific protocols.
- Authenticate and authorize every API call, and never trust the client.
- Validate the structure of each request and reject malformed messages.
- Apply rate limits and add specific rules for GraphQL and WebSocket.
๐ V5 File Handling 13 reqs
Handles uploads, storage, and downloads so files cannot be used to attack your app.
Uploaded files can carry malware, overwrite data, or run as code. Safe handling of upload, storage, and download closes these paths.
- Check file type and size, and store uploads outside the web root.
- Give stored files safe names and never run them as code.
- Control downloads so users cannot reach files they should not.
๐ V6 Authentication 47 reqs
Proves who a user is with strong passwords, multifactor authentication, and safe recovery.
Authentication is the front door of your app. Weak passwords, missing multifactor, and unsafe recovery let attackers in with stolen or guessed credentials.
- Block breached and weak passwords, and do not limit password length or characters unfairly.
- Offer multifactor authentication and protect the account recovery flow.
- Rate limit and lock out repeated failed logins to stop brute force and credential stuffing.
๐ชช V7 Session Management 19 reqs
Keeps a user logged in safely with strong session ids, timeouts, and clean logout.
A session id is a temporary key to an account. If it is weak, never expires, or is not destroyed on logout, attackers can take over sessions.
- Generate long random session ids and regenerate them on login.
- Set idle and absolute timeouts, and end the session on the server at logout.
- Defend against session abuse such as fixation and reuse.
๐ฆ V8 Authorization 13 reqs
Makes sure users can only do and see what they are allowed to.
Authentication proves who you are. Authorization decides what you may do. Missing checks lead to broken access control, the top risk in the OWASP Top 10.
- Check permissions on the server for every action, not only in the interface.
- Follow least privilege, so each user and service gets the minimum access it needs.
- Enforce authorization at the operation and data level, not just the page.
๐ซ V9 Self-contained Tokens 7 reqs
Secures tokens such as JWTs so they cannot be forged or misused.
Self contained tokens carry their own trust. If they are signed weakly, never checked, or hold secrets, attackers can forge access or read sensitive data.
- Verify the signature and reject the none algorithm and any unexpected algorithm.
- Check issuer, audience, expiry, and purpose on every token.
- Never store secrets in a token payload, since it is only encoded, not encrypted.
๐ค V10 OAuth and OIDC 36 reqs
Secures delegated login and access with OAuth 2.0 and OpenID Connect.
OAuth and OpenID Connect power social login and third party access. Small mistakes in flows, redirects, or token handling can expose whole accounts.
- Use the authorization code flow with PKCE and validate redirect uris strictly.
- Validate tokens and the state parameter to stop forgery and mix up attacks.
- Manage consent and scopes carefully on both client and server.
๐ V11 Cryptography 24 reqs
Uses strong, current cryptography for hashing, encryption, and random values.
Weak or misused cryptography exposes passwords and data. This chapter covers safe algorithms, correct password hashing, and secure random values.
- Hash passwords with bcrypt, scrypt, or Argon2, never with plain SHA or MD5.
- Use strong, current encryption algorithms and manage keys safely.
- Generate random values with a cryptographically secure source.
๐ V12 Secure Communication 12 reqs
Encrypts data in transit with correct TLS everywhere.
Without strong TLS, attackers can read or change traffic. This chapter covers HTTPS for public services and encryption for internal service calls.
- Serve all traffic over HTTPS and enable HSTS.
- Use current TLS versions and strong settings, and disable old ones.
- Encrypt service to service traffic inside your network too.
โ๏ธ V13 Configuration 21 reqs
Keeps secrets, dependencies, and defaults safe in every environment.
Insecure defaults, leaked secrets, and noisy errors give attackers easy wins. Good configuration removes them before release.
- Store secrets in a secret manager, never in code or version control.
- Remove default accounts, debug modes, and verbose errors in production.
- Keep dependencies current and configure backend communication safely.
๐ก๏ธ V14 Data Protection 13 reqs
Protects sensitive data at rest, in the client, and through its full life.
Sensitive data needs care wherever it lives. This chapter limits caching, controls client storage, and reduces how much data you keep.
- Classify sensitive data and limit how long you keep it.
- Control client side storage and caching of sensitive values.
- Apply protection based on how sensitive each field is.
๐๏ธ V15 Secure Coding and Architecture 21 reqs
Builds security into design, dependencies, and safe coding practices.
Many flaws come from design choices and unsafe code patterns. Threat modeling, safe dependencies, and defensive coding prevent them early.
- Threat model your design to find risks before you build.
- Track dependencies and remove unsafe or unused ones.
- Write defensive code and handle concurrency safely.
๐ V16 Security Logging and Error Handling 17 reqs
Records security events safely and fails without leaking details.
Without good logs you cannot detect or investigate attacks. Poor error handling can leak secrets. This chapter balances both.
- Log security events such as logins, failures, and access changes.
- Protect logs from tampering and never log secrets or sensitive data.
- Return generic errors to users and keep the detail in server logs.
๐น V17 WebRTC 12 reqs
Secures real time audio, video, and data channels in the browser.
WebRTC powers calls and live data in the browser. Its TURN servers, media, and signaling each need protection against abuse and interception.
- Secure and authenticate TURN servers to stop relay abuse.
- Encrypt media and protect the signaling channel.
- Validate signaling messages to prevent hijacking.
Based on the OWASP Application Security Verification Standard 5.0, licensed under CC BY SA. This explorer is a plain English learning aid, not the official standard.