RestingOwl owl logo RestingOwl

OWASP ASVS 5.0 Explorer

Learn the whole Application Security Verification Standard in plain English. See what each chapter checks, why it matters, and how to meet it.

Quick answer: The OWASP ASVS (Application Security Verification Standard) is an open list of security requirements for web apps and APIs. Version 5.0 has 17 chapters and 345 requirements, grouped into three levels. This explorer turns every chapter into plain English: what it checks, why it matters, and how to meet it.

The three ASVS levels

L1Basic

The minimum protection every application should have. These controls stop common, opportunistic attacks and can mostly be checked from the outside.

L2Standard

The recommended default for most applications, especially any that handle personal or business data. This is where most teams should aim.

L3Advanced

The highest assurance, for critical systems such as finance, health, and safety, where a breach causes serious harm.

Show level:
0 of 0 checks reviewed
๐Ÿงน V1 Encoding and Sanitization 30 reqs

Stops injection by encoding output and cleaning untrusted input before it is used.

Why it matters

Most injection attacks, including cross site scripting and SQL injection, happen when untrusted data is treated as code. This chapter makes sure data stays data.

What it checks
  • Encode output for the right context, so user input is shown as text and never runs as code.
  • Use parameterized queries so input cannot change the meaning of a database query.
  • Sanitize or reject unsafe input, and handle deserialization of untrusted data with care.
Sections (30 requirements: L1 8, L2 19, L3 3)
Injection PreventionSanitizationSafe Deserialization
Quick self check
Read chapter V1 in the official OWASP ASVS →
โœ”๏ธ V2 Validation and Business Logic 13 reqs

Checks that input is valid and that business rules cannot be abused or automated.

Why it matters

Attackers break workflows by sending unexpected values or by repeating actions at machine speed. Validation and anti automation controls keep your logic safe.

What it checks
  • Validate input against a strict schema of what you expect, on the server.
  • Enforce business rules in order, so steps cannot be skipped or replayed.
  • Add anti automation limits so bots cannot abuse sensitive actions.
Sections (13 requirements: L1 4, L2 7, L3 2)
Input ValidationBusiness Logic SecurityAnti-automation
Quick self check
Read chapter V2 in the official OWASP ASVS →
๐Ÿ–ฅ๏ธ V3 Web Frontend Security 31 reqs

Protects the browser side of your app with secure cookies, headers, and a strong Content Security Policy.

Why it matters

The browser runs your code next to untrusted content. Cookie flags, security headers, and origin rules decide how much damage a frontend flaw can cause.

What it checks
  • Set a Content Security Policy to limit which scripts can run.
  • Set HttpOnly, Secure, and SameSite on session cookies.
  • Send browser security headers and keep origins separated.
Sections (31 requirements: L1 8, L2 11, L3 12)
Cookie SetupBrowser Security HeadersBrowser Origin Separation
Quick self check
Read chapter V3 in the official OWASP ASVS →
๐Ÿ”Œ V4 API and Web Service 16 reqs

Secures REST, GraphQL, and WebSocket APIs against abuse and malformed requests.

Why it matters

APIs are a direct path to your data. They need authentication, input checks, and limits just like any page, plus protection for their specific protocols.

What it checks
  • Authenticate and authorize every API call, and never trust the client.
  • Validate the structure of each request and reject malformed messages.
  • Apply rate limits and add specific rules for GraphQL and WebSocket.
Sections (16 requirements: L1 2, L2 8, L3 6)
Generic Web Service SecurityHTTP Message ValidationGraphQLWebSocket
Quick self check
Read chapter V4 in the official OWASP ASVS →
๐Ÿ“ V5 File Handling 13 reqs

Handles uploads, storage, and downloads so files cannot be used to attack your app.

Why it matters

Uploaded files can carry malware, overwrite data, or run as code. Safe handling of upload, storage, and download closes these paths.

What it checks
  • Check file type and size, and store uploads outside the web root.
  • Give stored files safe names and never run them as code.
  • Control downloads so users cannot reach files they should not.
Sections (13 requirements: L1 4, L2 5, L3 4)
File Upload and ContentFile StorageFile Download
Quick self check
Read chapter V5 in the official OWASP ASVS →
๐Ÿ” V6 Authentication 47 reqs

Proves who a user is with strong passwords, multifactor authentication, and safe recovery.

Why it matters

Authentication is the front door of your app. Weak passwords, missing multifactor, and unsafe recovery let attackers in with stolen or guessed credentials.

What it checks
  • Block breached and weak passwords, and do not limit password length or characters unfairly.
  • Offer multifactor authentication and protect the account recovery flow.
  • Rate limit and lock out repeated failed logins to stop brute force and credential stuffing.
Sections (47 requirements: L1 13, L2 22, L3 12)
Password SecurityGeneral AuthenticationMultifactor AuthenticationRecovery
Quick self check
Read chapter V6 in the official OWASP ASVS →
๐Ÿชช V7 Session Management 19 reqs

Keeps a user logged in safely with strong session ids, timeouts, and clean logout.

Why it matters

A session id is a temporary key to an account. If it is weak, never expires, or is not destroyed on logout, attackers can take over sessions.

What it checks
  • Generate long random session ids and regenerate them on login.
  • Set idle and absolute timeouts, and end the session on the server at logout.
  • Defend against session abuse such as fixation and reuse.
Sections (19 requirements: L1 6, L2 12, L3 1)
Fundamental Session SecuritySession TimeoutSession TerminationSession Abuse Defenses
Quick self check
Read chapter V7 in the official OWASP ASVS →
๐Ÿšฆ V8 Authorization 13 reqs

Makes sure users can only do and see what they are allowed to.

Why it matters

Authentication proves who you are. Authorization decides what you may do. Missing checks lead to broken access control, the top risk in the OWASP Top 10.

What it checks
  • Check permissions on the server for every action, not only in the interface.
  • Follow least privilege, so each user and service gets the minimum access it needs.
  • Enforce authorization at the operation and data level, not just the page.
Sections (13 requirements: L1 4, L2 3, L3 6)
General Authorization DesignOperation Level AuthorizationData Level Authorization
Quick self check
Read chapter V8 in the official OWASP ASVS →
๐ŸŽซ V9 Self-contained Tokens 7 reqs

Secures tokens such as JWTs so they cannot be forged or misused.

Why it matters

Self contained tokens carry their own trust. If they are signed weakly, never checked, or hold secrets, attackers can forge access or read sensitive data.

What it checks
  • Verify the signature and reject the none algorithm and any unexpected algorithm.
  • Check issuer, audience, expiry, and purpose on every token.
  • Never store secrets in a token payload, since it is only encoded, not encrypted.
Sections (7 requirements: L1 4, L2 3, L3 0)
Token Source and IntegrityToken Content
Quick self check
Read chapter V9 in the official OWASP ASVS →
๐Ÿค V10 OAuth and OIDC 36 reqs

Secures delegated login and access with OAuth 2.0 and OpenID Connect.

Why it matters

OAuth and OpenID Connect power social login and third party access. Small mistakes in flows, redirects, or token handling can expose whole accounts.

What it checks
  • Use the authorization code flow with PKCE and validate redirect uris strictly.
  • Validate tokens and the state parameter to stop forgery and mix up attacks.
  • Manage consent and scopes carefully on both client and server.
Sections (36 requirements: L1 5, L2 24, L3 7)
OAuth ClientOAuth Resource ServerAuthorization ServerOIDCConsent Management
Quick self check
Read chapter V10 in the official OWASP ASVS →
๐Ÿ”‘ V11 Cryptography 24 reqs

Uses strong, current cryptography for hashing, encryption, and random values.

Why it matters

Weak or misused cryptography exposes passwords and data. This chapter covers safe algorithms, correct password hashing, and secure random values.

What it checks
  • Hash passwords with bcrypt, scrypt, or Argon2, never with plain SHA or MD5.
  • Use strong, current encryption algorithms and manage keys safely.
  • Generate random values with a cryptographically secure source.
Sections (24 requirements: L1 3, L2 11, L3 10)
Encryption AlgorithmsHashingRandom ValuesPublic Key Cryptography
Quick self check
Read chapter V11 in the official OWASP ASVS →
๐Ÿ”’ V12 Secure Communication 12 reqs

Encrypts data in transit with correct TLS everywhere.

Why it matters

Without strong TLS, attackers can read or change traffic. This chapter covers HTTPS for public services and encryption for internal service calls.

What it checks
  • Serve all traffic over HTTPS and enable HSTS.
  • Use current TLS versions and strong settings, and disable old ones.
  • Encrypt service to service traffic inside your network too.
Sections (12 requirements: L1 3, L2 6, L3 3)
General TLS GuidanceHTTPS for External ServicesService to Service Security
Quick self check
Read chapter V12 in the official OWASP ASVS →
โš™๏ธ V13 Configuration 21 reqs

Keeps secrets, dependencies, and defaults safe in every environment.

Why it matters

Insecure defaults, leaked secrets, and noisy errors give attackers easy wins. Good configuration removes them before release.

What it checks
  • Store secrets in a secret manager, never in code or version control.
  • Remove default accounts, debug modes, and verbose errors in production.
  • Keep dependencies current and configure backend communication safely.
Sections (21 requirements: L1 1, L2 12, L3 8)
Backend CommunicationSecret ManagementUnintended Information Leakage
Quick self check
Read chapter V13 in the official OWASP ASVS →
๐Ÿ›ก๏ธ V14 Data Protection 13 reqs

Protects sensitive data at rest, in the client, and through its full life.

Why it matters

Sensitive data needs care wherever it lives. This chapter limits caching, controls client storage, and reduces how much data you keep.

What it checks
  • Classify sensitive data and limit how long you keep it.
  • Control client side storage and caching of sensitive values.
  • Apply protection based on how sensitive each field is.
Sections (13 requirements: L1 2, L2 7, L3 4)
General Data ProtectionClient-side Data Protection
Quick self check
Read chapter V14 in the official OWASP ASVS →
๐Ÿ›๏ธ V15 Secure Coding and Architecture 21 reqs

Builds security into design, dependencies, and safe coding practices.

Why it matters

Many flaws come from design choices and unsafe code patterns. Threat modeling, safe dependencies, and defensive coding prevent them early.

What it checks
  • Threat model your design to find risks before you build.
  • Track dependencies and remove unsafe or unused ones.
  • Write defensive code and handle concurrency safely.
Sections (21 requirements: L1 3, L2 10, L3 8)
Security Architecture and DependenciesDefensive CodingSafe Concurrency
Quick self check
Read chapter V15 in the official OWASP ASVS →
๐Ÿ“‹ V16 Security Logging and Error Handling 17 reqs

Records security events safely and fails without leaking details.

Why it matters

Without good logs you cannot detect or investigate attacks. Poor error handling can leak secrets. This chapter balances both.

What it checks
  • Log security events such as logins, failures, and access changes.
  • Protect logs from tampering and never log secrets or sensitive data.
  • Return generic errors to users and keep the detail in server logs.
Sections (17 requirements: L1 0, L2 16, L3 1)
General LoggingSecurity EventsLog ProtectionError Handling
Quick self check
Read chapter V16 in the official OWASP ASVS →
๐Ÿ“น V17 WebRTC 12 reqs

Secures real time audio, video, and data channels in the browser.

Why it matters

WebRTC powers calls and live data in the browser. Its TURN servers, media, and signaling each need protection against abuse and interception.

What it checks
  • Secure and authenticate TURN servers to stop relay abuse.
  • Encrypt media and protect the signaling channel.
  • Validate signaling messages to prevent hijacking.
Sections (12 requirements: L1 0, L2 7, L3 5)
TURN ServerMediaSignaling
Quick self check
Read chapter V17 in the official OWASP ASVS →

Based on the OWASP Application Security Verification Standard 5.0, licensed under CC BY SA. This explorer is a plain English learning aid, not the official standard.

ASVS FAQ

The OWASP Application Security Verification Standard (ASVS) is an open list of security requirements for web applications and APIs. It gives teams a shared, testable definition of what a secure application looks like. Version 5.0 has 17 chapters and 345 requirements.
Level 1 is basic protection every app should have and can mostly be checked from the outside. Level 2 is the recommended standard for most apps that handle personal or business data. Level 3 is the highest assurance, for critical systems such as finance, health, and safety.
ASVS 5.0 has 17 chapters, covering encoding, validation, web frontend security, APIs, file handling, authentication, session management, authorization, tokens, OAuth and OIDC, cryptography, secure communication, configuration, data protection, secure coding, logging, and WebRTC.
No. This explorer is a plain English guide to the ASVS structure, built by RestingOwl to make the standard easier to learn. It explains what each chapter verifies, why it matters, and how to meet it. Always read the official OWASP ASVS for the exact, testable requirements.
Start with Level 1 across the chapters that match your app, then aim for Level 2 as your standard. For most teams, authentication, session management, authorization, and encoding are the highest value chapters to review first.
Copied!