From 705ecc10c93a58ba8d11a16388e54a1d5d6b7abd Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Thu, 9 May 2024 13:48:15 +0300 Subject: [PATCH] Add a recommendation on the HSTS preload list to resolve #1941 (#1952) * Add a recommendation on the HSTS preload list to resolve #1941 * Clarify wording --- 5.0/en/0x99-Appendix-X_Recommendations.md | 1 + 1 file changed, 1 insertion(+) diff --git a/5.0/en/0x99-Appendix-X_Recommendations.md b/5.0/en/0x99-Appendix-X_Recommendations.md index b5fcc81ad8..f62b2757c1 100644 --- a/5.0/en/0x99-Appendix-X_Recommendations.md +++ b/5.0/en/0x99-Appendix-X_Recommendations.md @@ -14,6 +14,7 @@ The following items are in-scope for ASVS. We don't think they should be made ma * Create a publicly available security.txt file at the root or .well-known directory of the application that clearly defines a link or e-mail address for people to contact owners about security issues. * Client-side input validation should be enforced in addition to validation at a trusted service layer as this provides a good opportunity to discover when someone has bypassed client-side controls in an attempt to attack the application. * Prevent accidentally accessible and sensitive pages from appearing in search engines using a robots.txt file, the X-Robots-Tag response header or a robots html meta tag. +* Use the HSTS preload list so that the use of TLS for the application will be built into the main browsers rather than only relying on the relevant HTTP response header. ## Software Security processes
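Review bot: the new bullet at the end of the hunk presents preloading as a strict improvement over the header, but it omits the precondition that matters for this list of non-mandatory recommendations: preload submission requires a `Strict-Transport-Security` header with `includeSubDomains`, `preload` and a `max-age` of at least one year, the entry applies to every subdomain of the registrable domain, and removal only propagates with browser releases, so any subdomain that cannot serve HTTPS becomes unreachable. Suggest naming the header and the caveat, e.g. `* Use the HSTS preload list (https://hstspreload.org) so that TLS is enforced by major browsers before the first request, rather than relying only on the Strict-Transport-Security response header; note that preloading covers all subdomains and is hard to reverse.`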