The following list summarizes the recommended controls from the OWASP Top 10 2010 document. OWASP is a non-profit foundation whose Top 10 has become the de facto baseline for web application security awareness, so the recommendations below are a good summary of accepted practice rather than a formal standard. Following these guidelines should improve the overall security posture of most web applications; treat the list as a minimum set of controls, not as a complete secure development program.

01. Prevent Injection Vulnerabilities

+ Use Parameterized APIs for Data Access
+ Use Positive Input Validation
+ Avoid Using Command Interpreters
+ Escape Special Characters, If Parameterized APIs Are Not Available
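The four controls above, shown together in an added example (not part of the OWASP document): a query that splices untrusted input into SQL text beside the parameterized form that prevents injection, positive (allow-list) validation of a username, and a child process launched with an argument vector so no command interpreter ever sees the user's input. The SQLite table, the user rows and the username format are constructed for the example.

```python
import re
import sqlite3
import subprocess
import sys


def make_db():
    """Constructed sample data: an in-memory SQLite table of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_role_vulnerable(conn, name):
    # Untrusted input is spliced into the statement text, so a quote in
    # `name` ends the literal and whatever follows is parsed as SQL.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_role_safe(conn, name):
    # Parameterized API: the value is bound after the statement is parsed,
    # so it can never change the query's structure, whatever it contains.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Assumed username format for this example: lowercase, 3 to 32 characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(name):
    """Positive validation: accept only the exact shape a username may have
    and reject everything else, instead of trying to strip bad characters."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


def echo_without_shell(user_input):
    """Run a child process with an argument vector, never a shell string.
    Shell metacharacters in user_input arrive as one literal argument."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", user_input],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print(find_role_vulnerable(db, payload))   # every role in the table leaks
    print(find_role_safe(db, payload))         # [] - no user has that name
    print(echo_without_shell("x; id"))         # printed literally, nothing executed
```

Escaping special characters (the last control above) is only the fallback for APIs that cannot bind parameters, such as dynamic table or column names; for values, the parameterized form needs no escaping at all.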

02. Prevent XSS Vulnerabilities

+ Escape All Untrusted Data in HTML Contexts
+ Use Positive Input Validation
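An added example of both XSS controls (not from the OWASP document): untrusted values escaped for each context they land in, an HTML attribute, element content, a URL path segment and a JavaScript string, plus allow-list validation of a display name on input. The comment markup, the display-name format and the showAuthor() script call are constructed for the example.

```python
import html
import json
import re
from urllib.parse import quote


def escape_html(untrusted):
    """Escape for HTML element content and for quoted attribute values."""
    return html.escape(untrusted, quote=True)


def escape_js_string(untrusted):
    """Produce a JavaScript string literal. json.dumps handles quotes and
    backslashes; '<' and '>' are escaped too so the data can never contain
    a literal '</script>' that would close the enclosing script block."""
    return json.dumps(untrusted).replace("<", "\\u003c").replace(">", "\\u003e")


# Assumed display-name format for this example.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,40}")


def validate_display_name(name):
    """Positive validation at input time: reject anything outside the expected
    character set. Output escaping is still required; validation is a second
    layer, not a replacement."""
    if not DISPLAY_NAME_RE.fullmatch(name):
        raise ValueError("invalid display name")
    return name


def render_comment(author, text):
    """Each untrusted value is escaped for exactly the context it lands in."""
    return (
        f'<div class="comment" data-author="{escape_html(author)}">'
        f'<a href="/users/{quote(author, safe="")}">{escape_html(author)}</a>'
        f'<p>{escape_html(text)}</p>'
        f'<script>showAuthor({escape_js_string(author)});</script>'
        '</div>'
    )


if __name__ == "__main__":
    print(render_comment('"><img src=x onerror=alert(1)>',
                         '<script>alert(1)</script>'))
```

The point of the separate escape functions is that html.escape() alone is not enough inside a script block or a URL: the HTML parser hands the script body to the JavaScript engine unchanged, so a different escaping rule applies there.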

03. Secure Authentication and Session Management Functionality

+ Centralize Authentication and Session Management Controls
+ Protect Session IDs from XSS

04. Prevent Insecure Direct Object Reference Vulnerabilities

+ Use Per-User or Per-Session Indirect Object References
+ [OR] Check Access Control Permissions Whenever Performing Direct Object References
+ Disable Directory Browsing
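An added example of the two object-reference controls (not from the OWASP document): a per-session map that hands the browser random handles instead of database ids, and the alternative of keeping the direct id but checking ownership on every access. The invoice table and owners are constructed sample data.

```python
import secrets

# Constructed sample data: real invoice ids are the direct references we
# do not want the browser to see or to guess.
INVOICES = {
    101: {"owner": "alice", "amount": 40},
    102: {"owner": "bob", "amount": 75},
}


class IndirectReferenceMap:
    """Per-session map between random handles and real object ids. A handle
    exists only for objects this session was explicitly shown, so changing
    the id in the URL (101 -> 102) has nothing to resolve to."""

    def __init__(self):
        self._direct = {}   # handle  -> real id
        self._handle = {}   # real id -> handle

    def to_indirect(self, direct_id):
        if direct_id not in self._handle:
            handle = secrets.token_urlsafe(16)   # unguessable, unique to this session
            self._handle[direct_id] = handle
            self._direct[handle] = direct_id
        return self._handle[direct_id]

    def to_direct(self, handle):
        if handle not in self._direct:
            raise PermissionError("unknown object reference")
        return self._direct[handle]


def list_invoices(user, refmap):
    """Render the user's own invoices using indirect references."""
    return [(refmap.to_indirect(iid), inv["amount"])
            for iid, inv in INVOICES.items() if inv["owner"] == user]


def get_invoice_indirect(handle, refmap):
    return INVOICES[refmap.to_direct(handle)]


def get_invoice_checked(user, invoice_id):
    """The [OR] alternative: the direct id stays in the URL, but ownership is
    verified on every access. Missing and foreign objects get the same
    answer so the endpoint cannot be used to enumerate which ids exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        raise PermissionError("not found")
    return inv
```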

05. Prevent Cross-Site Request Forgery Vulnerabilities

+ Include Unique Tokens in HTTP Requests
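An added example of the synchronizer-token pattern this control describes (not from the OWASP document): one unguessable token per session, embedded in every state-changing form and compared in constant time on submission. The session dictionary, form dictionary and transfer endpoint are constructed stand-ins for a web framework.

```python
import hmac
import secrets


def csrf_token(session):
    """Issue one unguessable token per session and keep it server side."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_hidden_field(session):
    """Embedded in every state-changing form. A page on another origin cannot
    read this value, so a request it forges arrives without it."""
    return f'<input type="hidden" name="csrf_token" value="{csrf_token(session)}">'


def csrf_valid(session, form):
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected:
        return False
    # Constant-time comparison so the check itself is not a timing oracle.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def transfer_handler(session, method, form):
    """Constructed state-changing endpoint. Returns an HTTP status code."""
    if method != "POST":
        return 405                    # never change state on GET
    if not csrf_valid(session, form):
        return 403
    session.setdefault("transfers", []).append(form["amount"])
    return 200


if __name__ == "__main__":
    session = {}
    print(csrf_hidden_field(session))
    print(transfer_handler(session, "POST", {"csrf_token": session["csrf_token"], "amount": "10"}))
    print(transfer_handler(session, "POST", {"amount": "10"}))   # forged: no token
```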

06. Prevent Security Misconfiguration Vulnerabilities

+ Establish A Repeatable Hardening Process
+ Keep Up with Security Updates
+ Design a Strong Application Architecture
+ Run Scans and Perform Audits

07. Prevent Insecure Cryptographic Storage Vulnerabilities

+ Consider the Threats You Plan to Protect Data from
+ Encrypt Off-site Backups
+ Ensure Strong Algorithms Are Used
+ Hash and Salt Passwords
+ Protect Keys and Passwords

08. Prevent Failure to Restrict URL Access Vulnerabilities

+ Require Authentication and Authorization for Each Sensitive Page
+ Use Role-based Authentication and Authorization
+ Make Authentication and Authorization Policies Configurable
+ Deny All Access by Default
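An added example of the four controls above (not from the OWASP document): a role-based policy kept as configuration data, consulted by one central check on every request, with any path the policy does not list denied to everyone. The URL prefixes and roles are constructed for the example.

```python
# Constructed policy: URL prefix -> roles allowed. Kept as data so it can be
# changed without touching code and reviewed as a whole. Prefixes end with
# "/" on purpose so "/account/" does not also grant "/accounting/".
ACCESS_POLICY = {
    "/":         {"anonymous", "user", "admin"},   # the root page only
    "/public/":  {"anonymous", "user", "admin"},
    "/account/": {"user", "admin"},
    "/admin/":   {"admin"},
}


def allowed_roles(path):
    """Longest matching prefix wins. An unlisted path matches nothing and
    therefore yields an empty set: deny by default."""
    matches = [p for p in ACCESS_POLICY if p != "/" and path.startswith(p)]
    if matches:
        return ACCESS_POLICY[max(matches, key=len)]
    if path == "/":
        return ACCESS_POLICY["/"]
    return set()


def authorize(path, session):
    """Central check run for every request, not only for pages the UI links to.
    Returns an HTTP status code."""
    roles = set(session.get("roles", [])) if session else set()
    if not roles:
        roles = {"anonymous"}
    if roles & allowed_roles(path):
        return 200
    return 401 if roles == {"anonymous"} else 403


if __name__ == "__main__":
    print(authorize("/admin/users", {"roles": ["user"]}))     # 403
    print(authorize("/reports/export", {"roles": ["admin"]}))  # 403: unlisted path
```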

09. Prevent Insufficient Transport Layer Protection Vulnerabilities

+ Enable SSL/TLS (in practice TLS; the SSL protocol versions themselves are obsolete)
+ Use SSL/TLS for All Sensitive Pages
+ Set the Secure Flag on All Sensitive Cookies
+ Use Only Strong SSL/TLS Protocol Versions and Cipher Suites
+ Use Valid SSL/TLS Certificates
+ Secure Backend Connections
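An added example for the protocol, cipher, certificate and backend-connection controls above (not from the OWASP document): a Python ssl client context for connections to backend services, hardened to TLS 1.2 or later with forward-secret AEAD ciphers and mandatory certificate and hostname verification, beside an audit function that flags the verification-disabled context often found in real code. The Secure cookie flag belongs with the session cookie and is covered there.

```python
import ssl


def backend_tls_context(cafile=None):
    """Client context for connections to backend services. cafile is the CA
    bundle that signed the backend certificates; None uses the system store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    ctx.check_hostname = True                       # name in cert must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED             # self-signed / untrusted => fail
    ctx.options |= ssl.OP_NO_COMPRESSION            # TLS compression (CRIME)
    # Forward-secret key exchange with AEAD ciphers only. TLS 1.3 suites are
    # configured separately by OpenSSL and are already strong.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def audit_tls_context(ctx):
    """Return the list of weaknesses in a context; an empty list is acceptable."""
    problems = []
    if not ctx.check_hostname:
        problems.append("hostname verification disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not required")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("TLS versions below 1.2 allowed")
    return problems


def weak_context_as_often_seen():
    """The misconfiguration this control warns against: verification switched
    off so that a self-signed backend certificate 'works'. Any host on the
    path can then impersonate the backend. Shown only to be audited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print(audit_tls_context(backend_tls_context()))        # []
    print(audit_tls_context(weak_context_as_often_seen()))
```

The same checks apply on the server side: a web server listening for browsers needs the same minimum version and cipher policy, and a certificate issued for the exact hostnames it serves.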

10. Prevent Unvalidated Redirects and Forwards Vulnerabilities

+ Don't Use Redirects or Forwards, If Possible
+ Don't Use User Input for Calculating Destinations of Redirects or Forwards
+ Use Mapping Values When Calculating Destinations of Redirects or Forwards
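An added example of the redirect controls above (not from the OWASP document): a lookup table of named destinations so the client only ever sends a key, and, for the case where a literal path must be accepted after login, a validator that admits only a relative path on the same origin and rejects the common bypasses. The destination table is constructed.

```python
from urllib.parse import unquote, urlsplit

# Constructed: the only destinations this application will redirect to.
REDIRECT_TARGETS = {
    "home":    "/",
    "profile": "/account/profile",
    "help":    "https://help.example.com/start",
}


def redirect_by_key(key, default="/"):
    """Mapping values: the client sends a short key ("?next=profile"), never a
    URL, and the server looks it up. Unknown keys get a fixed default instead
    of anything the caller supplied."""
    return REDIRECT_TARGETS.get(key, default)


def safe_local_path(candidate, default="/"):
    """Fallback when a literal path must be accepted: allow only a relative
    path on this origin. Rejects absolute URLs and schemes, scheme-relative
    //host, backslashes (browsers normalise /\\host to //host), encoded
    slashes that decode to //, and control characters."""
    if not isinstance(candidate, str) or not candidate:
        return default
    decoded = unquote(candidate)
    if "\\" in decoded or any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        return default
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:
        return default
    if not decoded.startswith("/") or decoded.startswith("//"):
        return default
    return decoded


if __name__ == "__main__":
    for attempt in ("profile", "https://evil.example/"):
        print(attempt, "->", redirect_by_key(attempt))
    for attempt in ("/account/settings", "//evil.example/", "/\\evil.example",
                    "https://evil.example/", "/%2F%2Fevil.example", "javascript:alert(1)"):
        print(attempt, "->", safe_local_path(attempt))
```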

A-1. Authentication Requirements

+ Require Authentication for All Private Pages
+ Mask All Password Fields
+ Lock Accounts After Multiple Failed Authentication Attempts
+ Use Server-side Authentication
+ Centralize All Authentication Controls
+ Make Sure Authentication Controls Fail Securely
+ Require Strong Authentication Credentials
+ Secure the Account Management Functions
+ Secure the Credential (Password) Changing Functions
+ Require Re-authentication for Sensitive Operations
+ Force Authentication Credentials to Expire
+ Log Authentication Events
+ Hash and Salt Passwords
+ Protect Authentication Credentials for External Resources
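An added example serving the "Hash and Salt Passwords" item in section 07 and the hashing, lockout, fail-securely and logging items in this list (not from the OWASP document): scrypt with a per-user random salt and parameters stored in the record so they can be raised later, constant-time verification, a dummy verification for unknown users so the login form does not reveal which names exist, lockout after repeated failures, and an event log. The record format, the lockout threshold and the in-memory store are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets

# scrypt parameters (N=2**14, r=8, p=1: about 16 MiB, tens of milliseconds).
# Stored in each record so they can be increased without breaking old hashes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MAX_FAILURES = 5   # constructed lockout threshold


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P):
    """Per-user random salt + memory-hard KDF; never a bare MD5/SHA-1 digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(digest)}"


def verify_password(password, record):
    """Recompute with the parameters in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        return False   # malformed record: fail closed
    return hmac.compare_digest(actual, expected)


# Verified against when the user does not exist, so unknown and known names
# take the same time and the login form cannot be used to enumerate users.
_DUMMY_RECORD = hash_password(secrets.token_hex(16))


class AuthStore:
    """Constructed in-memory user store with lockout and an audit log."""

    def __init__(self):
        self.users = {}    # name -> {"record": str, "failures": int, "locked": bool}
        self.events = []   # (outcome, name, detail) for every authentication attempt

    def register(self, name, password):
        self.users[name] = {"record": hash_password(password), "failures": 0, "locked": False}

    def authenticate(self, name, password):
        user = self.users.get(name)
        if user is None:
            verify_password(password, _DUMMY_RECORD)
            self.events.append(("failure", name, "unknown user"))
            return False
        if user["locked"]:
            self.events.append(("failure", name, "account locked"))
            return False
        if verify_password(password, user["record"]):
            user["failures"] = 0
            self.events.append(("success", name, ""))
            return True
        user["failures"] += 1
        if user["failures"] >= MAX_FAILURES:
            user["locked"] = True
            self.events.append(("lockout", name, f"{user['failures']} failures"))
        self.events.append(("failure", name, "bad password"))
        return False
```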

A-2. Session Management Requirements

+ Use Session Management Offered by the Framework
+ Invalidate Sessions when Users Log Out
+ Make Inactive Sessions Time-out
+ Make Sessions Time-out
+ Place Logout Links on All Pages that Require Authentication
+ Protect Session IDs
+ Change Session IDs on Login
+ Change Session IDs on Reauthentication
+ Change Session IDs on Logout
+ Reject Invalid Session IDs
+ Use Strong Session IDs
+ Set the Domain and Path Values of Session Cookies
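An added example covering the session requirements above and the "Protect Session IDs from XSS" item in section 03 (not from the OWASP document): a server-side session store with 256-bit random ids, idle and absolute timeouts, rejection of unknown ids, id rotation on login and re-authentication, invalidation on logout, and the Set-Cookie attributes (Secure, HttpOnly, SameSite, Domain, Path) that keep the id away from script and off other origins. The timeouts, cookie name and domain are constructed for the example; the clock is injectable so the timeouts can be exercised.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60          # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # hard lifetime regardless of activity


class SessionStore:
    """Server-side store: only the random id travels to the browser."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, data=None, created=None):
        sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = {"data": dict(data or {}),
                               "created": now if created is None else created,
                               "last_seen": now}
        return sid

    def get(self, sid):
        """Session data, or None for an unknown or expired id."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s["last_seen"] = now
        return s["data"]

    def rotate(self, sid):
        """New id, same data and same absolute deadline: call on login,
        re-authentication and privilege change, so an id planted before
        login (session fixation) never becomes an authenticated one."""
        s = self._sessions.get(sid)
        if self.get(sid) is None:
            return None
        del self._sessions[sid]
        return self.create(s["data"], created=s["created"])

    def destroy(self, sid):
        self._sessions.pop(sid, None)


def login(store, sid, user):
    new_sid = store.rotate(sid) or store.create()
    store.get(new_sid)["user"] = user
    return new_sid


def logout(store, sid):
    """Invalidate server side and hand out a brand-new anonymous id."""
    store.destroy(sid)
    return store.create()


def session_cookie(sid, domain="app.example.com", path="/"):
    """Secure: sent only over TLS. HttpOnly: invisible to script, so XSS cannot
    read it. SameSite: withheld on cross-site requests. Domain and Path scope
    the cookie to exactly this application."""
    return f"sid={sid}; Domain={domain}; Path={path}; Secure; HttpOnly; SameSite=Lax"


def clear_session_cookie(domain="app.example.com", path="/"):
    return f"sid=; Domain={domain}; Path={path}; Max-Age=0; Secure; HttpOnly; SameSite=Lax"
```

Clearing the cookie on logout is a courtesy to the browser; the control that actually ends the session is destroy() on the server, since a stolen id would otherwise keep working until it timed out.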