VaporSecurity

A community curated list of application security resources for Vapor developers.

Contributions

Contribute by submitting a pull request with changes or post resources in the #security channel in Vapor Discord.

Articles

• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery

Resources

• Vapor Security
  • Vapor
    • Articles
      • General
      • Authentication
    • Libraries
    • Application Security
    • General
    • Awesome Lists
    • Books
    • Newsletters
    • Testing
    • Podcasts
    • Tools
    • SSL
    • Misc

Vapor

Articles

General

• Security And Your Vapor Application | Blog | Geeks @ Broken Hands

Authentication

• Tutorial: How to build Basic Auth with Session – Martin Lasek – Medium
• Basic Authentication with Vapor 3 – Rocket Fuel – Medium
• Token Authentication in Vapor 3 - Vapor Forums
• Username/Password Authentication in Vapor 3 - Vapor Forums
• HTTP Basic Authorization in Vapor 3 - Vapor Forums

Libraries

• brokenhandsio/vapor-oauth-fluent - Fluent Implementations For Vapor OAuth
• brokenhandsio/vapor-oauth - OAuth2 Provider Library for Vapor
• brokenhandsio/VaporSecurityHeaders - Harden Your Security Headers For Vapor
• gotranseo/vapor-recaptcha - A Vapor 3 library for validating Google reCAPTCHA submissions
• vapor-community/bcrypt - Swift implementation of the BCrypt password hashing function
• vapor-community/CSRF - A package to add protection to Vapor against CSRF attacks
• vapor-community/Imperial - Federated Authentication with OAuth providers
• vapor-community/moat - A line of defense for your Vapor application including XSS attack filtering + extras.
• vapor-community/tls - Non-blocking, event-driven TLS built on OpenSSL & macOS security
• vapor/auth - Authentication and Authorization layer for Fluent

Application Security

General

• Open Web Application Security Project (OWASP) - An open source community project that provides impartial, practical information about application security
• OWASP Top Ten Project - The top 10 most critical web application security risks

Awesome Lists

• paragonie/awesome-appsec - A curated list of resources for learning about application security
• qazbnm456/awesome-web-security - A curated list of Web Security materials and resources
• andriisoldatenko/awesome-security-testing - A collection of awesome Security testing resources
• PaulSec/awesome-sec-talks - A curated list of awesome Security talks

Books

• The Web Application Hacker’s Handbook - Comprehensive guide to security testing web applications
• Web Hacking 101 by Peter Yaworski - Explains common web vulnerabilities and exploit techniques by analyzing publicly disclosed vulnerabilities.
• Breaking into Information by Andy Gill - Beginner guide to web application penetration testing

Newsletters

• Simpsonpt/AppSecEzine: AppSec Ezine - Overview of the latest topics in application security
• Zero Daily - HackerOne - Daily newsletter focusing on focus on application security and bug bounty topics

Testing

• danielmiessler/SecLists - A collection of multiple types of lists used during security assessments
• Using Burp to Test for the OWASP Top Ten - A tutorial on how to use Burp Suite to find the vulnerabilities listed in the OWASP Top 10
• OWASP Testing Guide v4 - A guide on how to perform Web Application Penetration Testing

Podcasts

• Application Security Weekly - Paul’s Security Weekly - Podcast that explains development to security professionals
• Application Security PodCast - Podcast that explain the fundamentals of application security

Tools

• Burp Suite - PortSwigger - Intercepting proxy and suite of web application security tools

• OWASP Zed Attack Proxy (ZAP) - Free and open source web application testing tool

SSL

• Let’s Encrypt - A free, automated, and open Certificate Authority.

Misc

• security.txt - A proposed standard which allows websites to define security policies