OWASP Developer Guide

Enforce Access Controls Checklist

4.2.7 Checklist: Enforce Access Controls

Access Control (or Authorization) is the process of granting or denying specific requests from a user, program, or process.

Refer to proactive control C7: Enforce Access Controls for more context from the OWASP Top 10 Proactive Controls project, and use the list below as suggestions for a checklist that has been tailored for the individual project.


  • Design access control / authorization thoroughly up-front
  • Force all requests to go through access control checks unless public
  • Deny by default; if a request is not specifically allowed then it is denied
  • Apply least privilege, providing the least access as is necessary
  • Log all authorization events

Access control

  • Enforce authorization controls on every request
  • Use only trusted system objects for making access authorization decisions
  • Use a single site-wide component to check access authorization
  • Access controls should fail securely
  • Deny all access if the application cannot access its security configuration information
  • Segregate privileged logic from other application code
  • Limit the number of transactions a single user or device can perform in a given period of time, low enough to deter automated attacks but above the actual business requirement
  • If long authenticated sessions are allowed, periodically re-validate a user’s authorization
  • Implement account auditing and enforce the disabling of unused accounts
  • The application must support termination of sessions when authorization ceases


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.