Application Security Handbook

Email Address Confirmation


Last updated 1 year ago

Overview

This page contains recommendations for validating and confirming email addresses.

General

  • Implement a validation of an email address. Include at least the following:

    • An email address contains two parts, separated by an @ symbol.

    • An email address does not contain at least the following characters:

      • backticks `

      • single quotes '

      • double quotes "

      • null bytes \x00

      • new line \x0A

      • carriage return \x0D

      • comma ,

      • semicolon ;

    • The domain part contains only letters, numbers, hyphens - and periods .

    • The local part (before the @) should be no more than 63 characters.

    • The total length should be no more than 254 characters.

  • Validate that an email address is correct and legitimate by confirming that the user controls it, see the Email confirmation link and Email confirmation code sections below.

  • Do not automatically sign in a user after email address confirmation. Once a user confirms ownership of an email address, send them to the usual login mechanism (with multi-factor authentication, if enabled).
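The checks listed above as a Python validator. This is an added example, not code from the handbook: the function names and the InvalidEmailAddress exception are my own, and it goes slightly beyond the list by also rejecting a domain part that starts or ends with a period or contains two consecutive periods, which the character rule alone would allow.

```python
import re

# Characters the handbook says must never appear anywhere in an address:
# backtick, single quote, double quote, NUL, LF, CR, comma, semicolon.
FORBIDDEN_CHARS = frozenset("`'\"\x00\x0a\x0d,;")

# The domain part may contain only letters, digits, hyphens and periods.
_DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")

MAX_LOCAL_PART = 63     # handbook limit for the part before the @
MAX_TOTAL_LENGTH = 254  # handbook limit for the whole address


class InvalidEmailAddress(ValueError):
    """Raised when an address fails one of the syntactic checks (hypothetical exception type)."""


def validate_email_address(address: str) -> str:
    """Apply the handbook's minimum checks; return the address with the domain lower-cased.

    The input is checked exactly as received: nothing is stripped, so an address
    carrying a trailing CR/LF is rejected rather than silently trimmed.
    """
    if not isinstance(address, str):
        raise InvalidEmailAddress("address must be a string")
    if len(address) > MAX_TOTAL_LENGTH:
        raise InvalidEmailAddress(f"address longer than {MAX_TOTAL_LENGTH} characters")

    bad = FORBIDDEN_CHARS.intersection(address)
    if bad:
        raise InvalidEmailAddress(f"forbidden characters present: {sorted(bad)!r}")

    # Exactly two non-empty parts separated by a single @.
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain or "@" in domain:
        raise InvalidEmailAddress("address must be local@domain with exactly one @")

    if len(local) > MAX_LOCAL_PART:
        raise InvalidEmailAddress(f"local part longer than {MAX_LOCAL_PART} characters")

    if not _DOMAIN_RE.fullmatch(domain):
        raise InvalidEmailAddress("domain part may contain only letters, digits, - and .")
    # Beyond the handbook's character rule: a domain cannot start or end with a
    # period, and cannot contain an empty label.
    if domain.startswith(".") or domain.endswith(".") or ".." in domain:
        raise InvalidEmailAddress("malformed domain part")

    # The local part is left as-is (it may be case-sensitive); the domain is not.
    return f"{local}@{domain.lower()}"


def is_valid_email_address(address: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_email_address(address)
    except InvalidEmailAddress:
        return False
    return True
```

Run validate_email_address on the raw form value and store what it returns; because nothing is stripped before the forbidden-character check, an address padded with CR/LF or a quote character is refused rather than sanitized, which is the behaviour you want in front of mail headers and SQL.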

Email confirmation link

  • Send a confirmation URL to a user's email and pass a random token in the query string of the URL. For example:

    https://website.local/account/email/confirm?token=GiOzXAwlZ17NsW4CkVV8MQXtiQN9cWiY

  • Use a random token length of 32+ bytes.

  • Set a short expiration time for a random token (~ 24 hours).

  • Use a random token only once. After it has been used, delete it or move it to a final status that prohibits reuse.
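The confirmation-link rules above (32+ random bytes from a cryptographically strong generator, ~24 hour expiry, single use, no automatic sign-in, logging of successful and failed attempts) put together in one Python service. This is an added example rather than the handbook's own code: EmailConfirmationService, ConfirmationRecord and the in-memory store are my own constructs, and the URL is the one from the handbook's example.

```python
import hashlib
import logging
import secrets
import time
from dataclasses import dataclass

log = logging.getLogger("email_confirmation")

TOKEN_BYTES = 32                   # handbook: token of 32+ random bytes
TOKEN_TTL_SECONDS = 24 * 60 * 60   # handbook: short expiry, ~24 hours
CONFIRM_URL = "https://website.local/account/email/confirm"   # URL from the handbook's example


@dataclass
class ConfirmationRecord:
    user_id: str
    email: str
    token_hash: str      # only a hash of the token is persisted, never the token itself
    expires_at: float    # Unix timestamp
    used: bool = False   # the "final status" that prohibits reuse


class EmailConfirmationService:
    """Issue and redeem single-use, expiring confirmation links.

    Hypothetical service with an in-memory store (constructed for this example);
    a real deployment keeps ConfirmationRecord rows in a database. The clock is
    injectable so expiry can be tested without waiting.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._records: dict[str, ConfirmationRecord] = {}

    @staticmethod
    def _hash(token: str) -> str:
        # A leaked copy of the store must not be enough to forge a confirmation.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, email: str) -> str:
        """Create a token with the CSPRNG and return the URL to e-mail to the user."""
        token = secrets.token_urlsafe(TOKEN_BYTES)   # 32 random bytes -> 43 URL-safe characters
        record = ConfirmationRecord(user_id, email, self._hash(token), self._now() + TOKEN_TTL_SECONDS)
        self._records[record.token_hash] = record
        return f"{CONFIRM_URL}?token={token}"

    def confirm(self, token: str):
        """Redeem a token exactly once.

        Returns (user_id, email) on success and None on any failure, logging both
        outcomes. It deliberately creates no session: the caller sends the user
        to the normal login flow (including MFA, if enabled) afterwards.
        """
        record = self._records.get(self._hash(token))
        if record is None:
            log.warning("email confirmation failed: unknown token")
            return None
        if record.used:
            log.warning("email confirmation failed: token already used (user %s)", record.user_id)
            return None
        if self._now() > record.expires_at:
            log.warning("email confirmation failed: token expired (user %s)", record.user_id)
            return None
        record.used = True   # move to the final, non-reusable status
        log.info("email confirmed for user %s (%s)", record.user_id, record.email)
        return record.user_id, record.email
```

Keeping the record after use (flagged `used`) instead of deleting it gives the log a second data point: a replay of an already-consumed token is distinguishable from a random guess, which is useful when monitoring for token leakage via referrers or shared inboxes.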

Email confirmation code

  • Send a One-Time Password (OTP) to a user's email.

References

  • Logging and Monitoring: log successful and failed email address confirmation attempts, see that page.

  • Error and Exception Handling: comply with the requirements from that page.

  • Cryptography: Random Generators: generate a random token using a cryptographically strong random generator, see that page.

  • Authentication: One Time Password (OTP): comply with the requirements from that page.

  • OWASP Cheat Sheet Series: Input Validation - Email address validation