Quiz Entry - updated: 2026.07.14
What are the testing and operational best practices for access control?
Five operational areas: exhaustive role × endpoint testing, logging access decisions, rate limiting, disabling directory listing, and cleaning leftover files from the web root.
| Area | Actions | Why |
|---|---|---|
| Extensive testing | Test all role × endpoint combinations. Use SAST/DAST tools. Pen-test. | Authorization bugs are logic bugs — hard to find without systematic testing |
| Logging & reporting | Log all access decisions. Alert on denied-access spikes. Audit trail. | Detect attacks in progress, prove compliance |
| Rate limiting | Limit requests per user/IP. Progressive delays. | Prevent brute-force IDOR enumeration |
| No directory listing | Disable auto-indexing on web servers | Prevents discovery of hidden endpoints/files |
| Clean web root | Remove .bak, .old, config files, source code |
Attackers scan for leftover files (e.g., config.php.bak) |