
This is the online version of TSS-WEB, a document that consists of exemplary content for a (mainly) technical security standard for web-based applications and services. It may be used as a template for a custom organization-specific security standard or simply as a collection of suggested baseline requirements for teams and projects. All requirements in this document are based on common best practices (including those from OWASP and WASC of course) as well as our own experiences in this field.

We are constantly improving and extending this content to integrate new developments, threats and best practices.

Note About English Translation

This is the first English translation of the original German document, which has been worked on for a while in the community. This version may therefore contain some translation “bugs”, which is why it is still in DRAFT state.

Additional Security Content

Do you need additional security content for Confluence (can be integrated into MS SharePoint), such as threat intelligence or secure coding guidelines for Java EE, JSF, ASP.NET, Angular etc., with code snippets that you can customize to your own needs? Then have a look at our Security Content for Confluence offering.


The objective of TSS-WEB is to provide a framework for high-level application security requirements that can be adapted by organizations and used to map implementation-specific coding guidelines, e.g. for Web frameworks such as ASP.NET, JSF or PHP Symfony. Wikis such as Confluence are a great documentation tool for that.


This site is maintained by Secodis GmbH. Responsible for the content is Matthias Rohr.


Feedback Appreciated!

Feedback about this content is very much appreciated! Please send it via mail to tss-web (at)



TSS-WEB-v1.5-EN (MS Word)


TSS-WEB-v1.5-DE (MS Word)

Recent Changes

There have been a number of content changes since v1.5 that haven't been released yet. They are highlighted using blue color and currently affect the following sections:
