
This is the online version of TSS-WEB, a document that consists of exemplary content for a (mainly) technical security standard for web-based applications and services as well as a general development policy.

It can be used as a template for your own organization-specific security standard / policy or just as a collection of suggestions for baseline requirements. All of these requirements are based on common best practices (including those from OWASP of course) as well as our own experiences in this field.

We are constantly improving and extending this content to cover new threats and to integrate new technologies, controls and best practices into it.

Version 1.6 Released: We are releasing a new version with a large number of changes and coverage of the latest security best practices. Refer to the Changelog for an overview of the changes we've made.


The objective of TSS-WEB is to provide a framework for high-level application security requirements that can be adapted by organizations and used to map implementation-specific coding guidelines, e.g. for web frameworks such as Angular, ASP.NET, JSF or PHP Symfony. Wikis such as Confluence are a great documentation tool for that.

Secure Coding Guidelines for Confluence

If you are looking for secure coding guidelines that complement these requirements, you might have a look at our Security Content for Confluence that we provide as an export for Atlassian Confluence and that can be easily integrated into MS SharePoint as well.

We provide a comprehensive threat library, guidelines and implementation notes for a number of programming languages and frameworks that you can extend to your own needs.


This site is maintained by Secodis GmbH. Matthias Rohr is responsible for the content.

Feedback Appreciated!

Feedback on this content is always very much welcome! Please send it via mail to tss-web (at)

