Security

OWASP Top 10 (2025)

Industry consensus on the ten most critical web application security risks. The 2025 edition is current; 2021 is superseded but still widely referenced.

Authority: OWASP Foundation
Version: 2025
Jurisdiction: Global
Source: owasp.org
Last reviewed: 2026-04-28
Last verified: pending

What it is

The OWASP Top 10 is a regularly updated list of the most critical security risks to web applications, derived from a community survey plus large-scale data analysis of vulnerability prevalence. It is used as the de facto bar in penetration testing scopes and SDLC requirements.

Why it matters

Your AppSec program should provably address every Top 10 risk — broken access control, cryptographic failures, injection, insecure design, misconfiguration, vulnerable components, auth failures, integrity failures, logging gaps, SSRF. Most security questionnaires reference it directly.

Who it applies to

Every web application — the Top 10 is the baseline, not the ceiling.

How WQI scores it

Web Quality Index considers this standard satisfied when all 3 supporting factors pass.

| # | Factor | Status |
|---|--------|--------|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | live |
| 6 | WordPress REST API user enumeration exposure | live |
| 7 | Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php) | live |

Related standards

See also: NIST CSF, CSP 3, SRI

Standards that share factors with this one

Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.
