Lista de verificação de auditoria de segurança de QR Code
Comprehensive security checklist for QR code deployments: generation, distribution, scanning, data handling, and incident response.
QR Code Security Audit Checklist
This comprehensive checklist covers security review for QR code generation, deployment, scanning infrastructure, and incident response.
Generation Security
- [ ] QR codes are generated on trusted, controlled systems
- [ ] Input data is validated and sanitised before encoding
- [ ] HTTPS URLs only — no HTTP links
- [ ] URLs use domains you own and control (not third-party shorteners for critical codes)
- [ ] Dynamic QR codes use authenticated management interfaces
- [ ] API keys for QR generation platforms are rotated regularly
- [ ] Generated QR codes are verified by scanning before deployment
Deployment Security
- [ ] Physical QR codes use tamper-evident materials where appropriate
- [ ] Installation locations are documented and photographed
- [ ] Regular physical audits scheduled (weekly for high-traffic locations)
- [ ] Quiet zone is maintained to prevent scanning adjacent content
- [ ] QR code purpose and destination are clearly labeled (CTA)
- [ ] Fallback URL is displayed in readable text
URL and Redirect Security
- [ ] Destination URLs use HTTPS with valid certificates
- [ ] Domain registrations have auto-renewal enabled
- [ ] Dynamic QR redirect platform has uptime SLA
- [ ] URL redirect chains are minimised (each hop adds failure and attack surface)
- [ ] Link rot monitoring is active
- [ ] Domain names are monitored for lookalike registrations
Data Protection
- [ ] GDPR and local privacy regulations are addressed
- [ ] Privacy policy covers QR code scan data collection
- [ ] Scan data retention policy is defined and enforced
- [ ] Personal data in QR codes (contacts, health data) is minimised
- [ ] Encrypted or signed QR codes used for sensitive data
Incident Response
- [ ] Incident response plan covers QR code compromise
- [ ] Dynamic QR codes can be deactivated immediately
- [ ] Physical QR code replacement procedure is documented
- [ ] User notification process is defined
- [ ] Post-incident review updates security controls
Key Takeaways
- Security audit should cover generation, deployment, URLs, data, and incidents
- Physical audits are as important as technical controls
- Domain auto-renewal and monitoring prevent hijacking
- Data protection compliance (GDPR) applies to QR code scan data
- Incident response must cover both digital and physical compromise