Security Checklist
SkillQuick reference for web application security. Use alongside the `security-and-hardening` skill.
Security Checklist
Security Checklist
Quick reference for web application security. Use alongside the security-and-hardening skill.
Table of Contents
- Pre-Commit Checks
- Authentication
- Authorization
- Input Validation
- Security Headers
- CORS Configuration
- Data Protection
- Dependency Security
- Error Handling
- OWASP Top 10 Quick Reference
Pre-Commit Checks
- No secrets in code (
git diff --cached | grep -i "password\|secret\|api_key\|token") -
.gitignorecovers:.env,.env.local,*.pem,*.key -
.env.exampleuses placeholder values (not real secrets)
Authentication
- Passwords hashed with bcrypt (≥12 rounds), scrypt, or argon2
- Session cookies:
httpOnly,secure,sameSite: 'lax' - Session expiration configured (reasonable max-age)
- Rate limiting on login endpoint (≤10 attempts per 15 minutes)
- Password reset tokens: time-limited (≤1 hour), single-use
- Account lockout after repeated failures (optional, with notification)
- MFA supported for sensitive operations (optional but recommended)
Authorization
- Every protected endpoint checks authentication
- Every resource access checks ownership/role (prevents IDOR)
- Admin endpoints require admin role verification
- API keys scoped to minimum necessary permissions
- JWT tokens validated (signature, expiration, issuer)
Input Validation
- All user input validated at system boundaries (API routes, form handlers)
- Validation uses allowlists (not denylists)
- String lengths constrained (min/max)
- Numeric ranges validated
- Email, URL, and date formats validated with proper libraries
- File uploads: type restricted, size limited, content verified
- SQL queries parameterized (no string concatenation)
- HTML output encoded (use framework auto-escaping)
- URLs validated before redirect (prevent open redirect)
Security Headers
Content-Security-Policy: default-src 'self'; script-src 'self'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 0 (disabled, rely on CSP)
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
CORS Configuration
// Restrictive (recommended)
cors({
origin: ['https://yourdomain.com', 'https://app.yourdomain.com'],
credentials: true,
methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
allowedHeaders: ['Content-Type', 'Authorization'],
})
// NEVER use in production:
cors({ origin: '*' }) // Allows any origin
Data Protection
- Sensitive fields excluded from API responses (
passwordHash,resetToken, etc.) - Sensitive data not logged (passwords, tokens, full CC numbers)
- PII encrypted at rest (if required by regulation)
- HTTPS for all external communication
- Database backups encrypted
Dependency Security
# Audit dependencies
npm audit
# Fix automatically where possible
npm audit fix
# Check for critical vulnerabilities
npm audit --audit-level=critical
# Keep dependencies updated
npx npm-check-updates
Error Handling
// Production: generic error, no internals
res.status(500).json({
error: { code: 'INTERNAL_ERROR', message: 'Something went wrong' }
});
// NEVER in production:
res.status(500).json({
error: err.message,
stack: err.stack, // Exposes internals
query: err.sql, // Exposes database details
});
OWASP Top 10 Quick Reference
| # | Vulnerability | Prevention |
|---|---|---|
| 1 | Broken Access Control | Auth checks on every endpoint, ownership verification |
| 2 | Cryptographic Failures | HTTPS, strong hashing, no secrets in code |
| 3 | Injection | Parameterized queries, input validation |
| 4 | Insecure Design | Threat modeling, spec-driven development |
| 5 | Security Misconfiguration | Security headers, minimal permissions, audit deps |
| 6 | Vulnerable Components | npm audit, keep deps updated, minimal deps |
| 7 | Auth Failures | Strong passwords, rate limiting, session management |
| 8 | Data Integrity Failures | Verify updates/dependencies, signed artifacts |
| 9 | Logging Failures | Log security events, don't log secrets |
| 10 | SSRF | Validate/allowlist URLs, restrict outbound requests |
Imported from https://github.com/addyosmani/agent-skills by addyosmani. Licensed under MIT. Source: https://github.com/addyosmani/agent-skills/blob/main/references/security-checklist.md