testsAndMisc/third_party/agent-skills/references/security-checklist.md

Security Checklist

Quick reference for web application security. Use alongside the security-and-hardening skill.

Pre-Commit Checks

  • No secrets in code (git diff --cached | grep -iE "password|secret|api[_-]?key|token|private key"); treat the grep as a smoke test and run a dedicated secret scanner such as gitleaks from a pre-commit hook
  • .gitignore covers: .env, .env.local, *.pem, *.key
  • .env.example uses placeholder values (not real secrets)

Authentication

  • Passwords hashed with bcrypt (cost factor ≥12), scrypt, or argon2id; never a plain or salted MD5/SHA digest
  • Session cookies: httpOnly, secure, sameSite: 'lax'
  • Session expiration configured (reasonable max-age); session id rotated on login and invalidated on logout
  • Rate limiting on login endpoint (≤10 attempts per 15 minutes), keyed per account and per source IP
  • Password reset tokens: time-limited (≤1 hour), single-use, stored only as a hash
  • Account lockout after repeated failures (optional, with notification); a hard lockout lets an attacker lock real users out, so prefer rate limiting or progressive delays
  • MFA supported for sensitive operations (optional but recommended)

Authorization

  • Every protected endpoint checks authentication
  • Every resource access checks ownership/role (prevents IDOR)
  • Admin endpoints require admin role verification
  • API keys scoped to minimum necessary permissions
  • JWT tokens validated (signature with a server-pinned algorithm, expiration, issuer, audience); never choose the algorithm from the token's own alg header, which is how alg:none and RS256/HS256 confusion bugs arise

Input Validation

  • All user input validated at system boundaries (API routes, form handlers)
  • Validation uses allowlists (not denylists)
  • String lengths constrained (min/max)
  • Numeric ranges validated
  • Email, URL, and date formats validated with proper libraries
  • File uploads: type restricted, size limited, content verified
  • SQL queries parameterized (no string concatenation)
  • HTML output encoded (use framework auto-escaping)
  • URLs validated before redirect (prevent open redirect)

Security Headers

Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY  (legacy fallback; frame-ancestors in the CSP takes precedence where supported)
X-XSS-Protection: 0  (disabled; the old browser filter caused its own bugs, rely on CSP)
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()

With script-src 'self' every inline script and inline event handler is blocked, so move scripts into files (or add nonces) and roll the policy out first as Content-Security-Policy-Report-Only to catch what breaks.

CORS Configuration

// Restrictive (recommended)
cors({
  origin: ["https://yourdomain.com", "https://app.yourdomain.com"],
  credentials: true,
  methods: ["GET", "POST", "PUT", "PATCH", "DELETE"],
  allowedHeaders: ["Content-Type", "Authorization"],
});

// NEVER use in production:
cors({ origin: "*" }); // Allows any origin (browsers do at least refuse to pair "*" with credentials)
// Equally bad: origin: true, or a callback that echoes req.headers.origin unchecked; with
// credentials: true that reflection hands every site on the internet credentialed access.
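The allowlist logic as an added example that does not depend on the cors package (it is not code from the original checklist or the package); it returns the response headers for a given Origin so the good and bad variants can be compared directly. The origin values are the ones from the snippet above; the function names are assumptions.

```javascript
// Exact-match allowlist of origins: scheme, host and port all count.
const ALLOWED_ORIGINS = new Set(["https://yourdomain.com", "https://app.yourdomain.com"]);

// Hardened: emit CORS headers only for an allowlisted Origin. Returning null means no
// Access-Control-Allow-Origin header at all, so the browser withholds the response body
// from the calling page.
function corsHeadersFor(requestOrigin) {
  if (typeof requestOrigin !== "string" || !ALLOWED_ORIGINS.has(requestOrigin)) return null;
  return {
    "Access-Control-Allow-Origin": requestOrigin, // echoed only after the allowlist check
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin", // a shared cache must not replay one origin's ACAO to another
  };
}

// Vulnerable (for contrast only): reflecting the Origin header grants every site
// credentialed access. This is worse than "*", because browsers reject a credentialed
// response whose Access-Control-Allow-Origin is the literal "*".
function corsHeadersReflect(requestOrigin) {
  return { "Access-Control-Allow-Origin": requestOrigin, "Access-Control-Allow-Credentials": "true" };
}

// Vulnerable (for contrast only): substring or unanchored-regex checks pass
// "https://yourdomain.com.evil.example" and "https://evilyourdomain.com".
function corsHeadersSubstring(requestOrigin) {
  if (typeof requestOrigin !== "string" || !requestOrigin.includes("yourdomain.com")) return null;
  return { "Access-Control-Allow-Origin": requestOrigin, "Access-Control-Allow-Credentials": "true" };
}
```

With the cors package the same check goes in the origin callback, which reflects the request origin only when you answer true: origin: (o, cb) => cb(null, ALLOWED_ORIGINS.has(o)). Requests with no Origin header (curl, same-origin navigations) get no CORS headers, which is the correct outcome.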

Data Protection

  • Sensitive fields excluded from API responses (passwordHash, resetToken, etc.)
  • Sensitive data not logged (passwords, tokens, full CC numbers)
  • PII encrypted at rest (if required by regulation)
  • HTTPS for all external communication
  • Database backups encrypted

Dependency Security

# Audit dependencies (exits non-zero when any advisory matches the lockfile)
npm audit

# Fix automatically where possible (semver-compatible bumps only; review the lockfile diff)
npm audit fix

# Fail only on critical advisories; pick the level you will actually enforce in CI
npm audit --audit-level=critical

# List available updates; add -u to rewrite package.json, then reinstall and re-run tests
npx npm-check-updates

Error Handling

// Production: generic error, no internals (log the full error server-side, tied to a correlation id)
res.status(500).json({
  error: { code: "INTERNAL_ERROR", message: "Something went wrong" },
});

// NEVER in production:
res.status(500).json({
  error: err.message,
  stack: err.stack, // Exposes internals
  query: err.sql, // Exposes database details
});

OWASP Top 10 Quick Reference

| # | Vulnerability (OWASP Top 10, 2021) | Prevention |
|---|---|---|
| 1 | Broken Access Control | Auth checks on every endpoint, ownership verification |
| 2 | Cryptographic Failures | HTTPS, strong hashing, no secrets in code |
| 3 | Injection | Parameterized queries, input validation |
| 4 | Insecure Design | Threat modeling, spec-driven development |
| 5 | Security Misconfiguration | Security headers, minimal permissions, audit deps |
| 6 | Vulnerable and Outdated Components | npm audit, keep deps updated, minimal deps |
| 7 | Identification and Authentication Failures | Strong passwords, rate limiting, session management |
| 8 | Software and Data Integrity Failures | Verify updates/dependencies, signed artifacts |
| 9 | Security Logging and Monitoring Failures | Log security events, don't log secrets |
| 10 | Server-Side Request Forgery (SSRF) | Validate/allowlist URLs, restrict outbound requests |