Security audit checklist covering OWASP Top 10, authentication, and secure coding practices.
Usage
After installing, this skill will be available to your AI coding assistant.
Verify installation:
`skills list`
Skill Instructions
name: security-checklist
description: Security audit checklist covering OWASP Top 10, authentication, and secure coding practices.
Security Checklist
Quick reference checklist for security audits.
1. OWASP Top 10 (2021+)
A01: Broken Access Control
- Authorization on all protected routes
- Deny by default
- Rate limiting implemented
- CORS properly configured
A02: Cryptographic Failures
- Passwords hashed (bcrypt/argon2, cost 12+)
- Sensitive data encrypted at rest
- TLS 1.2+ for all connections
- No secrets in code/logs
A03: Injection
- Parameterized queries
- Input validation on all user data
- Output encoding for XSS
- No eval() or dynamic code execution
A04: Insecure Design
- Threat modeling done
- Security requirements defined
- Business logic validated
A05: Security Misconfiguration
- Unnecessary features disabled
- Error messages sanitized
- Security headers configured
- Default credentials changed
A06: Vulnerable Components
- Dependencies up to date
- No known vulnerabilities
- Unused dependencies removed
A07: Authentication Failures
- MFA available
- Session invalidation on logout
- Session timeout implemented
- Brute force protection
A08: Integrity Failures
- Dependency integrity verified
- CI/CD pipeline secured
- Update mechanism secured
A09: Logging Failures
- Security events logged
- Logs protected
- No sensitive data in logs
- Alerting configured
A10: SSRF
- URL validation implemented
- Allow-list for external calls
- Network segmentation
2. Authentication Checklist
- Strong password policy
- Account lockout
- Secure password reset
- Session management
- Token expiration
- Logout invalidation
3. API Security Checklist
- Authentication required
- Authorization per endpoint
- Input validation
- Rate limiting
- Output sanitization
- Error handling
4. Data Protection Checklist
- Encryption at rest
- Encryption in transit
- Key management
- Data minimization
- Secure deletion
5. Security Headers
| Header | Purpose |
|---|---|
| Content-Security-Policy | XSS prevention |
| X-Content-Type-Options | MIME sniffing |
| X-Frame-Options | Clickjacking |
| Strict-Transport-Security | Force HTTPS |
| Referrer-Policy | Referrer control |
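As an added example that is not part of the skill, the Python below audits a captured response header set against the table above. The header names come from the table; the value thresholds (HSTS max-age of at least one year, no 'unsafe-inline' or 'unsafe-eval' in the script policy, a Referrer-Policy that does not send the full URL cross-origin) are this example's own assumptions.

```python
# Added example (not from the skill): audit a response header set against the
# Section 5 table. Value thresholds are this example's assumptions, not the
# checklist's text.
import re

SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

def check_csp(value):
    # Prefer script-src; fall back to default-src, which governs scripts when script-src is absent.
    for directive in ("script-src", "default-src"):
        m = re.search(r"(?:^|;)\s*%s\s([^;]*)" % directive, value, re.I)
        if m:
            src = m.group(1).lower()
            if "'unsafe-inline'" in src or "'unsafe-eval'" in src:
                return "script policy permits unsafe-inline/unsafe-eval"
            return None
    return "no script-src or default-src directive"

def check_hsts(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "no max-age"
    return None if int(m.group(1)) >= 31536000 else "max-age below one year"

CHECKS = {
    "Content-Security-Policy": check_csp,
    "X-Content-Type-Options": lambda v: None if v.strip().lower() == "nosniff" else "expected nosniff",
    "X-Frame-Options": lambda v: None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "expected DENY or SAMEORIGIN",
    "Strict-Transport-Security": check_hsts,
    "Referrer-Policy": lambda v: None if v.strip().lower() in SAFE_REFERRER else "policy leaks full URL cross-origin",
}

def audit_headers(headers):
    # Returns {header: (status, detail)} with status 'ok', 'missing' or 'weak'.
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    result = {}
    for name, check in CHECKS.items():
        value = lowered.get(name.lower())
        problem = "header not set" if value is None else check(value)
        status = "missing" if value is None else ("weak" if problem else "ok")
        result[name] = (status, problem or "present and sane")
    return result

# Constructed sample: weak CSP and HSTS, leaky Referrer-Policy, X-Frame-Options absent.
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
}
```

Running `audit_headers(SAMPLE_HEADERS)` flags three weak headers and one missing one; only X-Content-Type-Options passes.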
6. Audit Commands Reference
| Check | What to Look For |
|---|---|
| Secrets in code | password, api_key, secret |
| Dangerous patterns | eval, innerHTML, SQL concat |
| Dependency issues | npm audit, snyk |
Remember: Checklists catch obvious issues. Deep testing requires methodology.