# Security Review Checklist

Focused prompts for code review. Models know *what* these are - this is a checklist to ensure nothing is missed.

## Input & Validation

- [ ] All external input validated (allowlist preferred over blocklist)
- [ ] SQL/NoSQL queries use parameterized statements, never string interpolation
- [ ] Command execution avoids shell when possible; if required, use allowlist for commands/args
- [ ] Path traversal prevented (resolve base + canonicalize + verify prefix)
- [ ] XML parsing disables external entities (XXE)
- [ ] Deserialization uses safe formats (JSON) or strict type allowlists

## Authentication & Sessions

- [ ] Passwords hashed with bcrypt/argon2/scrypt (not sha256/md5)
- [ ] Timing-safe comparison for secrets (`hmac.compare_digest`, `crypto.timingSafeEqual`)
- [ ] Session tokens cryptographically random, sufficient entropy (≥128 bits)
- [ ] Session invalidated on logout and password change
- [ ] JWT: verify signature, check `exp`/`iat`/`nbf`, validate `iss`/`aud`, reject `alg: none`
- [ ] MFA for sensitive operations

## Authorization

- [ ] Server-side enforcement (never trust client for authz)
- [ ] Check ownership on every resource access (IDOR prevention)
- [ ] Principle of least privilege for service accounts and API keys
- [ ] Admin functions have explicit role checks

## Secrets & Credentials

- [ ] No hardcoded secrets in code or config files
- [ ] Secrets loaded from environment/vault at runtime
- [ ] API keys have minimal scopes
- [ ] Credentials never logged (even at debug level)

## Request Handling

- [ ] SSRF: validate/allowlist URLs before server-side requests; block internal IPs
- [ ] Open redirect: validate redirect targets against allowlist
- [ ] CSRF tokens on state-changing operations
- [ ] Rate limiting on authentication and expensive endpoints
- [ ] Request size limits enforced

## Response & Headers

- [ ] CSP header set (`script-src`, `default-src`)
- [ ] CORS: explicit origin allowlist, avoid `*` with credentials
- [ ] `X-Frame-Options` or CSP `frame-ancestors` (clickjacking)
- [ ] Sensitive data not in URLs (appears in logs/referer)
- [ ] Error messages don't leak internals (stack traces, SQL, file paths)

## Concurrency & State

- [ ] Race conditions: use transactions or locks for check-then-act patterns
- [ ] TOCTOU: verify state at moment of action, not before
- [ ] Idempotency keys for payment/critical operations
- [ ] Optimistic locking where appropriate

## File Operations

- [ ] Upload: validate content type (magic bytes, not just extension)
- [ ] Upload: store outside webroot or with non-executable permissions
- [ ] Upload: generate random filenames, don't use user-provided names
- [ ] Serve user content with `Content-Disposition: attachment` or from a separate domain

## Logging & Audit

- [ ] Security events logged: auth success/failure, privilege changes, sensitive access
- [ ] Logs don't contain secrets, tokens, or full credentials
- [ ] Logs are immutable/append-only for forensics
- [ ] Structured logging with correlation IDs

## Dependencies & Supply Chain

- [ ] Dependencies pinned to exact versions
- [ ] Lockfile committed and verified in CI
- [ ] Dependency audit in CI pipeline
- [ ] Minimal dependencies (smaller attack surface)

## AI/LLM Specific

- [ ] User input clearly delimited from system instructions
- [ ] Output validation before tool execution
- [ ] Rate limiting on LLM-powered features
- [ ] No secrets accessible to LLM context

---

## When to Escalate

Flag for human security review if:

- Crypto implementation (not just usage of established libraries)
- Authentication/authorization architecture changes
- New external integrations with sensitive data
- Payment or financial transaction handling
- Changes to logging/audit infrastructure
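As a worked version of the Input & Validation item "Path traversal prevented (resolve base + canonicalize + verify prefix)", here is an added Python example that is not part of the original checklist; the base directory `/srv/app/uploads` and the sample inputs are constructed. It goes a step beyond the one-liner by showing the two inputs a bare `str.startswith` prefix check gets wrong: a sibling directory whose name shares the base as a prefix, and a symlink inside the base that points outside it.

```python
import tempfile
from pathlib import Path

def safe_join(base: Path, user_path: str) -> Path:
    """Join user_path under base, canonicalize, then verify the prefix.
    Raises ValueError if the canonical result lies outside base."""
    base_resolved = base.resolve()
    # An absolute user_path replaces the base in pathlib's '/' operator;
    # the prefix check below then rejects it rather than silently re-rooting.
    candidate = (base_resolved / user_path).resolve()
    # relative_to compares whole segments, so a sibling such as "<base>_evil"
    # is rejected where str.startswith(str(base)) would accept it.
    try:
        candidate.relative_to(base_resolved)
    except ValueError:
        raise ValueError(f"path escapes base: {user_path!r}") from None
    return candidate


def classify(base, user_paths: list[str]) -> dict[str, bool]:
    """Map each input to True (accepted) or False (rejected); base is str or Path."""
    base = Path(base)
    results = {}
    for p in user_paths:
        try:
            safe_join(base, p)
            results[p] = True
        except ValueError:
            results[p] = False
    return results


def symlink_escape_is_rejected() -> bool:
    """A symlink inside the base that points outside it passes a naive
    string check and is only caught after canonicalization."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        secret = Path(tmp) / "secret.txt"
        secret.write_text("not for download")
        (base / "link").symlink_to(secret)
        naive_ok = str(base / "link").startswith(str(base))
        return naive_ok and not classify(base, ["link"])["link"]


if __name__ == "__main__":
    root = Path("/srv/app/uploads")  # constructed base; need not exist
    print(classify(root, ["report.pdf", "2024/q1.csv", "../../etc/passwd",
                          "/etc/passwd", "../uploads_evil/x"]))
    print("symlink escape rejected:", symlink_escape_is_rejected())
```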