Rodin 1eac5d3bcc Add CSP, file upload, open redirect, clickjacking patterns
Complete security patterns collection (23 total):
- csp.md: nonces, hashes, strict-dynamic, reporting
- file-upload.md: content validation, path traversal, malware scanning
- open-redirect.md: URL validation, OAuth redirect URI, bypass techniques
- clickjacking.md: X-Frame-Options, frame-ancestors CSP

Comprehensive coverage for web application security review.
2026-05-10 23:24:52 -07:00

Security Patterns

Scannable patterns for security code review. Each file has:

  • Rule — what to do
  • Correct Pattern — code that works (Python)
  • Incorrect Pattern — common mistakes
  • Edge Cases — gotchas

Based on OWASP Top 10:2025 and recent security research.

Patterns

Fundamentals

| File | Topic | OWASP 2025 |
|---|---|---|
| secure-defaults.md | Fail closed, deny by default, defense in depth | A06 |
| input-validation.md | Allowlist > blocklist, validate at boundaries | A03 |
| credential-handling.md | No hardcoded secrets, environment/secret manager | |
| audit-logging.md | What to log, what not to log | A09 |
| error-handling.md | Fail closed, no sensitive info in errors | A10 |

Identity & Session

| File | Topic | OWASP 2025 |
|---|---|---|
| authentication.md | Passwords, tokens, MFA, brute force protection | A07 |
| authorization.md | Permission checks, IDOR prevention, privilege escalation | A01 |
| jwt-security.md | Algorithm confusion, weak secrets, expiration | A07 |
| session-management.md | Session fixation, hijacking, secure cookies | A07 |

Injection & Request Attacks

| File | Topic | OWASP 2025 |
|---|---|---|
| injection-prevention.md | SQL, command, template, path traversal | A05 |
| ssrf.md | Server-side request forgery, metadata endpoints | A10 |
| xxe.md | XML external entities, DTD attacks | A05 |
| deserialization.md | Untrusted data deserialization, pickle, yaml | A08 |
| open-redirect.md | URL validation, OAuth redirect URI | A01 |

Client-Side Security

| File | Topic | OWASP 2025 |
|---|---|---|
| csp.md | Content Security Policy, nonces, hashes | A05 |
| cors.md | Origin validation, credential handling | A01 |
| clickjacking.md | X-Frame-Options, frame-ancestors | A01 |

Application Logic

| File | Topic | OWASP 2025 |
|---|---|---|
| race-conditions.md | TOCTOU, atomic check-and-act, database locks | |
| dos-prevention.md | Rate limiting, resource bounds, algorithmic complexity | |
| file-upload.md | Content validation, safe storage, malware scanning | A04 |

AI/LLM Security

| File | Topic | OWASP 2025 |
|---|---|---|
| prompt-injection.md | LLM security, data/instruction separation | |

Infrastructure

| File | Topic | OWASP 2025 |
|---|---|---|
| supply-chain.md | SBOM, dependency scanning, signed packages | A03 |
| cryptography.md | Strong algorithms, key management, TLS | A04 |

OWASP Top 10:2025 Coverage

| # | Category | Patterns |
|---|---|---|
| A01 | Broken Access Control | authorization, cors, clickjacking, open-redirect |
| A02 | Security Misconfiguration | secure-defaults |
| A03 | Software Supply Chain Failures | supply-chain |
| A04 | Cryptographic Failures | cryptography, file-upload |
| A05 | Injection | injection-prevention, xxe, csp |
| A06 | Insecure Design | secure-defaults |
| A07 | Authentication Failures | authentication, jwt-security, session-management |
| A08 | Software or Data Integrity Failures | deserialization |
| A09 | Security Logging and Alerting Failures | audit-logging |
| A10 | Mishandling of Exceptional Conditions | error-handling, ssrf |

Sources

Usage

Reference these patterns when building or reviewing systems. Code examples are in Python for universal model comprehension; concepts apply to any language.

Description
Security patterns for code review — credentials, validation, injection, DOS, prompt injection