rodin/security-patterns
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
master
security-patterns/README.md
T
Rodin 1eac5d3bcc Add CSP, file upload, open redirect, clickjacking patterns 
Complete security patterns collection (23 total):
- csp.md: nonces, hashes, strict-dynamic, reporting
- file-upload.md: content validation, path traversal, malware scanning
- open-redirect.md: URL validation, OAuth redirect URI, bypass techniques
- clickjacking.md: X-Frame-Options, frame-ancestors CSP

Comprehensive coverage for web application security review.
2026-05-10 23:24:52 -07:00

4.1 KiB
Raw Permalink Blame History

Security Patterns

Scannable patterns for security code review. Each file has:

  • Rule — what to do
  • Correct Pattern — code that works (Python)
  • Incorrect Pattern — common mistakes
  • Edge Cases — gotchas

Based on OWASP Top 10:2025 and recent security research.

Patterns

Fundamentals

File Topic OWASP 2025
secure-defaults.md Fail closed, deny by default, defense in depth A06
input-validation.md Allowlist > blocklist, validate at boundaries A03
credential-handling.md No hardcoded secrets, environment/secret manager
audit-logging.md What to log, what not to log A09
error-handling.md Fail closed, no sensitive info in errors A10

Identity & Session

File Topic OWASP 2025
authentication.md Passwords, tokens, MFA, brute force protection A07
authorization.md Permission checks, IDOR prevention, privilege escalation A01
jwt-security.md Algorithm confusion, weak secrets, expiration A07
session-management.md Session fixation, hijacking, secure cookies A07

Injection & Request Attacks

File Topic OWASP 2025
injection-prevention.md SQL, command, template, path traversal A05
ssrf.md Server-side request forgery, metadata endpoints A10
xxe.md XML external entities, DTD attacks A05
deserialization.md Untrusted data deserialization, pickle, yaml A08
open-redirect.md URL validation, OAuth redirect URI A01

Client-Side Security

File Topic OWASP 2025
csp.md Content Security Policy, nonces, hashes A05
cors.md Origin validation, credential handling A01
clickjacking.md X-Frame-Options, frame-ancestors A01

Application Logic

File Topic OWASP 2025
race-conditions.md TOCTOU, atomic check-and-act, database locks
dos-prevention.md Rate limiting, resource bounds, algorithmic complexity
file-upload.md Content validation, safe storage, malware scanning A04

AI/LLM Security

File Topic OWASP 2025
prompt-injection.md LLM security, data/instruction separation

Infrastructure

File Topic OWASP 2025
supply-chain.md SBOM, dependency scanning, signed packages A03
cryptography.md Strong algorithms, key management, TLS A04

OWASP Top 10:2025 Coverage

# Category Patterns
A01 Broken Access Control authorization, cors, clickjacking, open-redirect
A02 Security Misconfiguration secure-defaults
A03 Software Supply Chain Failures supply-chain
A04 Cryptographic Failures cryptography, file-upload
A05 Injection injection-prevention, xxe, csp
A06 Insecure Design secure-defaults
A07 Authentication Failures authentication, jwt-security, session-management
A08 Software or Data Integrity Failures deserialization
A09 Security Logging and Alerting Failures audit-logging
A10 Mishandling of Exceptional Conditions error-handling, ssrf

Sources

Usage

Reference these patterns when building or reviewing systems. Code examples are in Python for universal model comprehension; concepts apply to any language.

Reference in New Issue View Git Blame Copy Permalink