Rodin 17c535bc61 Add session management, CORS, XXE patterns
Complete the security patterns collection:
- session-management.md: fixation, hijacking, secure cookies, concurrent sessions
- cors.md: origin validation, reflected origin attacks, preflight caching
- xxe.md: external entities, DTD attacks, language-specific fixes

Now 19 patterns covering comprehensive web application security.
2026-05-10 23:20:36 -07:00

Security Patterns

Scannable patterns for security code review. Each file has:

  • Rule — what to do
  • Correct Pattern — code that works (Python)
  • Incorrect Pattern — common mistakes
  • Edge Cases — gotchas

Based on OWASP Top 10:2025 and recent security research.

Patterns

Fundamentals

| File | Topic | OWASP 2025 |
|------|-------|------------|
| secure-defaults.md | Fail closed, deny by default, defense in depth | A06 |
| input-validation.md | Allowlist > blocklist, validate at boundaries | A03 |
| credential-handling.md | No hardcoded secrets, environment/secret manager | |
| audit-logging.md | What to log, what not to log | A09 |
| error-handling.md | Fail closed, no sensitive info in errors | A10 |

Identity & Session

| File | Topic | OWASP 2025 |
|------|-------|------------|
| authentication.md | Passwords, tokens, MFA, brute force protection | A07 |
| authorization.md | Permission checks, IDOR prevention, privilege escalation | A01 |
| jwt-security.md | Algorithm confusion, weak secrets, expiration | A07 |
| session-management.md | Session fixation, hijacking, secure cookies | A07 |

Attack Prevention

| File | Topic | OWASP 2025 |
|------|-------|------------|
| injection-prevention.md | SQL, command, template, path traversal | A05 |
| ssrf.md | Server-side request forgery, metadata endpoints | A10 |
| xxe.md | XML external entities, DTD attacks | A05 |
| dos-prevention.md | Rate limiting, resource bounds, algorithmic complexity | |
| prompt-injection.md | LLM security, data/instruction separation | |
| deserialization.md | Untrusted data deserialization, pickle, yaml | A08 |
| race-conditions.md | TOCTOU, atomic check-and-act, database locks | |
| cors.md | Origin validation, credential handling | A01 |

Infrastructure

| File | Topic | OWASP 2025 |
|------|-------|------------|
| supply-chain.md | SBOM, dependency scanning, signed packages | A03 |
| cryptography.md | Strong algorithms, key management, TLS | A04 |

OWASP Top 10:2025 Coverage

| # | Category | Pattern |
|---|----------|---------|
| A01 | Broken Access Control | authorization.md, cors.md |
| A02 | Security Misconfiguration | secure-defaults.md |
| A03 | Software Supply Chain Failures | supply-chain.md |
| A04 | Cryptographic Failures | cryptography.md |
| A05 | Injection | injection-prevention.md, xxe.md |
| A06 | Insecure Design | secure-defaults.md |
| A07 | Authentication Failures | authentication.md, jwt-security.md, session-management.md |
| A08 | Software or Data Integrity Failures | deserialization.md |
| A09 | Security Logging and Alerting Failures | audit-logging.md |
| A10 | Mishandling of Exceptional Conditions | error-handling.md, ssrf.md |

Sources

Usage

Reference these patterns when building or reviewing systems. Code examples are in Python for universal model comprehension; concepts apply to any language.
