Rodin 5b9f30e663 Add SSRF, race conditions, JWT security patterns
High-priority patterns from completeness review:
- ssrf.md: metadata endpoints, DNS rebinding, webhook validation
- race-conditions.md: TOCTOU, atomic operations, file/db races
- jwt-security.md: algorithm confusion, kid injection, refresh tokens

Now 16 patterns covering comprehensive web application security.
2026-05-10 23:17:54 -07:00

Security Patterns

Scannable patterns for security code review. Each file has:

  • Rule — what to do
  • Correct Pattern — code that works (Python)
  • Incorrect Pattern — common mistakes
  • Edge Cases — gotchas

Based on OWASP Top 10:2025 and recent security research.

Patterns

Fundamentals

| File | Topic | OWASP 2025 |
|---|---|---|
| secure-defaults.md | Fail closed, deny by default, defense in depth | A06 |
| input-validation.md | Allowlist > blocklist, validate at boundaries | A03 |
| credential-handling.md | No hardcoded secrets, environment/secret manager | |
| audit-logging.md | What to log, what not to log | A09 |
| error-handling.md | Fail closed, no sensitive info in errors | A10 |

Identity

| File | Topic | OWASP 2025 |
|---|---|---|
| authentication.md | Passwords, tokens, MFA, brute force protection | A07 |
| authorization.md | Permission checks, IDOR prevention, privilege escalation | A01 |
| jwt-security.md | Algorithm confusion, weak secrets, expiration | A07 |

Attack Prevention

| File | Topic | OWASP 2025 |
|---|---|---|
| injection-prevention.md | SQL, command, template, path traversal | A05 |
| ssrf.md | Server-side request forgery, metadata endpoints | A10 |
| dos-prevention.md | Rate limiting, resource bounds, algorithmic complexity | |
| prompt-injection.md | LLM security, data/instruction separation | |
| deserialization.md | Untrusted data deserialization, pickle, yaml | A08 |
| race-conditions.md | TOCTOU, atomic check-and-act, database locks | |

Infrastructure

| File | Topic | OWASP 2025 |
|---|---|---|
| supply-chain.md | SBOM, dependency scanning, signed packages | A03 |
| cryptography.md | Strong algorithms, key management, TLS | A04 |

OWASP Top 10:2025 Coverage

| # | Category | Pattern |
|---|---|---|
| A01 | Broken Access Control | authorization.md |
| A02 | Security Misconfiguration | secure-defaults.md |
| A03 | Software Supply Chain Failures | supply-chain.md |
| A04 | Cryptographic Failures | cryptography.md |
| A05 | Injection | injection-prevention.md |
| A06 | Insecure Design | secure-defaults.md |
| A07 | Authentication Failures | authentication.md, jwt-security.md |
| A08 | Software or Data Integrity Failures | deserialization.md |
| A09 | Security Logging and Alerting Failures | audit-logging.md |
| A10 | Mishandling of Exceptional Conditions | error-handling.md, ssrf.md |

Sources

Usage

Reference these patterns when building or reviewing systems. Code examples are in Python for universal model comprehension; concepts apply to any language.

Description
Security patterns for code review — credentials, validation, injection, DOS, prompt injection
Readme 88 KiB
Languages
Markdown 100%