creator/claudekit
1
0
Fork 0
mirror of https://github.com/duthaho/claudekit.git synced 2026-06-10 12:14:57 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
44a3a2835d700d2a3945e63b14e09eea072052c7
claudekit/skills/owasp/templates/security-checklist.md
T
duthaho d1a6d2a2bc feat: improved the Claude Kit as a plugin
2026-04-19 14:10:38 +07:00

3.4 KiB
Raw Blame History

Security Code Review Checklist

Project: _______________ Reviewer: _______________ Date: _______________ Scope: _______________

Authentication and Session Management

  • Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
  • Session tokens are cryptographically random
  • Session cookies use Secure, HttpOnly, SameSite flags
  • Session timeout is enforced (idle and absolute)
  • Failed login attempts are rate-limited
  • MFA is available for sensitive accounts
  • Password reset tokens expire and are single-use

Authorization and Access Control

  • Access denied by default (allowlist approach)
  • Server-side authorization on every request
  • Resource ownership verified before access
  • Role/permission checks cannot be bypassed via direct URL
  • Admin endpoints have separate authentication
  • CORS policy restricts allowed origins

Input Validation

  • All user input validated server-side
  • Parameterized queries used for all database access
  • No string concatenation in SQL/commands
  • File uploads validated (type, size, content)
  • Path traversal prevented on file operations
  • JSON/XML parsers configured against XXE

Output Encoding

  • HTML output properly escaped (XSS prevention)
  • Content-Type headers set correctly on all responses
  • API responses do not leak stack traces in production
  • Error messages do not reveal system internals
  • Sensitive data excluded from logs

Cryptography

  • TLS 1.2+ enforced for all connections
  • Sensitive data encrypted at rest
  • No hardcoded secrets, keys, or passwords in source
  • Secrets loaded from environment variables or vault
  • Strong algorithms used (AES-256, RSA-2048+, SHA-256+)
  • No custom cryptographic implementations

Security Headers

  • Content-Security-Policy configured
  • Strict-Transport-Security enabled
  • X-Frame-Options set to DENY
  • X-Content-Type-Options set to nosniff
  • Referrer-Policy configured
  • Permissions-Policy restricts unused features

Dependencies

  • No known vulnerabilities (npm audit / pip audit clean)
  • Unused dependencies removed
  • Dependencies pinned to specific versions
  • Lock file committed and up to date

Logging and Monitoring

  • Authentication events logged (success and failure)
  • Authorization failures logged
  • Sensitive data not written to logs
  • Log injection prevented (user input sanitized in logs)
  • Alerts configured for suspicious patterns

API Security

  • Rate limiting on all public endpoints
  • Request size limits configured
  • API keys/tokens not exposed in URLs
  • Pagination enforced on list endpoints
  • HTTPS required (HTTP redirects or blocks)

Infrastructure

  • Debug mode disabled in production
  • Default credentials changed
  • Unnecessary ports/services disabled
  • Container runs as non-root user
  • Environment variables not logged at startup

Summary

Category Pass Fail N/A
Authentication
Authorization
Input Validation
Output Encoding
Cryptography
Security Headers
Dependencies
Logging
API Security
Infrastructure

Overall Assessment: [ ] Pass / [ ] Conditional Pass / [ ] Fail

Notes:

Follow-up Actions:

Reference in New Issue View Git Blame Copy Permalink