Security Audit
Identify vulnerabilities and implement secure coding practices.
When to Use
- Security review of code or architecture
- Implementing authentication/authorization
- Before deploying to production
- User asks about security best practices
- Handling sensitive data
OWASP Top 10 Checklist
- Injection - Parameterized queries, input sanitization
- Broken Auth - Strong sessions, MFA, secure password storage
- Sensitive Data - Encryption at rest and transit, minimal exposure
- XXE - Disable external entities, use JSON over XML
- Broken Access Control - RBAC, deny by default
- Misconfiguration - Secure defaults, remove debug info
- XSS - Output encoding, CSP headers
- Insecure Deserialization - Validate input, avoid native serialization
- Vulnerable Components - Dependency scanning, updates
- Logging - Audit logs, no sensitive data in logs
Security Headers
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Auth Implementation
// Password hashing
const hash = await bcrypt.hash(password, 12);
// JWT with short expiry
const token = jwt.sign({ userId }, secret, { expiresIn: "15m" });
// Refresh token rotation
const refreshToken = crypto.randomBytes(32).toString("hex");
Audit Output Format
## Security Audit Report
**Severity Levels:** Critical | High | Medium | Low
### Critical
- [Issue]: [Description] → [Fix]
### High
- [Issue]: [Description] → [Fix]
### Recommendations
- [Improvement suggestion]
Examples
Input: "Review auth implementation" Action: Check password storage, session management, token handling, report findings
Input: "Make this API secure" Action: Add input validation, auth checks, rate limiting, security headers