Web Security Hardening

Security audit checklist for web applications. Run through each item when reviewing or building web apps.

Audit Workflow

1. Identify the framework (Node.js/Express, Python/Django/Flask, etc.)
2. Review each checklist item below
3. For implementation details, see framework-specific references:
   • Node.js/Express: See references/nodejs.md
   • Python/Django/Flask: See references/python.md
4. For production deployments, see references/production-gcp.md for extended checklist covering:
   • GCP infrastructure (IAM, networking, secrets)
   • CI/CD pipeline security
   • Monitoring & incident response
5. Report findings with severity and remediation steps

Security Checklist

1. Rate Limiting

Risk: DoS attacks, brute force attempts, API abuse

Check for:

• Per-endpoint rate limits (stricter on auth endpoints)
• Rate limit headers in responses (X-RateLimit-*)
• Appropriate limits for different user tiers

2. Security & Authorization Headers

Risk: XSS, clickjacking, MIME sniffing, info leakage

Required headers:

• Strict-Transport-Security (HSTS)
• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY or SAMEORIGIN
• Content-Security-Policy
• Authorization header validation on protected routes

3. IP Block List (Public APIs)

Risk: Abuse from known bad actors, bot traffic

Check for:

• IP-based blocking mechanism
• Integration with threat intelligence feeds (optional)
• Logging of blocked requests

4. CORS Configuration

Risk: Unauthorized cross-origin requests, data theft

Check for:

• Explicit origin whitelist (not * in production)
• Appropriate methods and headers allowed
• Credentials handling if needed

5. Security Middleware

Risk: Common web vulnerabilities

Check for framework-appropriate middleware:

• Node.js: helmet
• Python: django-secure, flask-talisman
• Sets multiple security headers automatically

6. Input Validation

Risk: Injection attacks, data corruption, XSS

Check for:

• Frontend validation (UX, not security)
• Backend validation (required for security)
• Schema validation libraries (Zod, Joi, Pydantic, etc.)
• Sanitization of user input before storage/display

7. File Upload Limits

Risk: Storage exhaustion, malicious file uploads

Check for:

• Max file size limits
• Allowed file type restrictions (MIME + extension)
• File content validation (magic bytes)
• Secure storage location (outside webroot)

8. ORM for Database Access

Risk: SQL injection

Check for:

• Parameterized queries (never string concatenation)
• ORM usage (Prisma, Sequelize, SQLAlchemy, Django ORM)
• If raw SQL needed: prepared statements only

9. Password Hashing

Risk: Credential theft, rainbow table attacks

Check for:

• Strong algorithm: bcrypt, Argon2, or scrypt
• Appropriate cost factor (bcrypt rounds ≥10)
• No MD5, SHA1, or plain SHA256 for passwords
• No plaintext password storage or logging

Audit Report Format

## Security Audit: [App Name]

### Summary
- **Items Passing**: X/9
- **Critical Issues**: X
- **Recommendations**: X

### Findings

#### [Item Name] - [PASS/FAIL/PARTIAL]
**Severity**: Critical/High/Medium/Low
**Finding**: [Description]
**Location**: [File/endpoint]
**Remediation**: [Steps to fix]