Security Audit

Identify vulnerabilities and implement secure coding practices.

When to Use

• Security review of code or architecture

• Implementing authentication/authorization

• Before deploying to production

• User asks about security best practices

• Handling sensitive data

OWASP Top 10 Checklist

• Injection - Parameterized queries, input sanitization

• Broken Auth - Strong sessions, MFA, secure password storage

• Sensitive Data - Encryption at rest and transit, minimal exposure

• XXE - Disable external entities, use JSON over XML

• Broken Access Control - RBAC, deny by default

• Misconfiguration - Secure defaults, remove debug info

• XSS - Output encoding, CSP headers

• Insecure Deserialization - Validate input, avoid native serialization

• Vulnerable Components - Dependency scanning, updates

• Logging - Audit logs, no sensitive data in logs

Security Headers

Content-Security-Policy: default-src 'self' X-Content-Type-Options: nosniff X-Frame-Options: DENY Strict-Transport-Security: max-age=31536000; includeSubDomains

Auth Implementation

// Password hashing const hash = await bcrypt.hash(password, 12);

// JWT with short expiry const token = jwt.sign({ userId }, secret, { expiresIn: "15m" });

// Refresh token rotation const refreshToken = crypto.randomBytes(32).toString("hex");

Audit Output Format

Security Audit Report

Severity Levels: Critical | High | Medium | Low

Critical

• [Issue]: [Description] → [Fix]

High

• [Issue]: [Description] → [Fix]

Recommendations

• [Improvement suggestion]

Examples

Input: "Review auth implementation" Action: Check password storage, session management, token handling, report findings

Input: "Make this API secure" Action: Add input validation, auth checks, rate limiting, security headers