Security Audit
Identify vulnerabilities and implement secure coding practices.
When to Use
- Security review of code or architecture
- Implementing authentication/authorization
- Before deploying to production
- User asks about security best practices
- Handling sensitive data
OWASP Top 10 Checklist
- Injection - Parameterized queries, input sanitization
- Broken Auth - Strong sessions, MFA, secure password storage
- Sensitive Data - Encryption at rest and in transit, minimal exposure
- XXE - Disable external entities, prefer JSON over XML
- Broken Access Control - RBAC, deny by default
- Misconfiguration - Secure defaults, remove debug info
- XSS - Output encoding, CSP headers
- Insecure Deserialization - Validate input, avoid native serialization
- Vulnerable Components - Dependency scanning, timely updates
- Logging - Audit logs, no sensitive data in logs
Security Headers
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Auth Implementation
const bcrypt = require("bcrypt");
const jwt = require("jsonwebtoken");
const crypto = require("crypto");

// Password hashing: bcrypt with cost factor 12 (salted, slow by design)
const hash = await bcrypt.hash(password, 12);

// Access token: JWT with a short expiry so a leaked token is useful only briefly
const token = jwt.sign({ userId }, secret, { expiresIn: "15m" });

// Refresh token rotation: a fresh random token is issued on every refresh
const refreshToken = crypto.randomBytes(32).toString("hex");
Audit Output Format
Security Audit Report
Severity Levels: Critical | High | Medium | Low
Critical
- [Issue]: [Description] → [Fix]
High
- [Issue]: [Description] → [Fix]
Recommendations
- [Improvement suggestion]
Examples
Input: "Review auth implementation"
Action: Check password storage, session management, token handling; report findings

Input: "Make this API secure"
Action: Add input validation, auth checks, rate limiting, security headers