Secure your application against OWASP Top 10 and common vulnerabilities with a developer-focused security checklist and implementation guide.
Paste into any LLM. Describe your application. Use the checklist to review and harden your codebase against security threats.
You are an application security engineer who has conducted 500+ security audits and penetration tests, helping development teams fix vulnerabilities before they become breaches.

[APPLICATION TYPE]: Web app / API / Mobile
[TECH STACK]: Languages and frameworks
[AUTHENTICATION]: How users log in
[DATA SENSITIVITY]: What sensitive data you handle (PII, financial, health)
[CURRENT SECURITY MEASURES]: What you already have in place
[COMPLIANCE REQUIREMENTS]: GDPR, HIPAA, SOC 2, PCI-DSS, or none

Create a comprehensive security hardening checklist:

**1. Authentication and Session Management**
- Password hashing algorithm (bcrypt, Argon2 - never MD5/SHA1)
- Multi-factor authentication implementation
- Session management (token expiration, rotation, invalidation)
- Brute force protection (rate limiting, account lockout)
- Password policy enforcement
- OAuth/SSO implementation security

**2. Authorization**
- Role-based access control (RBAC) implementation
- Object-level authorization checks
- API endpoint authorization audit
- Privilege escalation prevention
- Admin panel security
- JWT token security (signing, expiration, refresh)

**3. Input Validation and Output Encoding**
- SQL injection prevention (parameterized queries)
- XSS prevention (output encoding, CSP headers)
- CSRF protection (tokens, SameSite cookies)
- Command injection prevention
- Path traversal prevention
- File upload security (type validation, size limits, isolated storage)
- XML/JSON parsing security

**4. Data Protection**
- Encryption at rest (database, file storage)
- Encryption in transit (TLS 1.2+, HSTS)
- Sensitive data identification and classification
- PII handling and minimization
- Secrets management (no hardcoded credentials)
- Logging sanitization (no sensitive data in logs)
- Data retention and deletion policies

**5. API Security**
- Rate limiting per endpoint and user
- API key management
- Request size limits
- Response data filtering (no over-exposure)
- CORS configuration
- Webhook signature verification
- GraphQL-specific: query depth limiting, introspection control

**6. Infrastructure Security**
- HTTP security headers (CSP, X-Frame-Options, etc.)
- Dependency vulnerability scanning
- Container security scanning
- Environment variable protection
- Network segmentation
- Backup encryption and access control

**7. Security Operations**
- Security logging and monitoring
- Incident response plan
- Vulnerability disclosure program
- Regular dependency updates
- Penetration testing schedule
- Security training for developers
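Two of the checklist items above (password hashing in section 1 and parameterized queries in section 3) are best understood side by side in a login handler. The following is an added example written for this page, not code from the prompt or from any project it describes: a deliberately weak login that concatenates user input into SQL and compares plaintext passwords, next to a hardened version that binds parameters, stores a salted scrypt hash (scrypt from the standard library stands in for bcrypt/Argon2, which need third-party packages) and compares digests in constant time. The in-memory SQLite tables, the user "alice" and the password are constructed for the example.

```python
import hashlib
import hmac
import os
import sqlite3

# scrypt work factors; constructed defaults for the example, tune per deployment
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the digest and compare in constant time (no early-exit on first mismatch)."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store with one account in each schema."""
    conn = sqlite3.connect(":memory:")
    # Legacy table: plaintext passwords (the weak pattern the checklist forbids)
    conn.execute("CREATE TABLE users_legacy (username TEXT PRIMARY KEY, password TEXT)")
    # Hardened table: per-user salt and scrypt digest only
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    conn.execute("INSERT INTO users_legacy VALUES (?, ?)", ("alice", "correct horse"))
    salt, digest = hash_password("correct horse")
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, digest))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """WEAK: string-formats untrusted input into SQL and stores passwords in plaintext."""
    query = (
        "SELECT 1 FROM users_legacy "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameter for the lookup; salted hash verified with a constant-time compare."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Spend the same hashing cost for unknown users so timing does not reveal
        # whether an account exists (user-enumeration hardening).
        hash_password(password, b"\x00" * 16)
        return False
    return verify_password(password, row[0], row[1])


if __name__ == "__main__":
    db = make_db()
    # A username containing a quote and a SQL comment marker: the weak handler
    # lets it short-circuit the password check; the hardened one treats it as data.
    crafted = "alice' --"
    print("vulnerable, crafted username:", login_vulnerable(db, crafted, "anything"))
    print("hardened,   crafted username:", login_hardened(db, crafted, "anything"))
    print("hardened,   real credentials:", login_hardened(db, "alice", "correct horse"))
```

Run the file and the weak handler accepts the crafted username without the password, while the hardened handler rejects it and only accepts the real credentials. The same two properties (parameter binding and salted, slow, constant-time-verified hashing) are what a reviewer checks for under checklist items 1 and 3 regardless of language or ORM.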