ts-ddd-security-review
Install: claude install-skill Methasit-Pun/ts-ddd-clean-architecture
# Security Review — TypeScript DDD
## Checklist
**Injection (OWASP A03)**
- All DB queries use parameterized queries or ORM methods — no string interpolation in SQL
- Flag every raw query: `query()`, `$queryRaw()`, raw `createQueryBuilder().where()`
- No `child_process.exec()` with user-controlled input — use `execFile()` with argument array
**Auth & Authorization (OWASP A01, A07)**
- JWT secrets from env vars, not hardcoded; `expiresIn` is set
- Passwords hashed with `bcrypt`/`argon2` (min cost 10) — never `md5`, `sha1`, `sha256` alone
- Every protected endpoint has an auth guard
- Authorization checks at **use case level**, not only at the controller
- Resource ownership verified: `userId` from JWT, not from request body
- Can a non-admin call an admin use case by changing a request param?
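Added example (not the skill's own code) of the three items above enforced inside a use case: the actor identity comes from verified JWT claims, and the ownership and role check lives in the application layer rather than only in the controller. The weak form that trusts a `userId` from the request body is shown beside it. `Actor`, `Order`, the in-memory store and the use-case names are hypothetical.

```typescript
// Added example, not code from the ts-ddd-security-review skill.
// Hypothetical names; the Map stands in for a repository.

type Role = "user" | "admin";

// Built by the auth guard from verified JWT claims, never from the body.
interface Actor {
  userId: string;
  role: Role;
}

interface Order {
  id: string;
  ownerId: string;
  note: string;
}

// Constructed sample data standing in for the repository.
const orders = new Map<string, Order>([
  ["o-1", { id: "o-1", ownerId: "u-alice", note: "" }],
  ["o-2", { id: "o-2", ownerId: "u-bob", note: "" }],
]);

class ForbiddenError extends Error {}
class NotFoundError extends Error {}

// Weak form: the ownership check compares against a userId the caller
// supplied in the request body, so the check verifies nothing.
function updateOrderNoteUnsafe(body: { userId: string; orderId: string; note: string }): Order {
  const order = orders.get(body.orderId);
  if (!order) throw new NotFoundError(body.orderId);
  if (order.ownerId !== body.userId) throw new ForbiddenError("not owner");
  order.note = body.note;
  return order;
}

// Hardened form: identity is the Actor from JWT claims, and the decision
// (owner or admin) is made in the use case, so every entry point is covered.
function updateOrderNote(actor: Actor, input: { orderId: string; note: string }): Order {
  const order = orders.get(input.orderId);
  if (!order) throw new NotFoundError(input.orderId);
  const isOwner = order.ownerId === actor.userId;
  if (!isOwner && actor.role !== "admin") throw new ForbiddenError("not owner or admin");
  order.note = input.note;
  return order;
}
```

A reviewer applying the checklist flags any use case whose signature takes the subject's id from the DTO instead of an `Actor`-style parameter populated by the guard.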
**Sensitive Data (OWASP A02)**
- Passwords/secrets/PII not logged — check `console.log`, logger calls, error serializers
- Response DTOs exclude `passwordHash`, `internalId`, `adminNotes`
- DB connection strings and API keys in env vars; `.env` in `.gitignore`
**Input Validation (OWASP A03, A04)**
- Request bodies validated at presentation layer (`class-validator`, `zod`, `joi`)
- Validation happens before reaching the application layer
- Max length constraints on text fields; file uploads: type-checked, size-limited, outside webroot
- UUID/ID format validated before hitting the repository
**Security Misconfiguration (OWASP A05)**
- CORS not `origin: '*'` in production
- Helmet head