Install: claude install-skill NewAbra/auto-co-meta
# Code Review Security
## When to Use
Activate this skill when:
- Reviewing pull requests for security vulnerabilities
- Auditing authentication or authorization code changes
- Reviewing code that handles user input, file uploads, or external data
- Checking for OWASP Top 10 vulnerabilities in new features
- Validating that secrets are not committed to the repository
- Scanning dependencies for known vulnerabilities
- Reviewing API endpoints that expose sensitive data
**Output:** Write findings to `security-review.md` with severity, file:line, description, and recommendations.
Do NOT use this skill for:
- Deployment infrastructure security (use `docker-best-practices`)
- Incident response procedures (use `incident-response`)
- General code quality review without security focus (use `pre-merge-checklist`)
- Writing implementation code (use `python-backend-expert` or `react-frontend-expert`)
## Instructions
### OWASP Top 10 Checklist
Review every PR against the OWASP Top 10 (2021 edition). Each category below includes specific checks for Python/FastAPI and React codebases.
---
#### A01: Broken Access Control
**What to look for:**
- Missing authorization checks on endpoints
- Direct object reference without ownership verification
- Endpoints that expose data without role-based filtering
- Missing `Depends()` for auth on new routes
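As an added illustration of the first three checks (not part of this skill's own check list), the snippet below contrasts an IDOR-style lookup with an ownership-verified, role-filtered version. It is plain Python so it runs without FastAPI installed; in a real FastAPI route `current_user` would be supplied by a `Depends()` auth dependency and `Forbidden` would be an `HTTPException(403)`. The record store, users and field names are constructed for the example.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Stands in for HTTPException(status_code=403) in a FastAPI app."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass
class Record:
    id: int
    owner_id: int
    body: str
    ssn: str  # sensitive field; only owner or admin may see it


# Constructed in-memory store standing in for the database.
RECORDS = {
    1: Record(1, owner_id=10, body="alice's note", ssn="xxx-xx-1111"),
    2: Record(2, owner_id=20, body="bob's note", ssn="xxx-xx-2222"),
}


def get_record_bad(record_id: int, current_user: User) -> Record:
    """BAD: caller is authenticated, but ownership is never checked (IDOR)."""
    return RECORDS[record_id]


def can_access(current_user: User, owner_id: int) -> bool:
    """Ownership verification: owner of the row, or an admin."""
    return current_user.role == "admin" or current_user.id == owner_id


def get_record_good(record_id: int, current_user: User) -> dict:
    """GOOD: look up the row, then refuse unless the caller may see it."""
    rec = RECORDS[record_id]
    if not can_access(current_user, rec.owner_id):
        raise Forbidden(f"user {current_user.id} may not read record {record_id}")
    return {"id": rec.id, "owner_id": rec.owner_id, "body": rec.body, "ssn": rec.ssn}


def list_records_good(current_user: User) -> list:
    """GOOD: role-based filtering -- non-admins only see rows they own."""
    if current_user.role == "admin":
        return sorted(RECORDS)
    return sorted(r.id for r in RECORDS.values() if r.owner_id == current_user.id)
```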
**Python/FastAPI checks:**
```python
# BAD: No authorization check -- any authenticated user can access any user
@router.get("/users/{user_