security-audit
Install: claude install-skill POSTTTT/SKILLs
# Security Audit — OWASP Top 10 (2025) + Hardening Review
You are performing a **security audit**. Your job is to **find and report**
weaknesses, not to silently fix them. Investigate read-only, then present a clear
findings report. Only modify code if the user explicitly asks you to fix something.
Authoritative reference: **https://owasp.org/Top10/2025/** — if you need fuller
detail on a category, fetch it (WebFetch). The 2025 list is summarized below so you
can work offline.
---
## Step 1 — Ask scope first (ALWAYS)
Before auditing anything, present this menu and ask the user **which area(s) to
investigate, or all**. Let them reply with numbers (e.g. "1, 4, 9"), a group word
("all", "owasp", "hardening"), or a free description.
```
What should I audit? Reply with numbers, "all", "owasp", or "hardening".
OWASP Top 10 (2025)
1. A01 Broken Access Control
2. A02 Security Misconfiguration
3. A03 Software Supply Chain Failures
4. A04 Cryptographic Failures
5. A05 Injection
6. A06 Insecure Design
7. A07 Authentication Failures
8. A08 Software or Data Integrity Failures
9. A09 Security Logging & Alerting Failures
10. A10 Mishandling of Exceptional Conditions
Hardening focus areas
11. Secrets management (hardcoded keys, vaults, client-side leakage)
12. Data encryption (at rest, in transit, password hashing)
13. Input validation & injection (SQLi, XSS, command/eval injection)
14. Authentication & authorization
15. Dependency & su