Install: claude install-skill aiskillstore/marketplace
# Security Fundamentals Review
> "Security is not a feature. It's a foundation. Build on sand, and the house falls."
## When to Apply
Activate this skill when reviewing:
- Authentication/login flows
- Authorization checks
- User input handling
- Database queries
- File uploads
- API endpoints
- Data exposure in responses
---
## Review Checklist
### Input Validation (NEVER Trust the Client)
- [ ] **All inputs validated**: Is every user input checked before use?
- [ ] **Server-side validation**: Is validation done on the server, not just client?
- [ ] **Type checking**: Are expected types enforced?
- [ ] **Length limits**: Are string lengths bounded?
- [ ] **Whitelist over blacklist**: Are allowed values explicitly defined?
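The following is an added example (not part of this skill or any project it reviews) showing what the five input-validation checks above look like when applied to one hypothetical JSON endpoint. The field names, length limits and role allowlist are assumptions chosen for illustration; the point is that type, length and allowed-value checks all run on the server, and unexpected fields are rejected rather than ignored.

```python
"""Server-side input validation for a hypothetical profile-update endpoint.

Added example: the field names, limits and allowlist below are assumptions,
not taken from any particular project.
"""
from typing import Any

# Allowlist of permitted values (explicitly allowed, not a list of bad ones).
ALLOWED_ROLES = frozenset({"viewer", "editor"})
ALLOWED_FIELDS = frozenset({"display_name", "bio", "role", "age"})
MAX_NAME_LEN = 64
MAX_BIO_LEN = 500


class ValidationError(ValueError):
    """Raised for any input that fails a server-side check."""


def validate_profile_update(payload: Any) -> dict:
    """Return a sanitized dict or raise ValidationError.

    Everything the client sent is untrusted: the type of each field, its
    length, and its membership in the allowlist are all checked here,
    regardless of what a client-side form may already have done.
    """
    if not isinstance(payload, dict):
        raise ValidationError("payload must be a JSON object")

    # Reject fields the endpoint does not expect (e.g. a smuggled "is_admin").
    unknown = set(payload) - ALLOWED_FIELDS
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")

    name = payload.get("display_name")
    if not isinstance(name, str) or not (1 <= len(name) <= MAX_NAME_LEN):
        raise ValidationError(f"display_name must be a string of 1..{MAX_NAME_LEN} chars")
    # Control characters are never legitimate in a display name; rejecting
    # them keeps the value safe to log and render.
    if any(ord(c) < 32 for c in name):
        raise ValidationError("display_name contains control characters")

    bio = payload.get("bio", "")
    if not isinstance(bio, str) or len(bio) > MAX_BIO_LEN:
        raise ValidationError(f"bio must be a string of at most {MAX_BIO_LEN} chars")

    role = payload.get("role", "viewer")
    if role not in ALLOWED_ROLES:
        raise ValidationError("role not permitted")

    age = payload.get("age")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if age is not None and (
        isinstance(age, bool) or not isinstance(age, int) or not 0 <= age <= 150
    ):
        raise ValidationError("age must be an integer in 0..150")

    return {"display_name": name, "bio": bio, "role": role, "age": age}


def check(payload: Any) -> tuple:
    """Convenience wrapper: (True, sanitized) or (False, reason)."""
    try:
        return True, validate_profile_update(payload)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(check({"display_name": "alice", "role": "editor"}))
    print(check({"display_name": "bob", "is_admin": True}))
```

Note the default for a missing field is the least privileged one (`role` falls back to `"viewer"`), and the unknown-field check closes the common mass-assignment gap where extra JSON keys are silently copied onto a model.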
### Authentication
- [ ] **Password hashing**: Are passwords hashed (bcrypt, argon2), not encrypted?
- [ ] **No plaintext secrets**: Are secrets in env vars, not code?
- [ ] **Token expiry**: Do JWTs/sessions have reasonable expiration?
- [ ] **Secure transmission**: Is HTTPS enforced?
### Authorization
- [ ] **Ownership checks**: Can users only access THEIR data?
- [ ] **Role verification**: Are admin routes protected by role checks?
- [ ] **No client-side auth**: Is authorization enforced server-side?
### Data Exposure
- [ ] **Minimal response**: Does the API return only necessary fields?
- [ ] **No sensitive data in URLs**: Are tokens/IDs not in query strings?
- [ ] **No sensitive data in logs**: Are passwords/tokens excluded from logs?
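The block below is an added example (not the skill's own code) covering the authorization and data-exposure items together, since in practice they sit in the same handler: a server-side ownership/role check, a response built from an explicit allowlist of fields, a log redactor, and a check for tokens in query strings. The `User`/`Document` records, role names and field lists are assumptions made for this illustration.

```python
"""Server-side authorization and response minimization (added example).

Assumptions: the User and Document records, the "user"/"admin" roles and
the public field list are constructed for this example only.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin" (assumed roles)


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    title: str
    body: str
    internal_notes: str  # must never leave the server


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the resource."""


def can_read(user: User, doc: Document) -> bool:
    """Ownership check: the owner or an admin, decided on the server."""
    return user.role == "admin" or doc.owner_id == user.id


# Explicit allowlist of fields that may appear in a response.
PUBLIC_DOC_FIELDS = ("id", "title", "body")


def document_response(doc: Document) -> dict:
    """Build the response from the allowlist, not from the whole record."""
    return {field: getattr(doc, field) for field in PUBLIC_DOC_FIELDS}


def get_document(user: User, doc: Document) -> dict:
    """Handler body: authorize first, then return the minimal view."""
    if not can_read(user, doc):
        raise Forbidden(f"user {user.id} may not read document {doc.id}")
    return document_response(doc)


# Key fragments that mark a value as sensitive (assumed list; extend it).
SENSITIVE_KEY_PARTS = ("password", "token", "authorization", "secret", "cookie")


def _is_sensitive(key: str) -> bool:
    key = key.lower()
    return any(part in key for part in SENSITIVE_KEY_PARTS)


def redact(value):
    """Recursively mask sensitive values before they reach a log line."""
    if isinstance(value, dict):
        return {
            k: "[REDACTED]" if _is_sensitive(str(k)) else redact(v)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def url_leaks_secret(url: str) -> bool:
    """True if a query-string parameter name looks like a credential.

    Query strings end up in browser history, proxy logs and Referer headers,
    so tokens belong in headers or the request body instead.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return any(_is_sensitive(name) for name in query)


if __name__ == "__main__":
    owner, stranger = User(1, "user"), User(2, "user")
    doc = Document(10, owner_id=1, title="Q3 plan", body="...", internal_notes="draft")
    print(get_document(owner, doc))
    print(can_read(stranger, doc))
    print(redact({"user": "bob", "password": "hunter2"}))
```

Two review habits this encodes: the response is assembled from named fields rather than serializing the model (so a newly added column cannot leak by default), and logging goes through `redact` rather than relying on every call site to remember which keys are sensitive.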
---