web-security-audit
Install: claude install-skill anchit-choudhry/gryffin-calorai
# Secure Coding Guide for Web Applications
## Overview
This guide provides comprehensive secure coding practices for web applications. As an AI assistant,
your role is to approach code from a **bug hunter's perspective** and make applications **as secure
as possible** without breaking functionality.
**Key Principles:**
- Defense in depth: Never rely on a single security control
- Fail securely: When something fails, fail closed (deny access)
- Least privilege: Grant minimum permissions necessary
- Input validation: Never trust user input, validate everything server-side
- Output encoding: Encode data appropriately for the context it's rendered in
---
## Access Control Issues
Access control vulnerabilities occur when users can access resources or perform actions beyond their
intended permissions.
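
An added illustration, not part of the original guide: a lookup that only checks "is logged in" next to one that enforces ownership at the data layer, fails closed, and drops sessions when a user is removed from an organization. The `Store` class, its method names and the sample users are assumptions constructed for this example.

```python
import secrets
import uuid

class AccessDenied(Exception):
    """One error for 'missing' and 'not yours', so denials leak nothing."""

class Store:
    """In-memory stand-in for the data layer (constructed for this example)."""
    def __init__(self):
        self.docs = {}        # doc_id -> {"owner", "org", "body"}
        self.sessions = {}    # token  -> {"user", "org"}

    def login(self, user, org):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "org": org}
        return token

    def _session(self, token):
        s = self.sessions.get(token)
        if s is None:                        # unknown or revoked token: fail closed
            raise AccessDenied()
        return s

    def create_doc(self, token, body):
        s = self._session(token)
        doc_id = str(uuid.uuid4())           # UUIDv4, not a sequential counter
        self.docs[doc_id] = {"owner": s["user"], "org": s["org"], "body": body}
        return doc_id

    def read_doc_vulnerable(self, token, doc_id):
        self._session(token)                 # route-level check only
        return self.docs[doc_id]["body"]     # any known ID is readable

    def read_doc(self, token, doc_id):
        s = self._session(token)
        row = self.docs.get(doc_id)
        # Ownership is enforced where the data is fetched, not in the route.
        if row is None or row["owner"] != s["user"] or row["org"] != s["org"]:
            raise AccessDenied()
        return row["body"]

    def remove_from_org(self, user, org):
        # Lifecycle: drop every session of that user in that org immediately.
        self.sessions = {t: s for t, s in self.sessions.items()
                         if (s["user"], s["org"]) != (user, org)}
```

The vulnerable read still returns another user's row once the UUID is known, so a non-guessable ID complements the ownership check and does not replace it.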
### Core Requirements
For **every data point and action** that requires authentication:
1. **User-Level Authorization**
   - Each user must only access/modify their own data
   - No user should access data from other users or organizations
   - Always verify ownership at the data layer, not just the route level
2. **Use UUIDs Instead of Sequential IDs**
   - Use UUIDv4 or similar non-guessable identifiers
   - Exception: Only use sequential IDs if explicitly requested by user
3. **Account Lifecycle Handling**
   - When a user is removed from an organization: immediately revoke all access tokens and sessions
   - When an account is deleted/deactivated: invalidate all active sessions and API