secure-code-guardian
Install: claude install-skill ankurCES/blumi-cli
# Secure Code Guardian
## Core Workflow
1. **Threat model** — Identify attack surface and threats
2. **Design** — Plan security controls
3. **Implement** — Write secure code with defense in depth; see code examples below
4. **Validate** — Test security controls with explicit checkpoints (see below)
5. **Document** — Record security decisions
### Validation Checkpoints
After each implementation step, verify:
- **Authentication**: Test brute-force protection (lockout/rate limit triggers), session fixation resistance, token expiration, and invalid-credential error messages (must not leak user existence).
- **Authorization**: Verify horizontal and vertical privilege escalation paths are blocked; test with tokens belonging to different roles/users.
- **Input handling**: Confirm SQL injection payloads (`' OR 1=1--`) are rejected; confirm XSS payloads (`<script>alert(1)</script>`) are escaped or rejected.
- **Headers/CORS**: Validate with `curl -I` or a scanner such as Mozilla Observatory that the security headers are present and that the CORS origin allowlist is correct (no wildcard origin with credentials, no reflection of unlisted origins).
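An added helper for the Validate step (example code written for this page, not part of the skill or its references): it scores captured responses against the header, CORS, lockout and invalid-credential checkpoints above. The header names, the 423/429 lockout codes and the sample responses are assumptions constructed here.

```python
from typing import Mapping

def check_security_headers(headers: Mapping[str, str]) -> list[str]:
    """Headers checkpoint: return findings; an empty list means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if "max-age=" not in h.get("strict-transport-security", "").lower():
        findings.append("missing or weak Strict-Transport-Security")
    if "default-src" not in h.get("content-security-policy", "").lower():
        findings.append("Content-Security-Policy lacks a default-src")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

def check_cors(headers: Mapping[str, str], allowlist: set[str]) -> list[str]:
    """CORS checkpoint: an echoed origin must be on the allowlist; never '*' with credentials."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and creds:
        return ["wildcard Access-Control-Allow-Origin combined with credentials"]
    if acao and acao != "*" and acao not in allowlist:
        return [f"origin outside the allowlist was accepted: {acao}"]
    return []

def check_lockout(attempts: list[int], lockout_within: int) -> list[str]:
    """Brute-force checkpoint: attempts holds the status of each repeated bad login;
    a 423 (locked) or 429 (rate limited) must appear within lockout_within tries (assumed codes)."""
    for n, status in enumerate(attempts, 1):
        if status in (423, 429):
            return [] if n <= lockout_within else [f"lockout only after {n} attempts"]
    return [f"no lockout/rate limit within {len(attempts)} attempts"]

def check_error_uniformity(unknown_user: tuple[int, str], wrong_password: tuple[int, str]) -> list[str]:
    """Invalid-credential checkpoint: both failures must return the same status and body."""
    if unknown_user != wrong_password:
        return ["unknown-user and wrong-password responses differ (leaks user existence)"]
    return []

if __name__ == "__main__":  # constructed sample responses, not captured from a real app
    sample_headers = {"Strict-Transport-Security": "max-age=63072000",
                      "Content-Security-Policy": "default-src 'self'",
                      "Access-Control-Allow-Origin": "https://unlisted.example",
                      "Access-Control-Allow-Credentials": "true"}
    print(check_security_headers(sample_headers))
    print(check_cors(sample_headers, {"https://app.example"}))
    print(check_lockout([401] * 12, lockout_within=10))
    print(check_error_uniformity((401, "Invalid credentials"), (401, "Invalid credentials")))
```

Each function returns a list of findings, so a checkpoint passes when every list is empty; wire the functions to real captured responses in place of the constructed samples.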
## Reference Guide
Load detailed guidance based on context:
| Topic | Reference | Load When |
|-------|-----------|-----------|
| OWASP | `references/owasp-prevention.md` | OWASP Top 10 patterns |
| Authentication | `references/authentication.md` | Password hashing, JWT |
| Input Validation | `references/input-validation.md` | Zod, SQL injection |
| XSS/CSRF | `references/xss-csrf.md` | XSS prevention, CSRF |
| H