security-auditor-saaslisted
Install: claude install-skill batterfried-philosophy172/Agent-Startup-Skills
# Security Auditor — Hardening Agent
## Purpose
Identify and remediate security vulnerabilities before the product is deployed.
Prevent data breaches, unauthorized access, and common attack vectors.
## When to Use
- After code and tests are complete
- Before deployment planning
- When the user asks "is this code secure?"
## Audit Checklist (OWASP Top 10 Aligned)
### 1. Injection (SQL, NoSQL, Command)
- [ ] All database queries use parameterized statements or ORM
- [ ] No string concatenation in queries
- [ ] User input is never passed directly to system commands
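The three injection items above, as an added example in Python (not code from this skill or its repository): a user lookup written the way the checklist forbids beside the parameterized form, and an argv builder that validates a hostname before it goes anywhere near `subprocess`. The in-memory `users` table and the inputs are constructed for the demonstration.

```python
"""Injection checks from section 1: bound parameters, and no shell command
built from raw input. Added example; the table and inputs are constructed."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for a real users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [("alice@example.com", "user"), ("bob@example.com", "admin")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # Fails the checklist: the value is spliced into the SQL text, so the
    # database parses whatever the caller sent as part of the statement.
    sql = "SELECT id, email FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> list:
    # Passes: the driver binds the value separately from the statement,
    # so the input is only ever compared as data and cannot change the query.
    return conn.execute(
        "SELECT id, email FROM users WHERE email = ?", (email,)
    ).fetchall()


# RFC 1123-style hostname: labels of letters, digits and inner hyphens.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_argv(host: str) -> list:
    """Build the argv for a connectivity check; reject anything that is not a
    plain hostname. Handing a list to subprocess.run (no shell=True) keeps the
    host a single argument that no shell ever interprets."""
    if len(host) > 253 or not HOSTNAME.fullmatch(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # constructed input a reviewer would test with
    print("unsafe rows:", len(find_user_unsafe(db, crafted)))  # every row
    print("safe rows:", len(find_user_safe(db, crafted)))      # none
    print(ping_argv("example.com"))
```

The test a reviewer wants is the contrast: the same crafted string returns every row from the concatenated query and no rows from the bound one, and the argv builder refuses any host that is not a bare hostname instead of trying to escape it.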
### 2. Broken Authentication
- [ ] Passwords are hashed with bcrypt/argon2 (never stored in plain text, never hashed with bare MD5/SHA)
- [ ] Sessions expire after a reasonable timeout
- [ ] Login has rate limiting or brute-force protection
- [ ] Password reset tokens are single-use and time-limited
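The authentication items above as one added Python example (not the skill's own code). Assumptions: bcrypt and argon2 are third-party packages, so the password functions use the standard library's `hashlib.scrypt` as a stand-in salted, memory-hard KDF; the limiter and token store are in-memory and take an injectable clock so expiry can be exercised without sleeping.

```python
"""Section 2 controls: salted KDF password hashing, login attempt limiting,
and single-use, time-limited reset tokens. Added example with an in-memory
store; hashlib.scrypt stands in for bcrypt/argon2 so it runs offline."""
import hashlib
import hmac
import os
import secrets
import time

_SCRYPT = dict(n=2 ** 14, r=8, p=1)  # ~16 MiB per hash; tune per deployment


def hash_password(password: str) -> bytes:
    """Random 16-byte salt prepended to the derived key (never a bare MD5/SHA)."""
    salt = os.urandom(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


class LoginLimiter:
    """Fixed-window failure counter per account: refuse further attempts once
    max_attempts failures land inside one window."""

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = {}  # username -> (window_start, failure_count)

    def allowed(self, username: str) -> bool:
        start, count = self._failures.get(username, (self.clock(), 0))
        if self.clock() - start >= self.window:
            return True  # window elapsed; counter is stale
        return count < self.max_attempts

    def record_failure(self, username: str) -> None:
        now = self.clock()
        start, count = self._failures.get(username, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        self._failures[username] = (start, count + 1)

    def record_success(self, username: str) -> None:
        self._failures.pop(username, None)


class ResetTokens:
    """Reset tokens that are single-use and expire after ttl_seconds. Only the
    SHA-256 of the token is stored, so a leaked table does not yield tokens."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._pending = {}  # sha256(token) -> (username, expires_at)

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (username, self.clock() + self.ttl)
        return token

    def consume(self, token: str):
        """Return the username for a valid token, or None. pop() makes the
        token single-use; the expiry check makes it time-limited."""
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() > expires_at:
            return None
        return username
```

Usage follows the checklist order: hash at registration, `verify_password` at login, `record_failure` on a bad password and `allowed` before even checking one, and `issue`/`consume` around the reset flow; a second `consume` of the same token and a `consume` after the TTL both return `None`.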
### 3. Sensitive Data Exposure
- [ ] No secrets in source code (API keys, passwords, tokens)
- [ ] `.env` files are in `.gitignore`
- [ ] HTTPS is enforced in production
- [ ] Sensitive data is not logged
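Two of the items above can be checked mechanically. This added Python example (not part of the skill) scans source text for hard-coded secrets with two heuristic patterns, checks whether a `.gitignore` actually covers `.env`, and redacts sensitive fields before a record is logged. The sample source and `.gitignore` contents are constructed; the AWS key value is the one AWS uses in its own documentation, not a live key.

```python
"""Section 3 checks: find likely secrets in source, confirm .env is ignored,
and redact sensitive fields from log records. Added example; samples are
constructed and the patterns are heuristics, not an exhaustive detector."""
import fnmatch
import re

SECRET_PATTERNS = [
    # AWS access key id: fixed prefix plus 16 uppercase alphanumerics.
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # A credential-looking name assigned a quoted literal of 8+ characters.
    ("hardcoded-credential", re.compile(
        r"(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]")),
]

SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2hunter2"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
token = os.environ["API_TOKEN"]
"""


def scan_source(text: str) -> list:
    """Return (line_number, pattern_name) for every line matching a pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def env_is_ignored(gitignore_text: str) -> bool:
    """True if some non-comment, non-negated .gitignore pattern matches '.env'."""
    for raw in gitignore_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        if fnmatch.fnmatchcase(".env", line.lstrip("/")):
            return True
    return False


SENSITIVE_FIELDS = {"password", "token", "secret", "authorization", "api_key"}


def redact_for_log(record: dict) -> dict:
    """Copy of a record with sensitive fields masked, for use before logging."""
    return {
        key: "[REDACTED]" if key.lower() in SENSITIVE_FIELDS else value
        for key, value in record.items()
    }


if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE_SOURCE):
        print(f"line {lineno}: {name}")
    print(".env ignored:", env_is_ignored(".venv/\n.env\n"))
    print(redact_for_log({"user": "alice", "password": "x", "token": "y"}))
```

A match is a finding to review, not proof of a leak; the value of running this on every commit is that the `.env` line in `.gitignore` and the absence of quoted credentials get verified rather than assumed.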
### 4. Broken Access Control
- [ ] Users cannot access other users' data by changing IDs in URLs
- [ ] Admin routes are protected with role checks
- [ ] API endpoints verify the requesting user's permissions
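The access-control items above as an added Python example (not the skill's code): a handler for a resource fetched by an ID taken from the URL that checks ownership server-side, and a role decorator for admin-only routes. The `User` type, the in-memory `INVOICES` store and the exception classes are constructed for the demonstration.

```python
"""Section 4 checks: server-side ownership check on an ID from the URL, and
role-gated admin routes. Added example with a constructed in-memory store."""
from dataclasses import dataclass
from functools import wraps


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed store: invoice id -> owner and amount.
INVOICES = {
    101: {"owner_id": 1, "amount": 40},
    102: {"owner_id": 2, "amount": 75},
}


def get_invoice(current: User, invoice_id: int) -> dict:
    """Handler for GET /invoices/<id>. The id is attacker-controlled input, so
    the record's owner is compared with the authenticated user every time;
    the client never gets to assert ownership."""
    row = INVOICES.get(invoice_id)
    if row is None:
        raise NotFound(invoice_id)
    if row["owner_id"] != current.id and current.role != "admin":
        # Many services return the same 404 here so callers cannot enumerate
        # which ids exist; a distinct 403 is used here to keep the check visible.
        raise Forbidden(f"user {current.id} may not read invoice {invoice_id}")
    return row


def require_role(role: str):
    """Decorator for routes that only one role may call."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(current: User, *args, **kwargs):
            if current.role != role:
                raise Forbidden(f"{role} role required")
            return fn(current, *args, **kwargs)
        return wrapper
    return decorator


@require_role("admin")
def list_all_invoices(current: User) -> dict:
    """Admin route: every invoice, regardless of owner."""
    return dict(INVOICES)


if __name__ == "__main__":
    alice, root = User(1, "user"), User(3, "admin")
    print(get_invoice(alice, 101))
    print(len(list_all_invoices(root)), "invoices visible to admin")
```

The pattern to look for in review is that both decisions are made from the authenticated identity and the stored record, never from anything the request body or URL claims.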
### 5. Security Misconfiguration
- [ ] CORS is configured to allow only known origins
- [ ] Debug mode is disabled in production config
- [ ] Default credentials are changed
- [ ] Error messages do not expose stack traces to users
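The misconfiguration items above as an added Python example (not the skill's code): a CORS helper that only ever returns headers for an exact allowlisted origin, an error handler that logs the traceback server-side but sends the client a generic body unless debug mode is on, and a small `check_config` audit that flags debug mode, wildcard CORS and default credentials. The allowlist, default-credential set and sample configs are constructed.

```python
"""Section 5 checks: CORS allowlist, stack-trace-free error responses, and a
production config audit. Added example; the allowlist, the default-credential
set and the sample configs are constructed."""
import logging
import traceback
import uuid

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
log = logging.getLogger("app")


def cors_headers(request_origin: str, allowed=ALLOWED_ORIGINS) -> dict:
    """Return CORS headers only for an exact allowlisted origin. The request's
    Origin is never echoed back unconditionally, and '*' is never combined
    with credentials; an unknown origin simply gets no CORS headers."""
    if request_origin in allowed:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # caches must not reuse one origin's answer
        }
    return {}


def error_response(exc: Exception, debug: bool) -> tuple:
    """Unhandled-exception handler. The full traceback goes to the server log
    under a correlation id; the client body is generic unless debug is on,
    which production config must never enable."""
    correlation_id = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    log.error("unhandled error %s: %s", correlation_id, trace)
    if debug:
        return 500, {"error": str(exc), "trace": trace}
    return 500, {"error": "internal server error", "id": correlation_id}


# Constructed sample of vendor defaults a scanner would compare against.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


def check_config(cfg: dict) -> list:
    """Audit a deployment config dict; return human-readable findings."""
    findings = []
    if cfg.get("DEBUG"):
        findings.append("DEBUG is enabled")
    if "*" in cfg.get("CORS_ORIGINS", []):
        findings.append("CORS allows any origin")
    if (cfg.get("ADMIN_USER"), cfg.get("ADMIN_PASSWORD")) in DEFAULT_CREDENTIALS:
        findings.append("default admin credentials")
    return findings


if __name__ == "__main__":
    print(cors_headers("https://app.example.com"))
    print(cors_headers("https://other.example.net"))
    print(error_response(ValueError("db password rejected"), debug=False))
    print(check_config({"DEBUG": True, "CORS_ORIGINS": ["*"],
                        "ADMIN_USER": "admin", "ADMIN_PASSWORD": "admin"}))
```

The correlation id is what lets operators find the real traceback in the log after a user reports the generic error, so hiding the stack trace costs nothing in debuggability.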