Install: claude install-skill christopherlouet/claude-base
# Security Audit
## Objective
Identify security vulnerabilities based on OWASP Top 10.
## Instructions
### 1. Automated scan
```bash
# npm dependency audit (non-zero exit on moderate or worse findings)
npm audit --audit-level=moderate
# Secret search across the whole tree (committed keys, tokens, passwords)
npx secretlint "**/*"
# Static security analysis (requires eslint-plugin-security to be installed)
npx eslint --plugin security src/
```
### 2. OWASP Top 10 Checklist
#### A01 - Broken Access Control
- [ ] Authorization checks on every endpoint
- [ ] No IDOR (objects fetched by a user-supplied ID are checked for ownership, not just existence)
- [ ] CORS correctly configured
- [ ] Principle of least privilege
#### A02 - Cryptographic Failures
- [ ] Sensitive data encrypted (at rest + in transit)
- [ ] No secrets in code
- [ ] Secure hash algorithms (bcrypt, argon2)
- [ ] TLS/HTTPS enforced
#### A03 - Injection
- [ ] SQL: Parameterized queries / ORM
- [ ] XSS: HTML output escaping
- [ ] Command injection: No shell with user input
- [ ] NoSQL: Query validation
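The four A03 items above, each shown as the unsafe pattern beside the defence the checklist asks for. This is an added example and not part of the original skill; the `{ text, values }` object is the parameterized-query shape accepted by the node-postgres `pg` driver, and the `{ file, args }` pair is what `child_process.execFile` takes. Everything else is plain Node with no dependencies.

```javascript
// Added example: injection defences from the A03 checklist (not the skill's own code).

// XSS: escape the five characters that let untrusted text break out of an HTML
// text node or a quoted attribute value. Apply to every value interpolated into
// HTML output (or use a template engine that does this automatically).
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// SQL, unsafe form kept only for contrast: the id is spliced into the SQL text,
// so a quote in the input changes the statement.
function userByIdQueryUnsafe(id) {
  return `SELECT id, email FROM users WHERE id = '${id}'`;
}

// SQL, parameterized form: the value travels separately from the SQL text and
// is never parsed as SQL. This is the query-config object used by `pg`.
function userByIdQuery(id) {
  return { text: 'SELECT id, email FROM users WHERE id = $1', values: [id] };
}

// NoSQL: a filter built straight from req.body is vulnerable when a field
// arrives as an object such as { "$gt": "" } instead of a string (operator
// injection). Validate the type of every field before it reaches the driver.
function userLookupFilter(body) {
  const username = body && body.username;
  if (typeof username !== 'string' || username.length === 0 || username.length > 64) {
    throw new TypeError('username must be a non-empty string');
  }
  return { username };
}

// Command execution: exec(`grep ${pattern} ${file}`) would hand the string to a
// shell. Build an argv array for execFile instead; no shell is involved, and
// the leading "--" stops a pattern that starts with "-" being read as an option.
function grepInvocation(pattern, file) {
  if (typeof pattern !== 'string' || typeof file !== 'string') {
    throw new TypeError('pattern and file must be strings');
  }
  return { file: 'grep', args: ['--', pattern, file] };
}

// Stand-alone demonstration with constructed inputs.
if (typeof require !== 'undefined' && require.main === module) {
  const hostile = "1' OR '1'='1";
  console.log(userByIdQueryUnsafe(hostile)); // the WHERE clause is now always true
  console.log(userByIdQuery(hostile));       // hostile text stays a plain value
  console.log(escapeHtml('<script>alert("x")</script>'));
  console.log(grepInvocation('-e evil', 'app.log'));
}

module.exports = { escapeHtml, userByIdQueryUnsafe, userByIdQuery, userLookupFilter, grepInvocation };
```

The unsafe SQL function is included so a reviewer can see the exact difference the checklist item makes: with the same hostile input, one function yields a statement whose `WHERE` clause is always true, the other yields a fixed statement plus a value.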
#### A04 - Insecure Design
- [ ] Server-side validation (not just client)
- [ ] Rate limiting on sensitive endpoints
- [ ] Environment separation
#### A05 - Security Misconfiguration
- [ ] Security headers (CSP, X-Frame-Options)
- [ ] No stack traces in production
- [ ] Correct file permissions
#### A06 - Vulnerable Components
- [ ] `npm audit` with no critical vulnerabilities
- [ ] Dependencies maintained and up to date
#### A07 - Authentication Failures
- [ ] Passwords hashed correctly
- [ ] Protection against brute force
- [ ] Secure sessions (httpOnly, secure, sameSite)
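The A05 header items and the A07 session-cookie item, expressed as code an auditor can check a service against. This is an added example, not part of the original skill: the functions are framework-agnostic (apply the header map with `res.setHeader(name, value)` in Node's `http` module, Express or Fastify), the CSP value and the two-year HSTS max-age are assumptions chosen for a same-origin app served only over HTTPS, and `missingSecurityHeaders` is a hypothetical helper for turning the checklist into an automated check.

```javascript
// Added example: security headers (A05), no stack traces in production (A05)
// and session cookie attributes (A07). Not the skill's own code.

// Header set for a same-origin application. CSP forbids inline script, eval and
// plugins and disallows framing; X-Frame-Options is the legacy equivalent of
// frame-ancestors 'none' for older browsers.
function securityHeaders({ allowScriptsFrom = [] } = {}) {
  const scriptSrc = ["'self'", ...allowScriptsFrom].join(' ');
  return {
    'Content-Security-Policy':
      `default-src 'self'; script-src ${scriptSrc}; object-src 'none'; frame-ancestors 'none'; base-uri 'self'`,
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    // Assumption: site is HTTPS-only, so a long HSTS lifetime is safe to send.
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  };
}

// Audit helper (hypothetical): given the headers a response actually carried
// (any letter case), report which of the expected ones are absent.
function missingSecurityHeaders(actualHeaders) {
  const present = new Set(Object.keys(actualHeaders).map((h) => h.toLowerCase()));
  return Object.keys(securityHeaders()).filter((h) => !present.has(h.toLowerCase()));
}

// Session cookie serializer. Defaults give the three attributes on the A07 list:
// HttpOnly keeps document.cookie from reading it, Secure restricts it to HTTPS,
// SameSite=Lax withholds it on cross-site POSTs (CSRF) while still allowing
// top-level navigation. Name and value are validated so a caller cannot smuggle
// extra attributes into the Set-Cookie line.
function sessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = 'Lax', path = '/' } = {}) {
  if (!/^[\w-]+$/.test(name)) throw new TypeError('invalid cookie name');
  if (typeof value !== 'string' || /[;,\s]/.test(value)) {
    throw new TypeError('cookie value must not contain ; , or whitespace');
  }
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new TypeError('invalid SameSite value');
  return [
    `${name}=${value}`,
    `Path=${path}`,
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',
    'Secure',
    `SameSite=${sameSite}`,
  ].join('; ');
}

// Error body shaping: in production the client gets a generic message and the
// stack goes to the server log only; elsewhere the details are returned to
// speed up debugging.
function errorResponse(err, env = process.env.NODE_ENV, log = console.error) {
  if (env === 'production') {
    log(err.stack || String(err));
    return { status: 500, body: { error: 'Internal Server Error' } };
  }
  return { status: 500, body: { error: err.message, stack: err.stack } };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(securityHeaders());
  console.log(sessionCookie('sid', 'c0n5truct3d-s3ss10n-1d'));
  // Constructed response headers from an imaginary service missing most items.
  console.log(missingSecurityHeaders({ 'content-security-policy': "default-src 'self'", 'content-type': 'text/html' }));
  console.log(errorResponse(new Error('db down'), 'production', () => {}));
}

module.exports = { securityHeaders, missingSecurityHeaders, sessionCookie, errorResponse };
```

Run `missingSecurityHeaders` against the headers captured from a deployed endpoint (for example the object returned by `fetch(...).headers` converted to a plain object) to tick or fail the A05 header item mechanically rather than by eye.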
#### A08 - Data Integrity Fail