security-review
Install: claude install-skill haabe/mycelium
# Security Review
Language-agnostic security review based on OWASP Secure by Design.
## Checklist (OWASP Top 10:2025)
*Updated to the OWASP Top 10:2025 edition. The 2021 edition used different groupings and numbering, so category IDs below will not match older references.*
### A01:2025 — Broken Access Control
- [ ] Least privilege enforced (users get minimum permissions needed)
- [ ] Authorization enforced server-side on EVERY request, including object-level checks (record owner/tenant), not just at login
- [ ] CORS restrictive: explicit origin allowlist, never `*` and never a reflected `Origin` on credentialed responses
- [ ] Directory listing disabled
- [ ] Rate limiting on API/controller access
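The first three items above are easiest to review against concrete code. The following is an added example (not code from the mycelium skill or this checklist) showing deny-by-default, per-request, object-level authorization plus an allowlisted CORS policy; the users, documents and origins are constructed for illustration.

```python
"""Deny-by-default, per-request, object-level authorization and an allowlisted CORS policy.

Added example, not code from the mycelium skill. Users, documents and
origins below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from functools import wraps
from typing import Callable, Dict, Optional


class Role(Enum):
    USER = "user"
    ADMIN = "admin"


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: Role = Role.USER


@dataclass
class Document:
    doc_id: int
    owner_id: str
    body: str


# Constructed sample data: two users, each owning one document.
DOCUMENTS: Dict[int, Document] = {
    1: Document(1, "alice", "alice's notes"),
    2: Document(2, "bob", "bob's notes"),
}


class Forbidden(Exception):
    """Raised when the authorization check fails; map to HTTP 403 (or 404) at the edge."""


def authorize(check: Callable[[Principal, Document], bool]):
    """Decorator that re-evaluates `check` against the target record on every call.

    Because the check looks at the record actually being accessed, a caller who
    swaps the id in the request (IDOR) still has to pass the owner comparison.
    """
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal: Principal, doc_id: int, *args, **kwargs):
            doc = DOCUMENTS.get(doc_id)
            if doc is None or not check(principal, doc):
                # Deny by default, with one message for "missing" and "not yours"
                # so the response does not reveal which ids exist.
                raise Forbidden(f"user {principal.user_id} may not access document {doc_id}")
            return fn(principal, doc, *args, **kwargs)
        return wrapper
    return decorator


def owner_or_admin(principal: Principal, doc: Document) -> bool:
    return principal.role is Role.ADMIN or doc.owner_id == principal.user_id


@authorize(owner_or_admin)
def read_document(principal: Principal, doc: Document) -> str:
    return doc.body


@authorize(owner_or_admin)
def delete_document(principal: Principal, doc: Document) -> None:
    del DOCUMENTS[doc.doc_id]


def access_denied(action: Callable, principal: Principal, doc_id: int) -> bool:
    """True when `action` refuses the request (useful for callers and tests)."""
    try:
        action(principal, doc_id)
    except Forbidden:
        return True
    return False


# CORS: an explicit origin allowlist. Sending "*" or reflecting an arbitrary
# Origin together with Allow-Credentials lets any site read authenticated responses.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})  # assumed


def cors_headers(request_origin: Optional[str]) -> Dict[str, str]:
    """Echo the Origin only when allowlisted; otherwise send no CORS headers at all."""
    if request_origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",  # stop shared caches serving one origin's header to another
        }
    return {}


if __name__ == "__main__":
    print(read_document(Principal("alice"), 1))
    print("bob reading alice's doc denied:", access_denied(read_document, Principal("bob"), 1))
    print(cors_headers("https://evil.example"))
```

When reviewing a real handler, look for the shape of `authorize`: the check must run on the path that serves the request and must consult the record being returned, not only the session. A `Vary: Origin` header belongs next to any per-origin `Access-Control-Allow-Origin`.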
### A02:2025 — Cryptographic Failures
- [ ] Data encrypted at rest and in transit (TLS 1.2+)
- [ ] No secrets in code, logs, or error messages
- [ ] PII identified and classified in threat model
- [ ] Passwords hashed with a salted, slow KDF (argon2id, bcrypt, scrypt), never plain MD5/SHA-1 or any unsalted fast hash
- [ ] Cryptographic algorithms current (no deprecated ciphers)
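As an added example (not code from the mycelium skill), the password-hashing item above in working form. It uses scrypt from the standard library's `hashlib` so it runs with no third-party packages; the same structure applies to argon2id or bcrypt through their libraries. The work factors and the `$scrypt$...` record format are assumed demo choices, with N deliberately below production strength.

```python
"""Password storage with a salted, memory-hard KDF and constant-time verification.

Added example, not code from the mycelium skill. scrypt is used because it is
in the standard library; the record format below is a simplified PHC-style
encoding chosen for this example.
"""
import base64
import hashlib
import hmac
import os

# Assumed demo parameters: N=2**14 needs 16 MiB per hash. For production the
# OWASP Password Storage Cheat Sheet suggests N=2**17, r=8, p=1 for scrypt.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: $scrypt$n=..$r=..$p=..$salt$key.

    A fresh random salt per password means two users with the same password
    get different records, which defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=KEY_BYTES)
    return f"$scrypt$n={n}$r={r}$p={p}${_b64(salt)}${_b64(key)}"


def _parse(stored: str):
    parts = stored.split("$")
    if len(parts) != 7 or parts[1] != "scrypt":
        raise ValueError("unrecognised password hash format")
    n, r, p = (int(field.split("=", 1)[1]) for field in parts[2:5])
    return n, r, p, base64.b64decode(parts[5]), base64.b64decode(parts[6])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time.

    Malformed input yields False rather than an exception, so a corrupt record
    cannot become a stack trace (and a leaked hash) in an error page."""
    try:
        n, r, p, salt, expected = _parse(stored)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, *, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bool:
    """True when the record was made with weaker parameters than current policy.

    Call this after a successful login and re-hash with the new parameters,
    which is how a deployment raises its work factor without a forced reset."""
    try:
        stored_n, stored_r, stored_p, _, _ = _parse(stored)
    except ValueError:
        return True
    return stored_n < n or stored_r < r or stored_p < p


def unsalted_md5(password: str) -> str:
    """What NOT to do: fast and unsalted, so identical for every user with this password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("wrong", record))
```

The two properties a reviewer should confirm are visible here: a per-record random salt (two hashes of the same password differ) and a comparison that does not short-circuit on the first mismatched byte (`hmac.compare_digest`).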
### A03:2025 — Injection
- [ ] All user input validated (type, length, range, format)
- [ ] Parameterized queries for ALL data access (never string concatenation)
- [ ] Input allowlisting preferred over denylisting
- [ ] Output encoded based on context (HTML, JS, URL, CSS — covers XSS)
- [ ] Content Security Policy configured
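The Injection items above, as an added example that is not code from the mycelium skill: a deliberately vulnerable concatenated query beside its parameterized form, an allowlist validator, and one output encoder per sink (HTML text, JavaScript string literal, URL parameter). The SQLite table, its two rows and the username policy are constructed for the example.

```python
"""Parameterized queries, allowlist input validation and context-aware output encoding.

Added example, not code from the mycelium skill. The SQLite table and rows are
constructed in memory; find_user_unsafe is the deliberately vulnerable "before"
shown beside the parameterized "after".
"""
import html
import json
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import quote

# Constructed sample data.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
_conn.executemany("INSERT INTO users VALUES (?, ?)",
                  [("alice", "alice@example.com"), ("bob", "bob@example.com")])
_conn.commit()

Row = Tuple[str, str]


def find_user_unsafe(username: str) -> List[Row]:
    """VULNERABLE: string concatenation lets the input rewrite the WHERE clause."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return _conn.execute(sql).fetchall()


def find_user_safe(username: str) -> List[Row]:
    """Parameterized: the driver sends the value separately, never as SQL text."""
    return _conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")  # assumed username policy


def valid_username(value: str) -> bool:
    """Allowlist validation: state what is permitted instead of hunting for bad characters."""
    return USERNAME_RE.fullmatch(value) is not None


# Output encoding: one encoder per sink. The same value needs different
# escaping depending on whether it lands in HTML text, a JS string or a URL.
def html_text(value: str) -> str:
    return html.escape(value, quote=True)


def js_string_literal(value: str) -> str:
    """Safe to embed inside <script> as a quoted literal: JSON encoding handles
    quotes and backslashes, and <, > and & are hex-escaped so "</script>"
    in the data cannot terminate the enclosing script block."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def url_param(value: str) -> str:
    """Percent-encode for a query-string value (safe="" also encodes '/')."""
    return quote(value, safe="")


def render_profile(username: str, next_url: str) -> str:
    """Assemble a fragment using the right encoder for each context."""
    return (
        f"<h1>{html_text(username)}</h1>\n"
        f"<a href=\"/home?next={url_param(next_url)}\">continue</a>\n"
        f"<script>var user = {js_string_literal(username)};</script>"
    )


if __name__ == "__main__":
    payload = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(payload))   # every row comes back
    print("safe:  ", find_user_safe(payload))     # no row has that literal name
    print(render_profile("<img src=x onerror=alert(1)>", "/home?a=1&b=2"))
```

Validation and encoding are separate controls: `valid_username` keeps junk out of the system, but `render_profile` still encodes because data reaching a template may come from somewhere that was never validated (an import, another service, an older record).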
### A03b:2025 — Software Supply Chain Failures *(new in 2025)*
- [ ] SBOM (Software Bill of Materials) generated automatically per build (CycloneDX or SPDX) and covering every dependency, not a hand-maintained list of the critical ones
- [ ] Build integrity verified (reproducible builds, signed artifacts)
- [ ] Dependency provenance checked (not just version, but source authenticity)
- [ ] Transitive dependencies audited (not just dire