security-checklist

# Security checklist Pre-deployment security audit organized around the OWASP Top 10:2025 categories (released late 2025, succeeding the 2021 edition). This is the baseline that prevents obvious disasters — not a substitute for a real penetration test or threat model. For verification depth beyond this checklist, see OWASP ASVS 5.0 (https://owasp.org/www-project-application-security-verification-standard/). For API-specific scope, see OWASP API Security Top 10:2023 (https://owasp.org/API-Security/editions/2023/en/0x00-header/). ## Step 0: Research the current security landscape (do this first) > Security knowledge ages on a 6-12 month half-life. The recipes below were last verified on 2026-05-08; they may be stale by the time you read this. Before applying any pattern in this skill, fan out research scoped to the OWASP Top 10:2025 categories being audited so the recipes are interpreted against current authoritative sources, not against this file's snapshot. ### Default-on, with a documented skip Run the 4-angle research below by default. Skip ONLY when ALL of these hold: - (a) You ran this same skill on this same primitive within the last 4 hours of the current session, - (b) That prior research surfaced no urgent advisories for the OWASP Top 10:2025 categories being audited, - (c) You log a one-line `Research skipped because <reason>` note in your response. "I think I know" / "moving fast" / "user wants this done quickly" / "already familiar" are NOT valid skip reason...