securing-applications
Install: claude install-skill nhattrung0911/shipwright
# Securing Applications
## Overview
Security is a **gate, not a feature** — it blocks "done"; it isn't an optional add-on. Built on **OWASP Top 10:2025** (current edition). Most breaches are boring: missing access checks, misconfiguration, leaked secrets, unpatched dependencies. Cover the basics relentlessly.
**Core principle:** Never trust input, never trust the caller, never trust defaults. Verify at every boundary.
**Announce when securing/reviewing:** "Using securing-applications: checking against OWASP Top 10:2025."
## When to Use
- Building: auth, input handling, file upload, payments, admin features, anything touching user data.
- Configuring: deploy, server, cloud, CORS, headers, env.
- Reviewing: before shipping any feature; pre-launch; dependency updates.
## OWASP Top 10:2025 — risk → defense → how to check
| # | Risk | Defense | Check |
|---|---|---|---|
| A01 | **Broken Access Control** (#1) | Authorize EVERY request server-side per resource & action; deny by default; never trust client role/ID; check ownership per object (**BOLA**); reject unexpected fields (**mass assignment**); validate outbound URLs (**SSRF** — allowlist, block link-local & cloud metadata `169.254.169.254`) | Access another user's object by ID across ≥2 users → 403; unauthenticated request → deny; POST an extra `isAdmin` field → ignored; SSRF to metadata IP → blocked |
| A02 | **Security Misconfiguration** | Harden defaults; **full security headers** (CSP, HSTS, X-Content-Type-Options, X-Fram
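The A01 row in working form, as an added example that is not part of this skill or the shipwright project: a toy in-memory document API with a per-object authorization check (BOLA), a mass-assignment allowlist, and an outbound-URL check for SSRF. The users, documents, the host allowlist `ALLOWED_HOSTS` and the resolver table `FAKE_DNS` are constructed fixtures so it runs offline, and `authorize`, `get_document`, `update_document`, `validate_outbound_url` and `is_fetch_allowed` are names chosen here. The SSRF check goes a little beyond the row: it validates the resolved addresses rather than only the hostname, strips URL userinfo, and unwraps IPv4-mapped IPv6 literals, so an allowlisted name that resolves to `169.254.169.254` or a `[::ffff:169.254.169.254]` literal is still refused.

```python
"""A01 Broken Access Control: three server-side guards on a toy document API.
Added example for this page, not code from the shipwright skill. All users,
documents, hosts and addresses below are constructed fixtures."""
import ipaddress
from urllib.parse import urlsplit

# Constructed fixtures. Roles live server-side; the client never sends them.
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "ops": {"role": "admin"}}
DOCS = {
    "d1": {"owner": "alice", "title": "alice notes", "body": "hello"},
    "d2": {"owner": "bob", "title": "bob notes", "body": "world"},
}
CLIENT_WRITABLE = {"title", "body"}                      # mass-assignment allowlist
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}   # assumed outbound allowlist
FAKE_DNS = {                                             # constructed resolver (offline)
    "api.example.com": ["93.184.216.34"],                # any public address
    "cdn.example.com": ["169.254.169.254"],              # allowlisted name pointed at metadata
}


class AccessDenied(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def authorize(actor, doc_id, action):
    """Deny by default; decide per object and per action (BOLA check).
    `actor` is the identity from the verified session, never a request field."""
    if actor not in USERS:
        raise AccessDenied(401, "unauthenticated")
    doc = DOCS.get(doc_id)
    if doc is None:
        raise AccessDenied(404, "not found")
    allowed = doc["owner"] == actor or USERS[actor]["role"] == "admin"
    if action in ("read", "update", "delete") and allowed:
        return doc
    raise AccessDenied(403, "forbidden")


def get_document(actor, doc_id):
    """Endpoint-shaped wrapper returning (status, body)."""
    try:
        return 200, authorize(actor, doc_id, "read")
    except AccessDenied as e:
        return e.status, {"error": str(e)}


def update_document(actor, doc_id, payload):
    """Mass-assignment guard: copy only allowlisted keys, so an extra
    `isAdmin` or `owner` key in the JSON body is ignored, not persisted."""
    try:
        doc = authorize(actor, doc_id, "update")
    except AccessDenied as e:
        return e.status, {"error": str(e)}
    doc.update({k: v for k, v in payload.items() if k in CLIENT_WRITABLE})
    return 200, doc


def validate_outbound_url(url, resolve=FAKE_DNS.get):
    """SSRF guard for server-side fetches. Returns the addresses the fetch may
    connect to, or raises ValueError. It checks the *resolved* addresses, not
    just the name; connect to one of the returned IPs and re-run this on every
    redirect so a second lookup or a 302 cannot route to a blocked address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    host = parts.hostname                     # userinfo (`user@host`) already stripped
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        if host not in ALLOWED_HOSTS:
            raise ValueError("host not on allowlist")
        addrs = [ipaddress.ip_address(a) for a in (resolve(host) or [])]
        if not addrs:
            raise ValueError("host did not resolve")
    checked = []
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped               # ::ffff:169.254.169.254 -> 169.254.169.254
        # is_global is False for loopback, RFC1918, link-local (incl. metadata), reserved
        if not ip.is_global:
            raise ValueError(f"blocked address {ip}")
        checked.append(str(ip))
    return checked


def is_fetch_allowed(url):
    """Boolean form of validate_outbound_url for callers that only need a verdict."""
    try:
        validate_outbound_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(get_document("bob", "d1"))                                   # (403, ...)
    print(update_document("alice", "d1", {"title": "t", "isAdmin": True}))
    print(is_fetch_allowed("http://169.254.169.254/latest/meta-data/"))  # False
```

Each function maps onto the Check column: another user's object by ID gives 403, no session gives 401, the extra `isAdmin` field is dropped, and the metadata address is refused whether it appears as a literal, behind `user@`, as a mapped IPv6 literal, or as the resolution of an allowlisted name. Python's `is_global` already covers loopback, RFC1918, link-local and reserved ranges, which is why the block does not enumerate them by hand; decimal or hex forms such as `2130706433` are not parsed as addresses by `ipaddress`, so they fall through to the hostname allowlist and are rejected there.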