Install: claude install-skill sefaertunc/anthropic-watch
# Security Checklist
## Purpose
This is a reference checklist, not an agent. Any agent — code-simplifier,
test-writer, verify-app, or the main session — can consult this when they
encounter security-relevant code. The dedicated security-reviewer agent
does deeper analysis; this checklist catches the obvious issues.
## Quick Scan (30 seconds)
Before committing any code that handles user input, authentication, or
external data, check these five things:
1. **No hardcoded secrets** — grep for API keys, passwords, tokens, connection strings
2. **Input is validated** — user input goes through validation before use
3. **Queries are parameterized** — no string concatenation in SQL/NoSQL queries
4. **Output is escaped** — user content is not rendered as raw HTML
5. **Auth is checked** — protected endpoints have authentication middleware
If any fail, stop and fix before committing.
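Three of the five Quick Scan items, written out as runnable checks. This is an added example, not code from the checklist or its repository: the scanned source text, the in-memory users table and the comment body are constructed for the demo, and the secret regex is a deliberately simple grep-style heuristic rather than a full scanner.

```python
"""Added example (not part of the checklist): Quick Scan items 1, 3 and 4
as runnable checks. The scanned source text, the users table and the
comment are constructed for the demo."""
from __future__ import annotations

import html
import re
import sqlite3

# Item 1: constructed "source file" to scan for hardcoded credentials.
SAMPLE_SOURCE = """\
DATABASE_URL = os.environ["DATABASE_URL"]
api_key = "AKIAEXAMPLEKEY0000000000"
password = "hunter2"
token = get_token_from_vault()
"""

# Heuristic: an identifier that smells like a credential assigned a quoted
# literal. A dedicated secret scanner is more thorough; this is "the grep".
SECRET_PATTERN = re.compile(
    r"""(?i)\b(api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*["'][^"']{4,}["']"""
)


def find_hardcoded_secrets(source: str) -> list[int]:
    """Return the 1-based line numbers that look like hardcoded secrets."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if SECRET_PATTERN.search(line)
    ]


def demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_user_concatenated(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Item 3, the anti-pattern: the value becomes part of the SQL text,
    so quote characters in it change the query's meaning."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = '" + username + "'"
    ).fetchall()


def lookup_user(conn: sqlite3.Connection, username: str) -> list[tuple]:
    """Item 3, fixed: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def render_comment(author: str, body: str) -> str:
    """Item 4: escape user content before it is placed into HTML."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


if __name__ == "__main__":
    print("suspect lines:", find_hardcoded_secrets(SAMPLE_SOURCE))
    conn = demo_db()
    probe = "' OR '1'='1"  # a quote-bearing username, to show the difference
    print("concatenated:", lookup_user_concatenated(conn, probe))
    print("parameterized:", lookup_user(conn, probe))
    print(render_comment("eve", "<script>alert(1)</script>"))
```

The point of the two lookup functions side by side is that the parameterized one returns nothing for the quote-bearing input because the whole string is compared as a username, while the concatenated one returns every row. Items 2 and 5 (input validation and auth middleware) are framework-specific and are not shown here.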
## OWASP Top 10 Reference
### A01: Broken Access Control
- Every endpoint checks authentication AND authorization
- Users cannot access other users' resources by changing IDs in URLs
- File paths from user input are sanitized (no path traversal)
- CORS is configured to allow only expected origins
- Directory listing is disabled on static file servers
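Three of the A01 items as code: an ownership check so that changing an ID in the URL does not hand over someone else's resource, a path-confinement check for user-supplied file paths, and an allow-list CORS response. This is an added example, not the checklist's own code; the users, document store, base directory and origin allow-list are constructed for the demo and the web-framework wiring is left out.

```python
"""Added example (not part of the checklist): A01 checks as plain functions.
Users, documents, the base directory and the origin allow-list are constructed."""
from __future__ import annotations

import os
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when an authorization or path-confinement check fails."""


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


# Constructed document store: id -> owner id and body.
DOCUMENTS = {
    101: {"owner": 1, "body": "alice's quarterly report"},
    102: {"owner": 2, "body": "bob's draft"},
}


def read_document(current: User, doc_id: int) -> str:
    """Authorization, not just authentication: knowing who the caller is
    does not entitle them to every id they can type into the URL."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    if current.role != "admin" and doc["owner"] != current.id:
        raise Forbidden(f"user {current.id} may not read document {doc_id}")
    return doc["body"]


def can_read(current: User, doc_id: int) -> bool:
    """Boolean form of read_document, convenient for tests and logging."""
    try:
        read_document(current, doc_id)
    except (Forbidden, KeyError):
        return False
    return True


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve a user-supplied path under base_dir and refuse any result
    that lands outside it (.. segments, absolute paths, symlinks).
    commonpath is used instead of startswith so that /base2 is not
    mistaken for a child of /base."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise Forbidden(f"path escapes {base}: {user_path!r}")
    return target


def is_confined(base_dir: str, user_path: str) -> bool:
    """Boolean form of safe_join."""
    try:
        safe_join(base_dir, user_path)
    except Forbidden:
        return False
    return True


ALLOWED_ORIGINS = {"https://app.example.com"}  # constructed allow-list


def cors_headers(request_origin: str | None) -> dict[str, str]:
    """Allow-list CORS: echo only origins we expect. Reflecting whatever
    Origin the request carries defeats the purpose of the check."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    print(read_document(User(1, "user"), 101))
    print(can_read(User(2, "user"), 101))
    print(is_confined("/srv/app/static", "reports/q1.txt"))
    print(is_confined("/srv/app/static", "../../../etc/passwd"))
    print(cors_headers("https://app.example.com"))
```

Note that `os.path.join` discards the base when the user path is absolute, which is exactly why the check is done on the resolved result rather than on the input string.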
### A02: Cryptographic Failures
- Passwords hashed with bcrypt, scrypt, or argon2 — never a plain MD5 or SHA digest for passwords
- Sensitive data encrypted at rest (PII, payment info)
- HTTPS enforced in production — no mixed content
- API keys and secrets stored in e
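The password-hashing item from A02 as an added example (not the checklist's code): `hashlib.scrypt` from the standard library with a random per-password salt, a self-describing stored format and constant-time verification, beside the unsalted MD5 the checklist rules out. scrypt is used here because it ships with Python; bcrypt and argon2 need third-party packages. The cost parameters are illustrative assumptions, not a recommendation from the page.

```python
"""Added example (not part of the checklist): password storage with
hashlib.scrypt next to the unsalted-MD5 anti-pattern. Cost parameters are
illustrative assumptions."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Illustrative scrypt cost parameters (assumption; n must be a power of two).
# Memory use is about 128 * n * r bytes, 16 MiB here.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt_b64$hash_b64.
    A fresh random salt per password means equal passwords never share a hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=KEY_LEN,
    )
    return "$".join([
        "scrypt",
        str(SCRYPT_N),
        str(SCRYPT_R),
        str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in
    constant time; malformed records simply fail verification."""
    try:
        scheme, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hashlib.scrypt(
            password.encode("utf-8"),
            salt=salt,
            n=int(n),
            r=int(r),
            p=int(p),
            dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(actual, expected)


def unsalted_md5(password: str) -> str:
    """The anti-pattern from the checklist: fast and unsalted, so identical
    passwords produce identical digests and precomputed tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong", record))
    print(unsalted_md5("hunter2") == unsalted_md5("hunter2"))
```

Storing the parameters inside the record is what lets you raise the cost later and rehash users on their next successful login without a migration.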