Problem Statement
Web platforms are subject to constant security attacks. Developers often implement security controls in an ad-hoc manner, leaving gaps in areas like session management, data exposure, and input sanitization. This checklist provides an actionable audit format based on industry security principles (OWASP Top 10) to secure production applications.
When to Use
Use this checklist during pre-release security reviews, before launching new public API endpoints, or when performing routine security health checks.
Step-by-Step Guide
Step 1: Input and Output Handling
- Validate all incoming HTTP payloads against strict JSON schemas or strict data types.
- Ensure all user-supplied data is HTML-escaped before rendering in templates.
- Enforce parameterized database queries or ORM models to prevent SQL injection.
Step 2: Authentication and AuthZ Boundaries
- Enforce HTTPS and restrict cookies to Secure, HttpOnly, and SameSite=Lax.
- Implement rate-limiting at the reverse proxy or API gateway layer.
- Verify role-based or attribute-based access controls are validated on the server side for every request.
Step 3: Dependencies and Runtime Environment
- Scan dependencies for known security vulnerabilities (CVEs) during the CI/CD pipeline.
- Audit CORS configurations and Content Security Policies (CSP) to restrict untrusted scripts.
- Ensure all secrets, credentials, and API keys are stored in secure environment variables or vault systems, never in source code.
Checklist Items
- Parameterized queries are used for all database queries to prevent SQL injections.
- Session cookies utilize Secure, HttpOnly, and SameSite attributes.
- API endpoints have strict rate-limiting configuration active at the network boundary.
- Content Security Policy (CSP) headers are configured to block unauthorized third-party scripts.
- Sensitive user data is encrypted at rest and masked in application log outputs.
- Automated dependency scanners (e.g., Dependabot, Snyk) run on every pull request.
- Server headers are stripped of software versions and infrastructure details (e.g., X-Powered-By).
- Role-based access controls (RBAC) are verified on the server side, not just in UI menus.