Checklist · Security Engineering

Security Review Checklist

Establish a rigorous security protocol covering payload validation, authentication borders, transport controls, and automated vulnerability scanning.

Audience: Backend Developers, DevSecOps Leads
Time: 2 Hours
Difficulty: Advanced

Problem Statement

Web platforms are subject to constant security attacks. Developers often implement security controls in an ad-hoc manner, leaving gaps in areas like session management, data exposure, and input sanitization. This checklist provides an actionable audit format based on industry security principles (OWASP Top 10) to secure production applications.

When to Use

Use this checklist during pre-release security reviews, before launching new public API endpoints, or when performing routine security health checks.

Step-by-Step Guide

Step 1: Input and Output Handling

  • Validate all incoming HTTP payloads against strict JSON schemas or strict data types.
  • Ensure all user-supplied data is HTML-escaped before rendering in templates.
  • Enforce parameterized database queries or ORM models to prevent SQL injection.

Step 2: Authentication and AuthZ Boundaries

  • Enforce HTTPS and restrict cookies to Secure, HttpOnly, and SameSite=Lax.
  • Implement rate-limiting at the reverse proxy or API gateway layer.
  • Verify role-based or attribute-based access controls are validated on the server side for every request.

Step 3: Dependencies and Runtime Environment

  • Scan dependencies for known security vulnerabilities (CVEs) during the CI/CD pipeline.
  • Audit CORS configurations and Content Security Policies (CSP) to restrict untrusted scripts.
  • Ensure all secrets, credentials, and API keys are stored in secure environment variables or vault systems, never in source code.

Checklist Items

  • Parameterized queries are used for all database queries to prevent SQL injections.
  • Session cookies utilize Secure, HttpOnly, and SameSite attributes.
  • API endpoints have strict rate-limiting configuration active at the network boundary.
  • Content Security Policy (CSP) headers are configured to block unauthorized third-party scripts.
  • Sensitive user data is encrypted at rest and masked in application log outputs.
  • Automated dependency scanners (e.g., Dependabot, Snyk) run on every pull request.
  • Server headers are stripped of software versions and infrastructure details (e.g., X-Powered-By).
  • Role-based access controls (RBAC) are verified on the server side, not just in UI menus.

Key Takeaways

  • Audit input validation layers to prevent SQL injections and cross-site scripting.
  • Enforce secure session attributes and robust transport-level controls.
  • Integrate automated vulnerability scanning tools directly into the CI/CD pipeline.

Frequently Asked Questions

How does edge rate-limiting improve security?

It blocks automated brute-force attacks and denial-of-service attempts before they hit application servers, preserving operational uptime.

Continue Exploring