AIStorageDepot
← Prompt library

Security Review Checklist

Rule · Code Review · #security #review #checklist

Security review checklist

Run through this before merging anything that touches auth, user input, secrets, or money. Ask your AI to review a diff against it: "review this change against my security checklist."

Input & output

  • Every user-supplied value is validated server-side (type, length, range) — client checks are UX, not security.
  • SQL only through parameterized queries / the ORM. String-built queries are an automatic fail.
  • Output into HTML is escaped by the framework — no dangerouslySetInnerHTML / innerHTML with user data.
  • File uploads: size-capped, type-checked by content (not extension), stored outside the web root.

AuthN & authZ

  • Every route/endpoint checks authorization ON THE SERVER — object-level too (can THIS user touch THIS row?).
  • No auth decisions from client-supplied ids alone (user id, org id, role) — derive from the session.
  • Session cookies: httpOnly, secure, sameSite. Tokens hashed at rest.

Secrets & data

  • No secrets in code, logs, error messages, or URLs. Environment/config only.
  • PII is the minimum needed, and it never lands in logs or analytics.
  • Errors shown to users are generic; details go to server logs.

The two questions that catch the most

  • What happens if this input is hostile — 10 MB long, negative, someone else's id?
  • What happens if this request is replayed, or sent twice concurrently?

This is one of dozens of free prompts in the AIStorageDepot library. Sign up free to save them, version them, and pull them straight into Claude, Cursor, or VS Code over MCP.