# Web Security Hardening

Security audit checklist for web applications. Run through each item when reviewing or building web apps.

## Audit Workflow

- Identify the framework (Node.js/Express, Python/Django/Flask, etc.)
- Review each checklist item below
- For implementation details, see the framework-specific references:
  - Node.js/Express: see `references/nodejs.md`
  - Python/Django/Flask: see `references/python.md`
- For production deployments, see `references/production-gcp.md` for an extended checklist covering:
  - GCP infrastructure (IAM, networking, secrets)
  - CI/CD pipeline security
  - Monitoring & incident response
- Report findings with severity and remediation steps

## Security Checklist
### 1. Rate Limiting

**Risk**: DoS attacks, brute force attempts, API abuse

Check for:

- Per-endpoint rate limits (stricter on auth endpoints)
- Rate limit headers in responses (`X-RateLimit-*`)
- Appropriate limits for different user tiers
### 2. Security & Authorization Headers

**Risk**: XSS, clickjacking, MIME sniffing, info leakage

Required headers:

- `Strict-Transport-Security` (HSTS)
- `X-Content-Type-Options: nosniff`
- `X-Frame-Options: DENY` or `SAMEORIGIN`
- `Content-Security-Policy`
- `Authorization` header validation on protected routes
### 3. IP Block List (Public APIs)

**Risk**: Abuse from known bad actors, bot traffic

Check for:

- IP-based blocking mechanism
- Integration with threat intelligence feeds (optional)
- Logging of blocked requests
### 4. CORS Configuration

**Risk**: Unauthorized cross-origin requests, data theft

Check for:

- Explicit origin whitelist (not `*` in production)
- Appropriate methods and headers allowed
- Credentials handling if needed
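As an added example (not part of this checklist or its references), a small Python helper that audits one response's headers against items 1, 2 and 4 and emits findings in the report's PASS/FAIL/PARTIAL vocabulary. The severities, the one-year HSTS threshold and the two sample responses are my assumptions, not values from the checklist.

```python
import re

ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds

def hsts_ok(value: str) -> bool:
    """HSTS passes only with a max-age of at least one year."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= ONE_YEAR

# Item 2: header -> (assumed severity, predicate on the value, remediation step)
REQUIRED: dict[str, tuple] = {
    "strict-transport-security": ("High", hsts_ok,
        "Send Strict-Transport-Security with max-age >= 31536000"),
    "x-content-type-options": ("Medium", lambda v: v.strip().lower() == "nosniff",
        "Set X-Content-Type-Options: nosniff"),
    "x-frame-options": ("Medium", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
        "Set X-Frame-Options to DENY or SAMEORIGIN"),
    "content-security-policy": ("High", lambda v: bool(v.strip()),
        "Define a Content-Security-Policy"),
}

def audit_headers(headers: dict[str, str]) -> list[dict]:
    """One finding per checked item, in the report's PASS/FAIL/PARTIAL vocabulary."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, (severity, check, fix) in REQUIRED.items():
        ok = name in h and check(h[name])
        findings.append({"item": name, "status": "PASS" if ok else "FAIL",
                         "severity": severity, "remediation": fix})
    # Item 4: a wildcard origin lets any site read the response.
    acao = h.get("access-control-allow-origin", "").strip()
    findings.append({"item": "cors-origin", "status": "FAIL" if acao == "*" else "PASS",
                     "severity": "High", "remediation": "Whitelist explicit origins, never *"})
    # Item 1: X-RateLimit-* headers are evidence of limiting; their absence is only PARTIAL.
    has_rl = any(k.startswith("x-ratelimit-") for k in h)
    findings.append({"item": "rate-limit-headers", "status": "PASS" if has_rl else "PARTIAL",
                     "severity": "Low", "remediation": "Return X-RateLimit-* headers"})
    return findings

def failing(headers: dict[str, str]) -> list[str]:
    """Items that did not PASS, for the report summary."""
    return [f["item"] for f in audit_headers(headers) if f["status"] != "PASS"]

# Constructed sample responses (not captured from any real service).
WEAK = {"Content-Type": "text/html", "Access-Control-Allow-Origin": "*",
        "X-Frame-Options": "ALLOW-FROM https://example.test"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'", "X-RateLimit-Limit": "100",
            "Access-Control-Allow-Origin": "https://app.example.test"}
```

Feed it the headers of a real response (for example `dict(resp.headers)` from a requests call) and copy each non-PASS finding into the report template's Severity and Remediation fields.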
### 5. Security Middleware

**Risk**: Common web vulnerabilities

Check for framework-appropriate middleware:

- Node.js: `helmet`
- Python: `django-secure` (now Django's built-in `SecurityMiddleware`), `flask-talisman`
- Sets multiple security headers automatically
### 6. Input Validation

**Risk**: Injection attacks, data corruption, XSS

Check for:

- Frontend validation (UX, not security)
- Backend validation (required for security)
- Schema validation libraries (Zod, Joi, Pydantic, etc.)
- Sanitization of user input before storage/display
### 7. File Upload Limits

**Risk**: Storage exhaustion, malicious file uploads

Check for:

- Max file size limits
- Allowed file type restrictions (MIME + extension)
- File content validation (magic bytes)
- Secure storage location (outside webroot)
### 8. ORM for Database Access

**Risk**: SQL injection

Check for:

- Parameterized queries (never string concatenation)
- ORM usage (Prisma, Sequelize, SQLAlchemy, Django ORM)
- If raw SQL is needed: prepared statements only
### 9. Password Hashing

**Risk**: Credential theft, rainbow table attacks

Check for:

- Strong algorithm: bcrypt, Argon2, or scrypt
- Appropriate cost factor (bcrypt rounds ≥10)
- No MD5, SHA1, or plain SHA256 for passwords
- No plaintext password storage or logging
## Audit Report Format

```markdown
## Security Audit: [App Name]

### Summary

- **Items Passing**: X/9
- **Critical Issues**: X
- **Recommendations**: X

### Findings

#### [Item Name] - [PASS/FAIL/PARTIAL]

**Severity**: Critical/High/Medium/Low
**Finding**: [Description]
**Location**: [File/endpoint]
**Remediation**: [Steps to fix]
```