When code touches a security-sensitive area, check for these issues:
- Injection -- SQL injection, command injection, XSS, template injection. Is untrusted input bound through parameterized queries or safe APIs (or escaped for the exact output context) rather than concatenated into a query, command, or markup?
- Authentication/Authorization -- Are access controls enforced server-side on every privileged path, for the specific object as well as the route? Are secrets hardcoded? Are tokens or passwords written to logs?
- Path traversal -- Can user-controlled input (including `..` segments, absolute paths, or symlinks) steer a file path outside the intended directory?
- Sensitive data -- Are credentials, API keys, or PII being logged, committed to source control, or sent to external services?
- Dependencies -- Are new dependencies from trusted sources and pinned to a known version? Do they introduce known vulnerabilities?
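As an added illustration of the first and third items (not part of the original checklist), the following Python shows a vulnerable snippet beside its hardened form for SQL injection and for path traversal. It uses only the standard library; the `users` table, its rows, and the temporary `public`/`secret.txt` layout are constructed here for the demonstration, and the function names are ours.

```python
"""Vulnerable-vs-hardened pairs for two checklist items: injection and path traversal.
Added example, not code from the original page. Sample data is constructed inline."""
import os
import sqlite3
import tempfile


def make_db() -> sqlite3.Connection:
    # Constructed sample table for the injection demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


# --- Injection ------------------------------------------------------------
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: the input is spliced into the SQL text, so a quote in `name`
    # rewrites the WHERE clause (e.g. "x' OR '1'='1" matches every row).
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    # HARDENED: the driver binds `name` as a value; it can never alter the query shape.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- Path traversal --------------------------------------------------------
def read_file_vulnerable(base: str, user_path: str) -> bytes:
    # VULNERABLE: os.path.join trusts the input. "../x" escapes `base`, and an
    # absolute user_path discards `base` entirely.
    with open(os.path.join(base, user_path), "rb") as f:
        return f.read()


def safe_join(base: str, user_path: str) -> str:
    # HARDENED: resolve both sides (following symlinks) and confirm the target is
    # still inside base. Rejects "..", absolute paths, and symlink escapes alike.
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes base directory")
    return target


def read_file_safe(base: str, user_path: str) -> bytes:
    with open(safe_join(base, user_path), "rb") as f:
        return f.read()


def demo_traversal() -> tuple:
    # Constructed layout: <tmp>/public/readme.txt is served, <tmp>/secret.txt is not.
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "readme.txt"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"top secret")

    leaked = read_file_vulnerable(public, "../secret.txt")   # the secret escapes
    try:
        read_file_safe(public, "../secret.txt")
        blocked = False
    except ValueError:
        blocked = True                                        # the hardened path refuses
    served = read_file_safe(public, "readme.txt")             # legitimate reads still work
    return leaked, blocked, served


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", find_user_vulnerable(db, payload))   # all three users
    print("safe:      ", find_user_safe(db, payload))         # []
    print("traversal: ", demo_traversal())
```

The pattern in both pairs is the same: keep untrusted input in a data position (a bound parameter, a path component that is re-checked after resolution) rather than letting it shape the query or the filesystem location.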
If a vulnerability is found, fix it immediately and explain what was wrong and why the fix is correct. Do not ship known vulnerabilities.