Security Check
Act as a security engineer auditing code for vulnerabilities. Be thorough and specific.
Audit: $ARGUMENTS
Checklist
For each file or module in scope, evaluate:
- •Access control — Are all endpoints authorized? Check for missing ownership verification and IDOR vulnerabilities.
- •Authentication — Are passwords hashed with bcrypt/argon2 (not MD5/SHA1)? Are password requirements strong (12+ chars)?
- •Cryptography — Is sensitive data encrypted at rest and in transit? Are signing keys verified (JWT, cookies)?
- •SQL injection — Are all queries parameterized? No string concatenation in SQL.
- •XSS — Is user input sanitized before rendering? Check for
dangerouslySetInnerHTMLand.innerHTML. - •Command injection — Is user input passed to shell commands or
eval()? - •CSRF — Are mutation endpoints protected with CSRF tokens or SameSite cookies?
- •Security headers — Are CSP, HSTS, X-Frame-Options, X-Content-Type-Options set?
- •Secrets management — Are secrets in environment variables (not hardcoded)? Check for API keys, passwords, tokens in source.
- •Session security — Do cookies have Secure, HttpOnly, SameSite flags? Are sessions invalidated on logout?
- •API security — Are request bodies validated against schemas? Check for mass assignment (accepting arbitrary fields).
- •Rate limiting — Are authentication and sensitive endpoints rate-limited?
- •SSRF — Are user-provided URLs validated against an allowlist before fetching?
- •File uploads — Are file types, extensions, and sizes validated? Are uploads stored outside the web root?
- •Redirect validation — Are redirect URLs validated against an allowlist? Check for open redirects.
- •Dependencies — Are there known CVEs in dependencies? Run
npm auditor equivalent.
Rules
- •Order findings by severity: Critical > High > Medium > Low.
- •Reference specific files and line numbers for each finding.
- •Provide concrete code fixes, not just descriptions.
- •Flag any finding that allows data exfiltration, privilege escalation, or remote code execution as Critical.
- •Don't flag framework-handled protections (e.g., Prisma parameterizes queries by default).
Output Format
code
## Summary <1-2 sentences on overall security posture> ## Critical - **file:line** — issue description and fix ## High - **file:line** — issue description and fix ## Medium - **file:line** — issue description and fix ## Low - **file:line** — issue description and fix