🛡️ Security & Hardening Protocols
We are building a fortress, not a tent. Every line of code processing user input is a potential attack vector.
🚫 OWASP Top Risks Mitigation
1. IDOR (Insecure Direct Object References) - CRITICAL
Never trust IDs sent from the client blindly.
- BAD:

```typescript
db.order.cancel({ where: { id: inputId } }) // Attacker can cancel anyone's order
```

- GOOD:

```typescript
db.order.cancel({
  where: {
    id: inputId,
    userId: session.user.id // 🔒 Enforce ownership
  }
})
```
2. Authentication & Authorization
- Verify `session` in EVERY Server Action.
- Don't rely on UI hiding. If a button is hidden, the API endpoint is still exposed.
3. Input Validation (Sanitization)
- All inputs are "Guilty until proven innocent".
- Use Zod and reject unknown fields with `.strict()` (the default `.strip()` silently drops them, which hides tampering instead of surfacing it).
- Prevent zero or negative quantities in trades (`z.number().positive()` rejects both).
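Rules 1 to 3 above combined into one Server Action, as an added example that is not the project's own code. Zod and the database client are replaced by small in-memory stand-ins so the file runs with plain Node/TypeScript; the names `Session`, `makeOrders`, `cancelOrder`, `cancelOrderInsecure` and `parseTradeInput` are assumptions, not the project's API.

```typescript
// Added example (not the project's code): a "cancel order" Server Action that
// applies the three rules above. Zod and the DB client are replaced by in-memory
// stand-ins; Session, makeOrders, cancelOrder, parseTradeInput are assumed names.

type Session = { user: { id: string } } | null;
type Order = { id: string; userId: string; status: "open" | "cancelled" };
type Result = { ok: true } | { ok: false; error: string };

// Constructed sample data: two users, one open order each.
export function makeOrders(): Order[] {
  return [
    { id: "ord-1", userId: "alice", status: "open" },
    { id: "ord-2", userId: "bob", status: "open" },
  ];
}

// Stand-in for a Zod object schema with .strict(): any key outside `allowed`
// fails validation instead of being silently dropped.
function strictObject(raw: unknown, allowed: string[]): Record<string, unknown> | null {
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) return null;
  const obj = raw as Record<string, unknown>;
  for (const key of Object.keys(obj)) {
    if (!allowed.includes(key)) return null; // unknown field -> reject
  }
  return obj;
}

// { id: string } with no extra keys.
export function parseCancelInput(raw: unknown): { id: string } | null {
  const obj = strictObject(raw, ["id"]);
  if (!obj) return null;
  const id = obj.id;
  if (typeof id !== "string" || id.length === 0) return null;
  return { id };
}

// { quantity: number } where quantity must be finite and > 0: the
// z.number().positive() rule from section 3 (zero and negatives rejected).
export function parseTradeInput(raw: unknown): { quantity: number } | null {
  const obj = strictObject(raw, ["quantity"]);
  if (!obj) return null;
  const q = obj.quantity;
  if (typeof q !== "number" || !Number.isFinite(q) || q <= 0) return null;
  return { quantity: q };
}

// BAD: filters by id only, so any authenticated user can cancel any order.
export function cancelOrderInsecure(session: Session, raw: unknown, store: Order[]): Result {
  if (!session) return { ok: false, error: "unauthenticated" };
  const input = parseCancelInput(raw);
  if (!input) return { ok: false, error: "invalid input" };
  const order = store.find((o) => o.id === input.id);
  if (!order) return { ok: false, error: "not found" };
  order.status = "cancelled";
  return { ok: true };
}

// GOOD: session verified first, input validated, and ownership is part of the
// lookup predicate, so a foreign id is indistinguishable from a missing one.
export function cancelOrder(session: Session, raw: unknown, store: Order[]): Result {
  if (!session) return { ok: false, error: "unauthenticated" };
  const input = parseCancelInput(raw);
  if (!input) return { ok: false, error: "invalid input" };
  const userId = session.user.id; // from the server-side session, never from the client
  const order = store.find((o) => o.id === input.id && o.userId === userId);
  if (!order) return { ok: false, error: "not found" };
  order.status = "cancelled";
  return { ok: true };
}
```

Returning "not found" for both a missing and a foreign order is deliberate: a distinct "forbidden" response would let an attacker enumerate which ids exist.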
4. Rate Limiting (Logic Layer)
- Prevent "Spam Buying": cap how many orders one user can place per time window, keyed by the server-side session user id.
- If implementing a Cron Job, ensure it cannot be triggered via a public URL: require a secret the scheduler sends with each call, and fail closed if that secret is not configured.
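Both points above in code, as an added example (not the project's own code): a per-user sliding-window limiter for buy actions and a guard that a cron handler checks before doing any work. `BuyLimiter`, `isAuthorizedCron`, the bearer-token scheme and the limit values are assumptions.

```typescript
// Added example (not the project's code). Assumed names: BuyLimiter,
// isAuthorizedCron. The cron secret is assumed to arrive as a bearer token.
import { timingSafeEqual } from "node:crypto";

// Sliding window: at most `limit` buys per `windowMs` for each user. The key is
// the session user id decided server-side, never an id supplied by the client.
export class BuyLimiter {
  private hits = new Map<string, number[]>();

  constructor(private readonly limit: number, private readonly windowMs: number) {}

  // Returns true if the buy may proceed and records it; false if over the cap.
  allow(userId: string, now: number = Date.now()): boolean {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(userId) ?? []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(userId, recent); // keep the pruned list, do not record the refused attempt
      return false;
    }
    recent.push(now);
    this.hits.set(userId, recent);
    return true;
  }
}

// Cron guard: the handler must call this before running the job. Fails closed
// when no secret is configured and compares in constant time so the check does
// not leak how many leading bytes matched.
export function isAuthorizedCron(authHeader: string | null, secret: string | undefined): boolean {
  if (!secret) return false; // unconfigured deployment must not expose the job
  if (!authHeader || !authHeader.startsWith("Bearer ")) return false;
  const presented = Buffer.from(authHeader.slice("Bearer ".length));
  const expected = Buffer.from(secret);
  if (presented.length !== expected.length) return false; // timingSafeEqual requires equal lengths
  return timingSafeEqual(presented, expected);
}
```

The limiter is in-process memory, so with several server instances each one keeps its own counts; a shared store is needed for a real cap across replicas. Idle users' arrays are only pruned when they act again, so long-lived processes should also evict stale keys periodically.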
🕵️ Code Review Trigger
If the code involves Money Transfer, Profile Update, or Data Deletion, apply this skill immediately.