Code Security Guidelines
Comprehensive security rules for writing secure code across multiple languages and frameworks. Covers OWASP Top 10 vulnerabilities, infrastructure security, and coding best practices.
How It Works
- •When you write or review code, reference these security guidelines
- •Each rule includes incorrect (vulnerable) and correct (secure) code examples
- •Rules are organized by vulnerability category and impact level
Categories
Critical Impact
- •SQL Injection - Use parameterized queries, never concatenate user input
- •Command Injection - Avoid shell commands with user input, use safe APIs
- •XSS - Escape output, use framework protections
- •XXE - Disable external entities in XML parsers
- •Path Traversal - Validate and sanitize file paths
- •Insecure Deserialization - Never deserialize untrusted data
- •Code Injection - Never eval() user input
- •Hardcoded Secrets - Use environment variables or secret managers
- •Memory Safety - Prevent buffer overflows, use-after-free (C/C++)
High Impact
- •Insecure Crypto - Use SHA-256+, AES-256, avoid MD5/SHA1/DES
- •Insecure Transport - Use HTTPS, verify certificates
- •SSRF - Validate URLs, use allowlists
- •JWT Issues - Always verify signatures
- •CSRF - Use CSRF tokens on state-changing requests
- •Prototype Pollution - Validate object keys in JavaScript
Infrastructure
- •Terraform AWS/Azure/GCP - Encryption, least privilege, no public access
- •Kubernetes - No privileged containers, run as non-root
- •Docker - Don't run as root, pin image versions
- •GitHub Actions - Avoid script injection, pin action versions
Usage
Reference the rules in rules/ directory for detailed examples:
- •
rules/sql-injection.md- SQL injection prevention - •
rules/xss.md- Cross-site scripting prevention - •
rules/command-injection.md- Command injection prevention - •
rules/_sections.md- Full index of all 28 rule categories
Quick Reference
| Vulnerability | Key Prevention |
|---|---|
| SQL Injection | Parameterized queries |
| XSS | Output encoding |
| Command Injection | Avoid shell, use APIs |
| Path Traversal | Validate paths |
| SSRF | URL allowlists |
| Secrets | Environment variables |
| Crypto | SHA-256, AES-256 |