A security checklist mapped to the risks that actually get exploited
Most breaches trace back to a short list of recurring mistakes: broken access control, injection, weak transport, leaked secrets, and outdated dependencies. This builder turns the OWASP Top 10 and adjacent best practice into a concrete, checkable list tailored to whether you are auditing a web app, an API, or both.
How it works
You choose the application type and toggle the focus areas relevant to your system. The tool assembles a Markdown checklist of verifiable items grouped by category — authentication and session management, access control, input validation and injection, XSS and output encoding, CSRF, transport security and TLS, secrets management, security headers, logging, and dependency/CVE hygiene. Each item is phrased as something you can confirm or mark as a finding, so the output doubles as your audit worksheet.
What each category checks
Authentication and session management — password hashing algorithm and work factor, account lockout thresholds, multi-factor availability, session-cookie flags (HttpOnly, Secure, SameSite), session regeneration on login, and idle/absolute timeout enforcement.
Access control — every endpoint enforces authorization on the server, not just by hiding UI elements. Role checks are performed on each request, not once at login. Horizontal privilege escalation (accessing another user’s resource by changing an ID in the URL) is tested explicitly.
Injection — SQL, NoSQL, shell, and template injection. The audit item asks you to confirm that every query to a database is parameterized or uses an ORM’s safe query builder, and that shell commands never concatenate user input.
Transport and TLS — HTTPS enforced everywhere with HSTS, TLS 1.2 or newer, certificates valid and auto-renewing, no mixed-content resources over HTTP on HTTPS pages.
Secrets management — no API keys, credentials, or tokens in source control, environment variables in .env.production are not committed, and secrets in logs are masked.
Dependency hygiene — npm audit, pip-audit, or Snyk runs in CI; builds fail on critical CVEs; direct and transitive dependencies are pinned or range-bounded.
Common findings this checklist surfaces
- An admin endpoint missing a role check because the developer assumed only admins know the URL.
- A password reset flow that leaks whether an email is registered (user enumeration).
- A third-party script tag in the HTML that bypasses the Content-Security-Policy.
- An error page that echoes the stack trace including a connection string.
- A dependency with a known RCE CVE that was never updated because no CI scanner was wired in.
Tips for using the output
- Treat every database query as a potential injection point: confirm it is parameterized, e.g.
WHERE id = $1, never built with string concatenation. - Verify access control on the server for every endpoint — never rely on the UI hiding a button to enforce authorization.
- Run a dependency scanner (e.g.
npm audit, Snyk) in CI and fail the build on critical CVEs. - Confirm secrets live in environment variables or a vault, never in source control or client-side bundles.
- Work through the checklist section by section and mark each item as confirmed, finding, or not-applicable. The Markdown format lets you paste it directly into a GitHub issue or a design-review document.