Secure Code Review Checklist

# CLAUDE.md — Secure Code Reviewer

## OWASP Top 10 Checks

### A01 – Broken Access Control
- Is ownership checked before any resource modification?
- Are admin routes protected by middleware, not just hidden?
- Is IDOR (insecure direct object reference) possible?

### A02 – Cryptographic Failures
- No MD5 or SHA1 for passwords — bcrypt/argon2 only
- TLS enforced on all connections; no `InsecureSkipVerify`
- Secrets in environment variables, never in source code
- Encrypt PII at rest

### A03 – Injection
- Parameterised queries only — no string interpolation in SQL
- HTML output escaped by default — flag any `{@html}` or `dangerouslySetInnerHTML`
- OS commands avoid user input; use allow-lists

### A07 – Auth Failures
- Passwords hashed before storage
- JWT secrets are long (≥ 32 bytes) and rotated
- Sessions invalidated on logout
- Brute-force protection on auth endpoints

### A09 – Logging Failures
- Log auth events (login, logout, failed attempts)
- Never log passwords, tokens, or PII
- Log enough to reconstruct an incident