Defend before attackers find the gaps.
Security is not a feature—it's a property. Review code with adversarial thinking.
| # | Vulnerability | What to Check |
|---|---|---|
| 1 | Injection | SQL, NoSQL, LDAP, OS commands—parameterize everything |
| 2 | Broken Auth | Session management, credential storage, MFA |
| 3 | Sensitive Data | Encryption at rest/transit, PII exposure, logging secrets |
| 4 | XXE | Are external entities and DTD resolution disabled in XML parsers? |
| 5 | Broken Access | IDOR, privilege escalation, missing authZ checks |
| 6 | Misconfig | Default credentials, verbose error messages, security headers |
| 7 | XSS | Input sanitization, output encoding, CSP |
| 8 | Insecure Deserialization | Untrusted data → object creation |
| 9 | Vulnerable Dependencies | npm audit, Dependabot, known CVEs |
| 10 | Logging & Monitoring | Audit trails, alerting, incident detection |

| Threat | Question | Mitigation |
|---|---|---|
| Spoofing | Can attacker impersonate? | Strong authentication |
| Tampering | Can data be modified? | Integrity checks, signatures |
| Repudiation | Can actions be denied? | Audit logging |
| Information Disclosure | Can secrets leak? | Encryption, access control |
| Denial of Service | Can system be overwhelmed? | Rate limiting, quotas |
| Elevation of Privilege | Can attacker gain access? | Least privilege, authZ |
□ Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
□ No hardcoded credentials
□ Session tokens are random, rotated, and expire
□ Failed login attempts are rate-limited
□ MFA supported where appropriate
□ Every endpoint has explicit access control
□ No security through obscurity (hidden URLs)
□ Resource ownership verified before access
□ Admin functions require elevated auth
□ Deny by default, allow explicitly
□ All input validated on server (not just client)
□ Allowlist validation preferred over blocklist
□ File uploads restricted by type and size
□ URL redirects validated against allowlist
□ JSON/XML parsing has size limits
□ Sensitive data encrypted at rest
□ TLS 1.2+ for data in transit
□ API keys/secrets in env vars, not code
□ PII minimized and retention limited
□ Logs don't contain passwords/tokens/PII
□ npm audit / pip audit / cargo audit clean
□ No deprecated or unmaintained packages
□ Dependabot or Renovate enabled
□ Lock files committed
□ Known CVE check before release
Before shipping, ask:

| Language | Watch For |
|---|---|
| JavaScript | Prototype pollution, eval(), innerHTML |
| TypeScript | Type assertions bypassing validation |
| Python | pickle deserialization, format strings |
| SQL | String concatenation in queries |
| Shell | Command injection, unquoted variables |
```http
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 0
```

X-XSS-Protection is deprecated; set it to 0 and rely on CSP instead.
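As an added example (not part of this page), a small Python audit that checks one HTTP response's header map against the header list above. The recommended values come from the list; the parsing rules (CSP directive splitting, accepting SAMEORIGIN as well as DENY, the one-year HSTS threshold) are my own assumptions, and the sample responses are constructed.

```python
import re
ONE_YEAR = 31536000  # HSTS max-age from the header list above (one year)

def audit_security_headers(headers):
    """Return findings for one response's headers; [] means the baseline is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # Each ';'-separated directive starts with its name, then its sources.
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        src = directives.get("default-src")
        if src is None:
            findings.append("CSP has no default-src fallback")
        elif "*" in src or "'unsafe-inline'" in src:
            findings.append("CSP default-src allows * or 'unsafe-inline'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY/SAMEORIGIN")
    m = re.search(r"max-age\s*=\s*(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m:
        findings.append("Strict-Transport-Security missing or has no max-age")
    elif int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age={m.group(1)} is below one year")
    # Any value other than 0 re-enables the deprecated browser XSS filter.
    xss = h.get("x-xss-protection")
    if xss is not None and xss.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection should be 0; rely on CSP instead")
    return findings

# Constructed sample responses (not captured from any real server).
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000",
}
WEAK_HEADERS = {  # no nosniff, open CSP, framable, short HSTS, filter enabled
    "content-security-policy": "default-src * 'unsafe-inline'",
    "x-frame-options": "ALLOWALL",
    "strict-transport-security": "max-age=300",
    "x-xss-protection": "1; mode=block",
}
```

Feed it the header dict from any HTTP client response (for example `dict(resp.headers)`) and treat a non-empty result as a review finding.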
When a vulnerability is found:
See synapses.json for connections.