Security Audit

Common Patterns

• Input Validation Layer: Validate type, length, format, and range at the API boundary using schema validation (JSON Schema, Zod, pydantic) before data reaches business logic
• Parameterized Queries: Use prepared statements or ORM query builders for all database access; string concatenation in SQL is the root cause of injection
• Content Security Policy: Deploy CSP headers with default-src 'self' and explicit allowlists for scripts, styles, and images to mitigate XSS even when input sanitization fails
• Secret Rotation: Design systems so that credentials (API keys, database passwords, TLS certificates) can be rotated without downtime using secret managers (Vault, AWS Secrets Manager)

Pitfalls to Avoid

• Do not rely on client-side validation alone; attackers bypass the UI entirely and send crafted requests directly to the API
• Do not log sensitive data (passwords, tokens, PII) even at debug level; logs are often stored with weaker access controls than the primary data store
• Do not use MD5 or SHA-1 for password hashing; use bcrypt, scrypt, or Argon2id with appropriate cost factors
• Do not expose detailed error messages (stack traces, SQL errors, internal paths) to end users; return generic errors and log details server-side