OWASP security guidelines and best practices for developing secure applications. Use this when implementing authentication, authorization, data validation, encryption, or security-sensitive features.
This skill provides mandatory security practices for backend development, heavily inspired by the OWASP Top 10 and recent security hardening efforts in this project. Apply these rules whenever building or refactoring auth flows, API endpoints, or database interactions.
Authentication and password storage:

- Hash passwords with bcrypt (with a cost of 12 or higher) or argon2id. Do not use MD5 or SHA for passwords.
- Return one generic error message (e.g., "invalid email or password") whether the email is unknown or the password is wrong, so the response does not reveal which accounts exist.
- Execute a dummy hash comparison (a constant-time operation) for invalid users, so the unknown-user path costs as much as the known-user path and response time cannot be used as an oracle. This prevents timing attacks.

When issuing or validating JWTs:

- `exp` (Expiration Time): Ensure tokens are short-lived, and reject any token that is expired or has no `exp`.
- `iss` (Issuer): Verify the token came from your trusted authorization server.
- `aud` (Audience): Ensure the token is intended for this specific API, not just for some service signed by the same key.
- `jti` (JWT ID): Issue unique IDs to track individual tokens and facilitate blocklisting (revocation before `exp`).
- Algorithm: Sign with RS256 or ES256, and pin the expected algorithm on the verifying side rather than trusting the token's `alg` header. Do not allow the `none` algorithm.

Injection prevention:

- Use the ORM (ent) or parameterized queries. Never concatenate strings into raw SQL queries.

Before finalizing any new feature, verify:
Good: an unknown email and a wrong password produce the same error and take roughly the same time.

```go
func Login(email, password string) error {
	user, err := repo.FindByEmail(email)
	if err != nil {
		domain.CompareDummyPassword(password) // Thwart timing attacks: same cost as a real hash check
		return errors.New("invalid credentials")
	}
	if !user.CheckPassword(password) {
		return errors.New("invalid credentials") // Same message as the unknown-user case
	}
	return nil
}
```
Bad: a distinct error message (and a faster code path) for unknown emails lets an attacker enumerate registered accounts.

```go
func Login(email, password string) error {
	user, err := repo.FindByEmail(email)
	if err != nil {
		return errors.New("user not found") // EXPOSES VALIDITY OF EMAIL
	}
	// ...
}
```
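The JWT rules above (pin the algorithm, then check `exp`, `iss`, `aud` and `jti`), as an added example that is not part of this skill or the project's own code. It uses only the Go standard library, so ES256 signing and verification are written out directly instead of calling a JWT library; the issuer URL, audience name, `jti` values and the revocation map are constructed sample data, and `Sign` exists only to mint the tokens the verifier is exercised against (in practice the authorization server signs, this API only verifies).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)
// Claims are the registered claims this API checks (aud as a single string only).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

// Verifier pins the key, issuer and audience; Revoked is the jti blocklist.
type Verifier struct {
	Pub              *ecdsa.PublicKey
	Issuer, Audience string
	Revoked          map[string]bool
}

// Verify accepts a compact JWS only if the header pins ES256, the signature verifies under v.Pub, and exp, iss, aud and jti all pass.
func (v Verifier) Verify(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string }
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg != "ES256" { // the verifier, not the token, picks the algorithm: "none" and HS256 stop here
		return nil, errors.New("unexpected alg " + hdr.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signature is r||s, 32 bytes each
		return nil, errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(v.Pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("bad signature")
	}
	var c Claims // the payload is parsed only after the signature checks out
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	switch {
	case c.Exp == 0 || !time.Now().Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token expired or missing exp")
	case c.Iss != v.Issuer:
		return nil, errors.New("untrusted issuer")
	case c.Aud != v.Audience:
		return nil, errors.New("token not intended for this API")
	case c.Jti == "" || v.Revoked[c.Jti]:
		return nil, errors.New("token revoked or missing jti")
	}
	return &c, nil
}

// Sign mints a token under the given alg; it is here only to make the example self-contained and to build the "none" token that Verify must reject.
func Sign(priv *ecdsa.PrivateKey, alg string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	if alg == "none" {
		return input + "." // unsecured JWS: empty signature part
	}
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, digest[:])
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Demo (constructed sample data) returns nil for the one valid token and the rejection reason for four tokens that each break one rule.
func Demo() map[string]error {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	v := Verifier{Pub: &priv.PublicKey, Issuer: "https://auth.example.test",
		Audience: "orders-api", Revoked: map[string]bool{"jti-revoked": true}}
	good := Claims{Iss: v.Issuer, Aud: v.Audience, Jti: "jti-1", Exp: time.Now().Add(5 * time.Minute).Unix()}
	expired, wrongAud, revoked := good, good, good
	expired.Exp = time.Now().Add(-time.Minute).Unix()
	wrongAud.Aud = "billing-api"
	revoked.Jti = "jti-revoked"
	try := func(alg string, c Claims) error { _, err := v.Verify(Sign(priv, alg, c)); return err }
	return map[string]error{
		"valid": try("ES256", good), "alg none": try("none", good), "expired": try("ES256", expired),
		"wrong audience": try("ES256", wrongAud), "revoked jti": try("ES256", revoked),
	}
}
```

The ordering inside `Verify` is the point: the algorithm is compared against a constant before anything else is trusted, the signature is checked before the payload is even parsed, and the claim checks run last. A `none` token with a perfectly valid-looking payload therefore never reaches the claim logic, and a stolen-but-revoked token is stopped by the `jti` blocklist even though it is still inside its `exp` window.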