OWASP Top 10 Security Guide

Perform a comprehensive OWASP Top 10 security audit and implement security hardening measures for the following application:

Application Details

Application Type: [Web app / API / Mobile backend / Microservice / Full-stack]
Tech Stack: [e.g., Next.js + tRPC / Express + PostgreSQL / Django + React]
Authentication Method: [JWT / Session-based / OAuth / API Keys / None currently]
Database: [PostgreSQL / MySQL / MongoDB / Supabase / Firebase]
Hosting/Deployment: [Vercel / AWS / GCP / Azure / Self-hosted]
User Roles: [Admin, User, Guest / Custom roles / No roles currently]

Code to Audit

Provide the codebase location or key files to audit:

Authentication/Authorization Code: [File paths or code snippets]
API Routes/Endpoints: [File paths or code snippets]
Database Queries: [File paths or code snippets]
User Input Handling: [File paths or code snippets]
Configuration Files: [Environment, middleware, security headers]

Security Requirements

1. Broken Access Control

Current State: [Describe current access control implementation / None]
Required Protections:
- Implement role-based access control (RBAC)
- Protect admin routes from unauthorized access
- Validate user permissions on every protected endpoint
- Implement resource-level authorization (users can only access their own data)
- Log and monitor access control failures
Specific Endpoints to Protect: [List sensitive endpoints]

2. Cryptographic Failures

Current State: [Describe current encryption practices / None]
Required Protections:
- Enforce HTTPS/TLS for all connections
- Hash passwords with bcrypt/argon2 (min 12 rounds)
- Encrypt sensitive data at rest (PII, payment info, etc.)
- Use secure random token generation
- Implement proper key management
Sensitive Data to Protect: [List: passwords, PII, payment data, etc.]

3. Injection Attacks

Current State: [Describe current query practices / None]
Required Protections:
- Use parameterized queries/prepared statements for all database operations
- Implement input validation and sanitization
- Use ORM/query builders (Prisma, TypeORM, etc.)
- Validate and sanitize user input on both client and server
- Implement Content Security Policy (CSP) headers
User Input Points: [List forms, search, filters, file uploads, etc.]

4. Insecure Design

Current State: [Describe current security architecture / None]
Required Protections:
- Implement defense in depth (multiple security layers)
- Use secure design patterns (least privilege, fail secure)
- Separate sensitive operations into isolated services
- Implement proper error handling (no sensitive info in errors)
- Use security-focused code review practices

5. Security Misconfiguration

Current State: [Describe current configuration / None]
Required Protections:
- Remove default accounts and credentials
- Disable unnecessary features, ports, and services
- Configure security headers (HSTS, X-Frame-Options, etc.)
- Keep all dependencies updated
- Implement proper CORS configuration
- Remove debug/verbose error messages in production
Security Headers Needed: [Specify or use defaults]

6. Vulnerable and Outdated Components

Current State: [Describe dependency management / None]
Required Protections:
- Audit all dependencies for known vulnerabilities
- Update outdated packages to latest secure versions
- Remove unused dependencies
- Implement automated dependency scanning (Dependabot, Snyk)
- Pin dependency versions in production

7. Identification and Authentication Failures

Current State: [Describe current auth implementation / None]
Required Protections:
- Implement multi-factor authentication (MFA/2FA)
- Enforce strong password policies (min length, complexity)
- Implement rate limiting on authentication endpoints
- Use secure session management (httpOnly, secure, sameSite cookies)
- Implement account lockout after failed attempts
- Use secure password reset flows
Auth Endpoints: [List: /login, /register, /reset-password, etc.]

8. Software and Data Integrity Failures

Current State: [Describe current integrity measures / None]
Required Protections:
- Verify integrity of dependencies (use lock files)
- Implement code signing for deployments
- Use Subresource Integrity (SRI) for CDN resources
- Validate data integrity in CI/CD pipeline
- Implement audit logging for critical operations

9. Security Logging and Monitoring Failures

Current State: [Describe current logging / None]
Required Protections:
- Log all authentication attempts (success and failure)
- Log authorization failures
- Log input validation failures
- Implement centralized logging (Winston, Pino, etc.)
- Set up alerts for suspicious activities
- Ensure logs don't contain sensitive data
Events to Log: [Specify critical events to monitor]

10. Server-Side Request Forgery (SSRF)

Current State: [Describe current external request handling / None]
Required Protections:
- Validate and sanitize all user-supplied URLs
- Implement allowlist for external domains
- Disable HTTP redirects in external requests
- Use network segmentation to isolate internal services
- Validate response content types
External API Calls: [List any user-controlled external requests]

Additional Security Measures

Rate Limiting

Endpoints to Rate Limit: [Login, API endpoints, etc.]
Limits: [e.g., 5 login attempts per 15 minutes, 100 API calls per hour]
Implementation: [express-rate-limit / Upstash / CloudFlare / Custom]

Input Validation

Validation Library: [Zod / Joi / Yup / express-validator / Custom]
Validation Points: [List all user input points]
Sanitization: [DOMPurify / validator.js / Custom]

API Security

API Authentication: [JWT / API Keys / OAuth2]
API Rate Limiting: [Yes / No]
Request Size Limits: [Specify max payload size]
CORS Configuration: [Allowed origins]

File Upload Security (if applicable)

File Types Allowed: [Images / PDFs / Documents / etc.]
Max File Size: [Specify limit]
Validation: [File type validation / Virus scanning / Content validation]
Storage: [S3 / Cloudinary / Local with restrictions]

Deliverables

Generate a comprehensive security implementation including:

Security Audit Report:
- Detailed analysis of current vulnerabilities
- Risk assessment for each OWASP Top 10 category
- Prioritized list of security issues found
- Specific code locations with vulnerabilities
Hardened Code Implementation:
- Fixed authentication/authorization with proper RBAC
- Secure database queries using parameterized statements
- Input validation middleware for all endpoints
- Password hashing with bcrypt/argon2
- Rate limiting on sensitive endpoints
- Security headers middleware
- Secure session/JWT configuration
- CORS configuration
- Error handling without information leakage
Security Middleware:
- Authentication middleware
- Authorization/permission checking middleware
- Input validation middleware
- Rate limiting middleware
- Security headers middleware (helmet.js or custom)
- Request logging middleware
Configuration Files:
- Environment variables template with security notes
- Security headers configuration
- CORS configuration
- Rate limiting configuration
- CSP policy configuration
Security Utilities:
- Password hashing/validation utilities
- Token generation utilities
- Input sanitization helpers
- Permission checking helpers
- Secure random generation
Testing & Validation:
- Security test cases for authentication
- Authorization test cases
- Input validation test examples
- Rate limiting test examples
Documentation:
- Security implementation guide
- Deployment security checklist
- Incident response procedures
- Security best practices for the team

Output production-ready, security-hardened code following OWASP Top 10 guidelines with:

Defense in depth approach
Principle of least privilege
Fail-secure defaults
Complete input validation
Proper error handling
Comprehensive logging
Regular security updates
Clear security documentation