ldy26098
/
BMAD-METHOD
mirror of https://github.com/bmad-code-org/BMAD-METHOD.git
1
0
Fork 0
Code Packages Projects Releases Wiki Activity
BMAD-METHOD/expansion-packs/bmad-javascript-fullstack/checklists/security-checklist.md

5.1 KiB
Raw Blame History

Security Checklist

Authentication

  • Password Hashing - bcrypt/argon2 with sufficient rounds (10-12)
  • Token Expiration - Access tokens expire (15-60 min)
  • Refresh Tokens - Secure refresh token strategy
  • Token Storage - HttpOnly cookies or secure storage
  • Password Requirements - Min length, complexity enforced
  • Password Reset - Secure password reset flow with expiring tokens
  • Account Lockout - Lock after N failed attempts
  • Session Management - Secure session handling

Authorization

  • Route Protection - All protected routes check auth
  • Resource Authorization - Users can only access their resources
  • Role-Based Access - RBAC implemented where needed
  • Principle of Least Privilege - Minimal permissions by default

Input Validation

  • Frontend Validation - Client-side validation for UX
  • Backend Validation - Server-side validation (never trust client)
  • Schema Validation - Zod, Joi, or class-validator
  • Type Checking - TypeScript for compile-time checks
  • Sanitization - DOMPurify or similar for HTML content
  • File Uploads - File type and size validation

SQL Injection Prevention

  • Parameterized Queries - Never concatenate SQL strings
  • ORM Usage - Use Prisma, TypeORM, or similar
  • Input Validation - Validate all user inputs

XSS Prevention

  • Content Security Policy - CSP headers configured
  • Output Encoding - Escape user-generated content
  • Sanitization - Sanitize HTML inputs
  • React Safety - Use React's built-in XSS protection (dangerouslySetInnerHTML only when necessary)

CSRF Protection

  • CSRF Tokens - Tokens for state-changing operations
  • SameSite Cookies - SameSite=Strict or Lax
  • Origin Validation - Validate request origin

CORS Configuration

  • Allowed Origins - Whitelist specific origins, no wildcards in production
  • Credentials - credentials: true only when necessary
  • Allowed Methods - Only required methods
  • Preflight Caching - maxAge set appropriately

Secrets Management

  • Environment Variables - All secrets in env vars
  • No Hardcoded Secrets - No secrets in code
  • Secret Rotation - Plan for rotating secrets
  • .env in .gitignore - Never commit .env files
  • Production Secrets - Use secret management service (AWS Secrets Manager, etc.)

HTTPS/TLS

  • HTTPS Only - All traffic over HTTPS
  • HTTP to HTTPS - Redirect HTTP to HTTPS
  • HSTS Header - Strict-Transport-Security header
  • TLS Version - TLS 1.2 or higher
  • Valid Certificate - Properly configured SSL certificate

Security Headers

  • Helmet.js - Use Helmet for Express/Fastify
  • X-Content-Type-Options - nosniff
  • X-Frame-Options - DENY or SAMEORIGIN
  • X-XSS-Protection - 1; mode=block
  • Referrer-Policy - no-referrer or strict-origin-when-cross-origin
  • Permissions-Policy - Restrict browser features

Rate Limiting

  • Global Rate Limit - Prevent abuse (100 req/15min)
  • Auth Rate Limit - Strict limits on login (5 req/15min)
  • Per-User Limits - User-specific rate limits
  • Redis-backed - Use Redis for distributed rate limiting

Dependency Security

  • npm audit - Run regularly and fix issues
  • Snyk/Dependabot - Automated dependency scanning
  • Update Dependencies - Keep dependencies up to date
  • Lock Files - Commit package-lock.json or yarn.lock
  • Audit Third-party Code - Review third-party packages

API Security

  • API Keys - Secure API key management
  • Token Rotation - Rotate API keys periodically
  • Request Signing - Sign sensitive requests
  • Rate Limiting - Per-API-key rate limits
  • IP Whitelisting - Whitelist IPs where appropriate

Logging & Monitoring

  • Security Events - Log authentication failures, authorization failures
  • No Sensitive Data - Never log passwords, tokens, credit cards
  • Anomaly Detection - Monitor for unusual patterns
  • Audit Trail - Log important user actions

Infrastructure Security

  • Firewall - Proper firewall rules
  • Database Access - Database not publicly accessible
  • Principle of Least Privilege - Minimal IAM permissions
  • Regular Backups - Encrypted backups
  • Vulnerability Scanning - Regular security scans

OWASP Top 10 Coverage

  • A01 Broken Access Control - Authorization checks
  • A02 Cryptographic Failures - Proper encryption
  • A03 Injection - Input validation
  • A04 Insecure Design - Security by design
  • A05 Security Misconfiguration - Secure defaults
  • A06 Vulnerable Components - Updated dependencies
  • A07 Authentication Failures - Secure auth
  • A08 Data Integrity Failures - Integrity checks
  • A09 Logging Failures - Adequate logging
  • A10 SSRF - SSRF prevention

Security Rating: