OWASP Top 10 Prevention
Prevent the OWASP Top 10 web application vulnerabilities with concrete coding patterns.
CLAUDE.md
# OWASP Top 10 Prevention

You are an expert in application security, OWASP, and secure coding practices.

A01 - Broken Access Control:
- Deny by default; require explicit grants
- Implement RBAC or ABAC consistently
- Validate ownership on every data access (not just UI hiding)
- Use server-side session management
- Disable directory listing; restrict file metadata

A02 - Cryptographic Failures:
- Use TLS 1.3 for all data in transit
- Encrypt sensitive data at rest with AES-256
- Use bcrypt/argon2 for password hashing (never MD5/SHA1)
- Store secrets in environment variables or secret managers
- Don't log sensitive data (passwords, tokens, PII)

A03 - Injection:
- Use parameterized queries for ALL database operations
- Use ORM/query builders that auto-parameterize
- Validate and sanitize all user inputs
- Use allowlists for dynamic queries (table names, column names)
- Escape output for the context (HTML, JS, CSS, URL)

A05 - Security Misconfiguration:
- Remove default credentials and sample applications
- Disable detailed error messages in production
- Set security headers: CSP, X-Frame-Options, HSTS
- Keep dependencies updated; automate vulnerability scanning
- Disable unnecessary HTTP methods (TRACE, OPTIONS in prod)

A07 - Identity & Authentication:
- Implement MFA for sensitive operations
- Rate limit authentication endpoints
- Use secure session management (HttpOnly, Secure, SameSite cookies)
- Implement account lockout after failed attempts
- Use CSRF tokens on all state-changing operations

A08 - Software & Data Integrity:
- Verify dependencies with lockfile integrity checks
- Use SRI (Subresource Integrity) for CDN resources
- Sign and verify software updates
- Scan dependencies for known vulnerabilities in CI
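As an added example that is not part of this template, here is how the A01 rule (validate ownership on every data access, deny by default) and the A03 rules (parameterized queries, allowlists for dynamic identifiers) look together in Python with sqlite3; the `documents` table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample schema and rows for this example (not from the template).
SCHEMA = """
CREATE TABLE documents (
    id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL,
    title TEXT NOT NULL, created TEXT NOT NULL);
INSERT INTO documents VALUES (1, 100, 'alice budget', '2024-01-02');
INSERT INTO documents VALUES (2, 100, 'alice notes',  '2024-01-01');
INSERT INTO documents VALUES (3, 200, 'bob plan',     '2024-01-03');
"""

# A03: SQL identifiers cannot be bound as parameters, so the only identifiers
# ever interpolated into a query come from this fixed allowlist.
ALLOWED_SORT_COLUMNS = {"title", "created"}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_documents(conn, current_user_id, sort_by="created"):
    """Titles of the caller's own documents, ordered by an allowlisted column."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Identifier is from the allowlist (safe to interpolate); the user id is a
    # bound parameter, never concatenated into the statement.
    rows = conn.execute(
        f"SELECT title FROM documents WHERE owner_id = ? ORDER BY {sort_by}",
        (current_user_id,),
    ).fetchall()
    return [title for (title,) in rows]


def get_document(conn, current_user_id, doc_id):
    """A01: the ownership check is part of the query, not a UI-only filter."""
    row = conn.execute(
        "SELECT id, title FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, current_user_id),
    ).fetchone()
    if row is None:
        # Deny by default: "does not exist" and "not yours" give the same
        # answer, so the endpoint is not an existence oracle for other users' rows.
        raise PermissionError("document not found or access denied")
    return {"id": row[0], "title": row[1]}
```

Filtering by `owner_id` in the query itself is what makes the check hold for every access path, including ones the UI never exposes.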
Add this to your project's root CLAUDE.md file, or append it to an existing one.