Security Checklist¶

Pre-deployment verification for production readiness.

Quick Reference¶

Use this checklist before every production deployment.

Authentication¶

Passwords hashed with Argon2 or bcrypt
Not MD5, SHA1, or plain SHA256
Proper cost/memory parameters
Strong password requirements enforced
Minimum 12 characters
Mixed case, numbers, special characters
Check against breached password database
JWT tokens properly configured
Short expiration (15 min for access tokens)
Secure secret key (256+ bits)
Algorithm explicitly specified (no "alg": "none")
Session management secure
HTTP-only cookies
Secure flag (HTTPS only)
SameSite attribute set
Session regeneration on login
Rate limiting on auth endpoints
Login: 5 attempts/minute
Registration: 3/hour per IP
Password reset: 3/hour per email
Account lockout implemented
Temporary lockout after failed attempts
Notification to user

Authorization¶

Every endpoint has authorization check
No endpoint accessible without auth check
Default deny policy
Resource ownership verified
Users can only access their own data
Admin bypass explicitly coded
IDOR vulnerabilities checked
Sequential IDs don't expose data
Authorization checked, not just authentication
Privilege escalation prevented
Role changes require admin
Cannot self-promote

Data Protection¶

Sensitive data encrypted at rest
Database encryption enabled
PII fields encrypted at application level
Encryption keys in secure storage
TLS/HTTPS everywhere
No HTTP endpoints in production
TLS 1.2+ only
Strong cipher suites
Secrets not in code
No hardcoded API keys
No hardcoded database passwords
No secrets in Git history
PII handling compliant
Data minimization
Retention policies
Right to deletion implemented

Input Validation¶

All input validated server-side
Type checking (Pydantic/Zod)
Length limits
Format validation
SQL injection prevented
Parameterized queries only
No string concatenation in queries
XSS prevented
Output encoding
Content Security Policy
No dangerouslySetInnerHTML without sanitization
File uploads secured
File type validation (magic bytes, not extension)
Size limits enforced
Files stored outside web root
Filenames sanitized
Path traversal prevented
User input not used in file paths
If necessary, strict validation

API Security¶

CORS properly configured
Specific origins, not *
Credentials handled correctly
Rate limiting implemented
Per-IP limits
Per-user limits
Endpoint-specific limits
Request size limits
Body size limited
File upload size limited
JSON depth limited
API versioning in place
Deprecation process defined
Old versions have sunset dates

Security Headers¶

Strict-Transport-Security

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Security-Policy

Content-Security-Policy: default-src 'self'; script-src 'self'

X-Content-Type-Options
```
X-Content-Type-Options: nosniff
```
X-Frame-Options
```
X-Frame-Options: DENY
```
X-XSS-Protection
```
X-XSS-Protection: 1; mode=block
```

Referrer-Policy

Referrer-Policy: strict-origin-when-cross-origin

Dependencies¶

No known vulnerabilities

# Python
safety check
pip-audit

# JavaScript
bun pm audit

Dependencies pinned
Lockfiles committed
Exact versions in production
Automated scanning in CI
Dependabot/Renovate enabled
Security alerts enabled
Minimal dependencies
Unused packages removed
Dev dependencies not in production

Logging & Monitoring¶

Security events logged
Login attempts (success/failure)
Authorization failures
Password changes
Admin actions
Logs don't contain secrets
Passwords not logged
Tokens not logged
PII masked
Alerting configured
Multiple failed logins
Unusual access patterns
Error rate spikes
Audit trail maintained
Who did what, when
Immutable logs
Retention policy

Infrastructure¶

Firewall configured
Only necessary ports open
Database not publicly accessible
Admin interfaces restricted
Debug mode disabled
No stack traces to users
No verbose error messages
Default credentials changed
No default passwords
No default API keys
Backups tested
Regular backups
Restore procedure tested
Backups encrypted

Error Handling¶

Generic error messages to users

# Bad
raise HTTPException(500, f"Database error: {e}")

# Good
raise HTTPException(500, "An error occurred. Please try again.")

Detailed errors logged internally
Full stack traces in logs
Request context included
No information leakage
No server versions exposed
No technology stack revealed
No internal paths exposed

Database¶

Principle of least privilege
App user has minimal permissions
No SUPERUSER for app
Row-level security (if applicable)
Users can only see their data
Enforced at database level
Connections encrypted
SSL required for connections
Certificate verification
Injection prevention
ORM used correctly
Raw queries parameterized

Deployment¶

CI/CD pipeline secure
Secrets in secure storage
No secrets in logs
Build artifacts verified
Container security (if applicable)
Non-root user
Read-only filesystem
No unnecessary capabilities
Environment isolation
Production isolated from staging
Different credentials per environment

Incident Response¶

Contact list maintained
Security team contacts
Escalation path defined
Response plan documented
Steps for common incidents
Communication templates
Backup access verified
Multiple people can access
Emergency procedures tested

Compliance (if applicable)¶

GDPR
Privacy policy
Consent management
Data export/deletion
PCI DSS (if handling cards)
No card data stored
Using certified payment processor
SOC 2
Access controls documented
Audit logging
Change management

Sign-off¶

Check	Date	Reviewer
Authentication
Authorization
Data Protection
Input Validation
API Security
Security Headers
Dependencies
Logging
Infrastructure
Error Handling
Database
Deployment

Deployment approved by: ___

Date: ___

Quick Commands¶

# Check Python dependencies
pip-audit
safety check

# Check JavaScript dependencies
bun pm audit

# Scan for secrets in code
gitleaks detect

# Check security headers
curl -I https://yoursite.com | grep -E "^(Strict|Content-Security|X-)"

# Test TLS configuration
nmap --script ssl-enum-ciphers -p 443 yoursite.com