---
name: secure-coding-checklist
description: >
  OWASP-aligned security checklist for code changes. Use when reviewing or writing
  code that touches auth, input handling, data access, secrets, or external calls.
---

# Secure Coding Checklist

Apply to any security-sensitive change. Flag findings with severity + file:line + fix.

## Input & injection
- All external input validated/parameterized (SQL, command, template, path).
- No string-built queries; use prepared statements / query builders.

## AuthN / AuthZ
- Every protected operation checks authorization, not just authentication.
- No IDOR: object access is scoped to the caller.
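
The two sections above (string-built queries, and object access that is not scoped to the caller) usually fail together in the same lookup function, so here is one added Python example, not code from this checklist, showing a vulnerable invoice lookup beside its hardened form. The in-memory SQLite table, the `invoices` schema and the user ids are constructed for the demo:

```python
import sqlite3
from typing import List, Optional, Tuple

Row = Tuple[int, int, int]  # (id, owner_id, amount)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three invoices belonging to two different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, amount INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, owner_id, amount) VALUES (?, ?, ?)",
        [(1, 100, 50), (2, 100, 75), (3, 200, 999)],
    )
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: str) -> List[Row]:
    """Fails both checklist items: the query is string-built, and nothing ties the
    row to the caller, so any authenticated user can read any invoice (IDOR)."""
    query = f"SELECT id, owner_id, amount FROM invoices WHERE id = {invoice_id}"
    return conn.execute(query).fetchall()


def get_invoice(conn: sqlite3.Connection, caller_id: int, invoice_id) -> Optional[Row]:
    """Hardened: the id is type-checked, the query is parameterized, and the
    owner_id predicate scopes the lookup to the caller. A wrong owner looks
    exactly like a missing row, so nothing is leaked about other users' ids."""
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner_id, amount FROM invoices WHERE id = ? AND owner_id = ?",
        (invoice_id, caller_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Caller 100 asks for invoice 3, which belongs to user 200.
    print(get_invoice_vulnerable(db, "3"))  # leaks the other user's row
    print(get_invoice(db, 100, 3))          # None: scoped to the caller
    print(get_invoice(db, 100, 1))          # (1, 100, 50)
```

In review, the thing to look for is the `owner_id = ?` predicate (or an equivalent ownership check on the loaded object) on every read, update and delete, not only on the list endpoint; a parameterized query alone fixes the injection but not the IDOR.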

## Secrets
- No hard-coded secrets, tokens, keys. (Hard-coded secret → CRITICAL, stop.)
- Secrets come from the vault/secret manager, never source or logs.
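
An added example of the check behind the "hard-coded secret" item, reporting findings in the severity + file:line + fix shape the header asks for. This is not code from the checklist; the rules, the placeholder filter and the sample source file are constructed for illustration, and a real scanner would use a maintained ruleset plus entropy checks:

```python
import re
from dataclasses import dataclass
from typing import List

# Hypothetical rules for this example. Each entry is (rule name, compiled pattern).
RULES = [
    ("literal assigned to a secret-like name",
     re.compile(r"""(?i)\b(password|passwd|secret|api[_-]?key|token|private[_-]?key)\s*[:=]\s*["']([^"']{8,})["']""")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Obvious placeholders are not findings.
PLACEHOLDER = re.compile(r"(?i)changeme|replace[_-]?me|example|dummy|<[^>]*>")


@dataclass
class Finding:
    severity: str
    location: str  # file:line
    rule: str
    fix: str

    def __str__(self) -> str:
        return f"{self.severity} {self.location}: {self.rule} -> {self.fix}"


def scan_source(path: str, text: str) -> List[Finding]:
    """Return one CRITICAL finding per line that embeds a credential literal.
    Runtime lookups (os.environ, a vault client) never match because the value
    on the right-hand side is not a quoted literal."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line) and not PLACEHOLDER.search(line):
                findings.append(Finding(
                    "CRITICAL", f"{path}:{lineno}", rule,
                    "read the value from the secret manager at runtime and rotate it",
                ))
                break  # one finding per line is enough
    return findings


# Constructed sample file: one env lookup (fine), two embedded secrets, one placeholder.
SAMPLE = '''import os
DB_PASSWORD = os.environ["DB_PASSWORD"]
api_key = "cfg_live_0123456789abcdef"
aws_access_key = "AKIAABCDEFGHIJKLMNOP"
token = "<replace-me>"
'''

if __name__ == "__main__":
    for finding in scan_source("app/config.py", SAMPLE):
        print(finding)
```

The fix text deliberately says "rotate": once a literal has been committed it is exposed regardless of whether the line is later removed, so moving it to the vault is only half the remediation.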

## Data & transport
- PII handled per the `pii-handling` skill; TLS enforced on external calls.
- No sensitive data in logs, URLs, or error messages.

## Deserialization & SSRF
- No unsafe deserialization of untrusted input.
- Outbound URLs are allowlisted; no user-controlled host fetches.
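
An added example, not from this checklist, of the outbound-URL allowlist check in Python. The allowed hosts are constructed for the demo; the validator refuses anything that is not HTTPS, carries credentials in the authority, names an IP literal, uses a non-standard port, or points at a host outside the allowlist:

```python
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit

# Constructed allowlist of hosts this service is permitted to call.
ALLOWED_HOSTS = frozenset({"api.payments.example", "webhooks.example"})


class OutboundUrlRejected(ValueError):
    """Raised with a reason suitable for a log line or a review finding."""


def validate_outbound_url(url: str, allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Return the URL unchanged if it may be fetched, else raise OutboundUrlRejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise OutboundUrlRejected("scheme must be https")
    # "https://trusted.example@evil.example/" parses the trusted name as a username.
    if parts.username or parts.password:
        raise OutboundUrlRejected("credentials in URL authority")
    host = parts.hostname
    if not host:
        raise OutboundUrlRejected("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass  # not an IP literal, which is what we want
    else:
        raise OutboundUrlRejected("IP literals are not allowed")
    if host not in allowed_hosts:
        raise OutboundUrlRejected(f"host {host!r} is not allowlisted")
    try:
        port = parts.port
    except ValueError:
        raise OutboundUrlRejected("malformed port")
    if port not in (None, 443):
        raise OutboundUrlRejected(f"non-standard port {port}")
    return url


def is_allowed(url: str) -> bool:
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_outbound_url(url)
        return True
    except OutboundUrlRejected:
        return False


if __name__ == "__main__":
    for candidate in (
        "https://api.payments.example/v1/charge",
        "http://api.payments.example/v1/charge",
        "https://api.payments.example@evil.example/",
        "https://10.0.0.5/",
        "https://api.payments.example:8443/",
    ):
        try:
            validate_outbound_url(candidate)
            print("allow ", candidate)
        except OutboundUrlRejected as reason:
            print("reject", candidate, "->", reason)
```

Two caveats for review: the check runs on the string before any request is made, so the HTTP client must also be configured not to follow redirects automatically (re-validate each `Location` before following it), and name resolution should happen once and be pinned for the connection so that the host that was validated is the host that is contacted.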

Put the full OWASP Top 10 mapping in references/owasp-mapping.md (tier-3) if you
need it — keep this body scannable.
