zhongwei/gh-greyhaven-ai-claude-code-config-grey-haven-plugins-security
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5f6dacc74bd68438f0a288e40c025852181e4cb9
gh-greyhaven-ai-claude-code…/skills/security-practices/checklists/security-audit-checklist.md
Zhongwei Li 5f6dacc74b Initial commit
2025-11-29 18:29:28 +08:00

5.7 KiB
Raw Blame History

Security Audit Checklist

Use this checklist before deploying Grey Haven applications to production.

Secret Management

  • NO secrets committed to git (check with git log -p | grep -E "sk-|api_key|secret")
  • All secrets managed through Doppler
  • Development config uses dev secrets (Doppler dev)
  • Production config uses prod secrets (Doppler production)
  • No .env files committed
  • .env.example documents required variables

Authentication & Authorization

  • Sessions use secure, httpOnly cookies
  • sameSite="lax" or "strict" set on session cookies
  • Passwords require min 12 characters
  • Passwords validated for complexity (uppercase, lowercase, number, special char)
  • Failed login attempts rate-limited
  • Session expiry configured (max 7 days)
  • Logout properly invalidates sessions

Multi-Tenant Isolation

  • RLS enabled on ALL multi-tenant tables
  • tenant_id field on ALL multi-tenant tables
  • ALL queries filter by tenant_id
  • No direct SQL queries (use ORM)
  • Tenant isolation tested (cannot access other tenant's data)
  • Admin operations respect tenant boundaries

Input Validation

  • ALL user input validated (Zod for TS, Pydantic for Python)
  • Email addresses validated
  • Numeric inputs have min/max constraints
  • String inputs have length limits
  • File uploads validate type AND content
  • File upload size limits enforced (5MB default)

Output Sanitization

  • React JSX used for HTML rendering (auto-escapes)
  • No dangerouslySetInnerHTML without sanitization
  • DOMPurify used if HTML rendering needed
  • API responses don't include sensitive data
  • Error messages don't leak implementation details

SQL Injection Prevention

  • Drizzle ORM used for all database queries (TypeScript)
  • SQLModel used for all database queries (Python)
  • NO raw SQL string concatenation
  • Parameterized queries ONLY
  • Database migrations reviewed for security

XSS Prevention

  • Content-Security-Policy header configured
  • No inline JavaScript in HTML
  • No eval() or similar dangerous functions
  • User-generated content sanitized before display
  • File uploads don't allow HTML/JavaScript

CSRF Protection

  • sameSite cookies enabled
  • CSRF tokens on state-changing operations (if needed)
  • Origin header validation
  • Double-submit cookie pattern (if applicable)

CORS Configuration

  • CORS origins explicitly whitelisted
  • NO wildcard CORS origin in production
  • credentials: true only for trusted origins
  • Preflight requests handled correctly

Rate Limiting

  • Login endpoint rate-limited (10 attempts/hour)
  • Email send rate-limited (10 emails/hour per user)
  • API endpoints rate-limited (100 req/min per IP)
  • Expensive operations rate-limited
  • Rate limit headers returned (X-RateLimit-*)

HTTPS/TLS

  • HTTPS enforced in production
  • HTTP redirects to HTTPS
  • Strict-Transport-Security header set (HSTS)
  • Valid TLS certificate
  • TLS 1.2+ only (no TLS 1.0/1.1)

Headers Security

  • X-Frame-Options: DENY or SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • X-XSS-Protection: 1; mode=block
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy configured

Error Handling

  • Production errors don't leak stack traces
  • Errors logged server-side only
  • Generic error messages to users
  • Sentry/logging configured for production
  • No sensitive data in error messages

Database Security

  • Database credentials rotated regularly
  • Database uses TLS connection
  • Separate database users for dev/prod
  • Database backups encrypted
  • PII encrypted at rest (if applicable)

File Upload Security

  • File type validation (MIME type + magic numbers)
  • File size limits enforced
  • Uploaded files scanned for malware
  • Files stored outside web root
  • Random filenames generated (prevent path traversal)
  • Upload endpoint requires authentication

Dependencies

  • No high/critical vulnerabilities (npm audit, pip-audit)
  • Dependencies up to date
  • Dependabot/Renovate configured
  • Package-lock.json / poetry.lock committed
  • Unused dependencies removed

Logging & Monitoring

  • Security events logged (failed logins, permission changes)
  • Logs don't contain sensitive data (passwords, tokens)
  • Anomaly detection configured
  • Alerts for suspicious activity
  • Audit trail for admin actions

Testing

  • Security tests written and passing
  • Tenant isolation tested
  • Rate limiting tested
  • Input validation tested
  • Authentication flows tested
  • Permission boundaries tested

Compliance (if applicable)

  • GDPR compliance verified (EU users)
  • CCPA compliance verified (CA users)
  • SOC 2 requirements met
  • HIPAA compliance (if healthcare)
  • Data retention policies implemented

Scoring

  • 45+ items checked: Excellent - Production ready
  • 35-44 items: Good - Minor gaps to address ⚠️
  • 25-34 items: Fair - Significant security work needed 🔴
  • <25 items: Poor - NOT production ready

Next Steps

If score < 45:

  1. Address all unchecked critical items (secrets, RLS, input validation)
  2. Run npm audit / pip-audit and fix vulnerabilities
  3. Test multi-tenant isolation thoroughly
  4. Review OWASP Top 10 reference
  5. Re-run checklist

Related Resources

Total Items: 70+ security checks Critical Items: Secrets, RLS, Input Validation, SQL Injection Last Updated: 2025-11-09

Reference in New Issue View Git Blame Copy Permalink