Application Security Checklist
Application security checklist with 38 checks across authentication, authorization, I/O, and infrastructure.
Tags: security, checklist, appsec, owasp
Prompt
Create a comprehensive security checklist for: {{application_type}}
Stack: {{tech_stack}}
Auth method: {{auth_type}}
Data types handled: {{sensitive_data}}
Deployment: {{cloud_provider}}

Security checklist by category:

1. **Authentication** (12 checks):
- [ ] Password hashing with bcrypt/argon2 (cost factor ≥12)
- [ ] Account lockout after 5 failed attempts
- [ ] MFA available and encouraged
- [ ] Session timeout (30 min idle, 24 hour absolute)
- [ ] Secure password reset flow (time-limited token, single use)
- [ ] OAuth state parameter validated
- [ ] JWT tokens: short expiry, refresh rotation, proper signing
- [ ] Login attempt rate limiting
- [ ] Credential stuffing protection
- [ ] No credentials in URL parameters
- [ ] Secure remember-me implementation
- [ ] Account enumeration prevention

2. **Authorization** (8 checks):
- [ ] Every endpoint checks permissions
- [ ] IDOR prevention (users can't access others' data)
- [ ] Role-based access control implemented
- [ ] API key permissions are scoped
- [ ] File access controls
- [ ] Admin functions protected
- [ ] Horizontal privilege escalation checked
- [ ] Vertical privilege escalation checked

3. **Input/Output** (10 checks):
- [ ] All input validated server-side (never trust client)
- [ ] Output encoding to prevent XSS
- [ ] Parameterized queries to prevent SQL injection
- [ ] File upload validation (type, size, content)
- [ ] URL redirect validation
- [ ] XML parsing: XXE prevention
- [ ] JSON parsing: prototype pollution prevention
- [ ] Content-Type enforcement
- [ ] Request size limits
- [ ] HTML sanitization for user content

4. **Infrastructure** (8 checks):
- [ ] HTTPS enforced everywhere
- [ ] Security headers (CSP, HSTS, X-Frame-Options)
- [ ] CORS configured narrowly
- [ ] Dependencies scanned for vulnerabilities
- [ ] Secrets in environment variables, not code
- [ ] Logging of security events
- [ ] Error messages don't leak internals
- [ ] Regular penetration testing scheduled
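Several of the checklist items above are concrete enough to turn into small, testable controls. The following is an added example written for this page, not code from the prompt library or from any project it describes: it implements the bcrypt cost-factor audit (≥12), the lockout after 5 failed attempts, the 30-minute idle / 24-hour absolute session timeout, and a presence check for the CSP, HSTS and X-Frame-Options headers. The helper names (`bcrypt_cost_ok`, `LoginGuard`, `session_valid`, `missing_security_headers`) are hypothetical, and the sample hash body is a constructed placeholder rather than a real hash of any password. The bcrypt parsing relies only on the standard modular-crypt layout (`$2b$<cost>$<22 salt + 31 digest>`), so no bcrypt library is needed to audit stored hashes.

```python
# Added example: reference implementations of four checklist items
# (bcrypt cost >= 12, lockout after 5 failures, 30 min idle / 24 h absolute
# session timeout, presence of CSP/HSTS/X-Frame-Options headers).
# Helper names and sample values are hypothetical, not from the page.
import re
from datetime import datetime, timedelta

MIN_BCRYPT_COST = 12                  # checklist: cost factor >= 12
MAX_FAILED_ATTEMPTS = 5               # checklist: lockout after 5 failures
IDLE_TIMEOUT = timedelta(minutes=30)  # checklist: 30 min idle
ABSOLUTE_TIMEOUT = timedelta(hours=24)  # checklist: 24 hour absolute
REQUIRED_HEADERS = (
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
)

# Modular-crypt bcrypt layout: $2<variant>$<2-digit cost>$<22 salt + 31 digest>
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed placeholder for the 53-character salt+digest part; it is not
# a real hash of any password.
SAMPLE_BODY = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"


def bcrypt_cost_ok(stored_hash: str) -> bool:
    """Audit a stored hash: must be bcrypt and use cost >= MIN_BCRYPT_COST.
    Anything that is not bcrypt (plaintext, unsalted digests) fails outright."""
    m = _BCRYPT_RE.match(stored_hash)
    return bool(m) and int(m.group(1)) >= MIN_BCRYPT_COST


class LoginGuard:
    """Per-account failed-attempt counter; locks at MAX_FAILED_ATTEMPTS."""

    def __init__(self) -> None:
        self._failures: dict[str, int] = {}

    def record_failure(self, account: str) -> bool:
        """Count one failed login; returns True once the account is locked."""
        self._failures[account] = self._failures.get(account, 0) + 1
        return self.is_locked(account)

    def record_success(self, account: str) -> None:
        """A successful login clears the counter (call only when not locked)."""
        self._failures.pop(account, None)

    def is_locked(self, account: str) -> bool:
        return self._failures.get(account, 0) >= MAX_FAILED_ATTEMPTS


def session_valid(created_at: datetime, last_seen: datetime, now: datetime) -> bool:
    """Both limits apply: idle gap <= 30 min AND total session age <= 24 h."""
    if now - created_at > ABSOLUTE_TIMEOUT:
        return False
    if now - last_seen > IDLE_TIMEOUT:
        return False
    return True


def missing_security_headers(headers: dict[str, str]) -> list[str]:
    """Return the required headers absent from a response (names compared
    case-insensitively, as HTTP header names are)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


if __name__ == "__main__":
    print(bcrypt_cost_ok("$2b$12$" + SAMPLE_BODY), bcrypt_cost_ok("$2b$10$" + SAMPLE_BODY))
    guard = LoginGuard()
    print([guard.record_failure("alice") for _ in range(5)])
    now = datetime(2024, 1, 1, 12, 0, 0)
    print(session_valid(now - timedelta(hours=1), now - timedelta(minutes=45), now))
    print(missing_security_headers({"X-Frame-Options": "DENY"}))
```

Each function maps to one checkbox, so a reviewer can point at the line that enforces the stated threshold; the header check intentionally reports only presence, since judging a CSP's content needs a policy parser rather than a name lookup.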