
Security Review Checklist

Security review checklist for Claude Code — covers auth, authorization, input validation, and data protection.

Tags: claude-code, security, checklist, owasp
Prompt
Before completing any task that touches authentication, authorization, data handling, or API endpoints, verify:

## Authentication
- [ ] Passwords are hashed with a slow, salted password hash (argon2id or bcrypt), never stored in plain text or as a fast unsalted digest (MD5/SHA-*)
- [ ] JWTs carry a short expiry (`exp`) that is enforced on verification, not merely set at issue time
- [ ] Refresh tokens are rotated on every use, and reuse of an already-rotated token revokes the whole session
- [ ] Session invalidation works on logout (server-side: the token stops working, not just the cookie being cleared)

## Authorization
- [ ] Every API endpoint checks the caller's permissions, denying by default; no endpoint is "protected" only by being unlisted
- [ ] Users cannot access other users' data: object lookups are scoped to the caller, not fetched by id alone (IDOR check)
- [ ] Admin routes are protected by server-side role checks, not merely hidden in the UI
- [ ] Row-level security (RLS) policies are enabled on new tables, so a missed application check still does not expose rows
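
The IDOR and role-check items, as an added example that is not from the checklist page: a "get invoice" handler in its vulnerable form (lookup by id alone) next to the fixed form (lookup scoped to the caller), plus an admin-only route. The `User`/`Invoice` shapes, the in-memory `invoices` array and the Postgres policy in the trailing comment are constructed for the example; the policy assumes the application sets `app.user_id` and `app.role` on each connection.

```typescript
// Added example (not from the checklist page): object-level authorization for
// an invoices API, in memory. Sample rows and the User/Invoice shapes are constructed.
type Role = "user" | "admin";
type User = { id: string; role: Role };
type Invoice = { id: string; ownerId: string; total: number };

const invoices: Invoice[] = [
  { id: "inv-1", ownerId: "alice", total: 120 },
  { id: "inv-2", ownerId: "bob", total: 80 },
];

type ApiResult<T> = { status: 200; body: T } | { status: 403 | 404; body?: undefined };

// VULNERABLE: looks the invoice up by id alone. Any authenticated user can walk
// inv-1, inv-2, ... and read everyone's invoices (IDOR).
function getInvoiceInsecure(_caller: User, invoiceId: string): ApiResult<Invoice> {
  const inv = invoices.find((i) => i.id === invoiceId);
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// The ownership rule lives in one place and is part of the lookup, not bolted on after.
function canRead(caller: User, inv: Invoice): boolean {
  return caller.role === "admin" || inv.ownerId === caller.id;
}

// FIXED: the query is scoped to what the caller may see. A non-owner gets 404,
// the same as a missing id, so the response does not confirm that the id exists.
function getInvoice(caller: User, invoiceId: string): ApiResult<Invoice> {
  const inv = invoices.find((i) => i.id === invoiceId && canRead(caller, i));
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Admin-only route: the role check runs on the server, before any work is done.
function listAllInvoices(caller: User): ApiResult<Invoice[]> {
  if (caller.role !== "admin") return { status: 403 };
  return { status: 200, body: invoices };
}

// The same rule as a Postgres row-level security policy (assumed setup: the app
// runs SET LOCAL app.user_id / app.role for the caller before each query), so
// the database enforces it even if a future handler forgets canRead():
//
//   ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
//   CREATE POLICY invoices_read ON invoices FOR SELECT
//     USING (owner_id = current_setting('app.user_id', true)
//            OR current_setting('app.role', true) = 'admin');
```

Returning 404 rather than 403 for someone else's object is a deliberate choice: a 403 tells an enumerating client which ids are real.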

## Input Validation
- [ ] All user input is validated against a schema at the API boundary (Zod/Joi), with unknown fields rejected rather than passed through
- [ ] SQL queries use parameterized queries or prepared statements; user input is never concatenated into query text
- [ ] File uploads validate type (by content, not just extension or Content-Type), enforce a size limit, and are scanned for malware
- [ ] Redirect targets are validated against an allowlist of hosts or same-site paths before use (prevent open redirect)
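
The parameterized-query and open-redirect items, as an added example that is not from the checklist page. The `sql` tagged template produces the `{text, values}` shape that drivers such as node-postgres accept, with `$n` placeholders; `safeRedirect` parses every candidate against a sentinel base so that protocol-relative tricks (`//evil.com`, `/\evil.com`) resolve to their real host and get rejected. Both helpers, the `users` table and the host allowlist are constructed for the example.

```typescript
// Added example (not from the checklist page): two input-boundary checks.
// The sql tag, safeRedirect and the sample query are constructed for the example.
type Query = { text: string; values: unknown[] };

// Tagged template: every interpolation becomes a $n placeholder and the value is
// shipped separately, so user input can never change the statement's shape.
// Identifiers (table/column names) cannot be bound this way; choose them from a
// fixed allowlist instead.
function sql(strings: TemplateStringsArray, ...values: unknown[]): Query {
  let text = "";
  strings.forEach((s, i) => {
    text += s;
    if (i < values.length) text += `$${i + 1}`;
  });
  return { text, values };
}

// VULNERABLE: a quote in the input closes the literal and the rest is parsed as SQL.
function findUserInsecure(email: string): string {
  return `SELECT id FROM users WHERE email = '${email}'`;
}

// SAFE: the statement text is constant; the driver binds the value as data.
function findUser(email: string): Query {
  return sql`SELECT id FROM users WHERE email = ${email} AND deleted_at IS NULL`;
}

// Post-login redirect: accept same-site paths, or absolute https URLs whose host is
// on the allowlist; anything else falls back. Parsing against a sentinel base makes
// "//evil.com" and "/\evil.com" show up as evil.com rather than as a local path.
const SENTINEL = "https://relative.invalid";

function safeRedirect(
  target: string | null | undefined,
  allowedHosts: readonly string[],
  fallback = "/",
): string {
  if (!target) return fallback;
  let url: URL;
  try {
    url = new URL(target, SENTINEL);
  } catch {
    return fallback; // unparsable input
  }
  if (url.origin === SENTINEL) {
    // Resolved against the sentinel: a genuine relative path on our own site.
    return url.pathname + url.search + url.hash;
  }
  if (url.protocol !== "https:") return fallback;        // rejects http:, javascript:, data:
  if (!allowedHosts.includes(url.host)) return fallback; // exact host[:port] match, no suffix matching
  return url.href;
}
```

Comparing `url.host` exactly is what defeats `https://example.com.evil.com` and `https://example.com@evil.com`; a `startsWith` or `includes` check on the raw string would accept both.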

## Data Protection
- [ ] Sensitive data is encrypted at rest, with keys held outside the database that stores the data
- [ ] API responses don't leak sensitive fields (password hashes, tokens, secrets, internal IDs); responses are built from an allowlist of fields, not by deleting known-bad ones
- [ ] Logs don't contain PII or credentials (including Authorization and Cookie headers)
- [ ] Error messages don't expose stack traces or internal details to clients; details go to the server log under a request id
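
The response-leak, log-hygiene and error-message items together, as an added example that is not from the checklist page: an allowlist serializer, a recursive log redactor, and an error envelope that keeps the stack on the server. The `DbUser` row, the sensitive-key pattern and the in-memory `logSink` are constructed for the example.

```typescript
// Added example (not from the checklist page): allowlist serialization, log
// redaction and a client-safe error envelope. DbUser and the sample values are constructed.
type DbUser = {
  id: number;        // internal serial, never exposed
  publicId: string;  // random identifier used in URLs and responses
  email: string;
  name: string;
  passwordHash: string;
  mfaSecret: string;
};

type PublicUser = { id: string; name: string; email: string };

// Fields are opted IN. A column added to the table later never reaches the wire
// by accident, which is the failure mode of an "omit passwordHash" denylist.
function toPublicUser(u: DbUser): PublicUser {
  return { id: u.publicId, name: u.name, email: u.email };
}

// Keys that carry credentials, wherever they appear in a logged object.
const SENSITIVE_KEY = /^(password|passwordHash|token|refreshToken|secret|mfaSecret|authorization|cookie|set-cookie)$/i;
const BEARER = /Bearer\s+[A-Za-z0-9._~+/=-]+/g;
const EMAIL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Walks any JSON-like value; replaces credential fields and masks PII inside strings.
function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SENSITIVE_KEY.test(k) ? "[REDACTED]" : redact(v);
    }
    return out;
  }
  if (typeof value === "string") {
    return value.replace(BEARER, "Bearer [REDACTED]").replace(EMAIL, "[EMAIL]");
  }
  return value;
}

type LogEntry = Record<string, unknown>;
const logSink: LogEntry[] = []; // stand-in for the real logger
function log(entry: LogEntry): void {
  logSink.push(redact(entry) as LogEntry); // redaction is the logger's job, not each call site's
}

// Errors: full detail goes to the log under a request id; the client sees only the
// id and a generic message, never the stack or the underlying cause.
function toClientError(err: unknown, requestId: string): { status: 500; body: { error: string; requestId: string } } {
  const e = err instanceof Error ? err : new Error(String(err));
  log({ level: "error", requestId, message: e.message, stack: e.stack });
  return { status: 500, body: { error: "Internal server error", requestId } };
}
```

The request id in the response is what lets support correlate a user's report with the redacted server-side entry without ever shipping the stack to the browser.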

## Headers & Transport
- [ ] HTTPS is enforced: plain HTTP redirects to HTTPS and the HSTS header is set
- [ ] CORS uses an explicit origin allowlist (no wildcard `*`, and no reflecting arbitrary origins when credentials are allowed)
- [ ] CSP headers are set appropriately (no `'unsafe-inline'` for scripts; use nonces or hashes)
- [ ] Rate limiting is applied to auth endpoints (login, password reset, token refresh)
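
The four transport items in code, as an added example that is not from the checklist page: a CORS helper that emits headers only for allowlisted origins, the HSTS/CSP set with a per-response script nonce, and a fixed-window limiter in front of `/login`. The allowed origin, the limits and the `loginGate` shape are assumptions for the example.

```typescript
// Added example (not from the checklist page): security headers and an auth-endpoint
// rate limiter. The origin allowlist, limits and loginGate are assumed values.
type HeaderMap = Record<string, string>;

const ALLOWED_ORIGINS: ReadonlySet<string> = new Set(["https://app.example.com"]);

// Narrow CORS: only allowlisted origins get CORS headers at all. Reflecting any
// Origin (or "*") together with credentials lets any site call the API as the
// logged-in user. "Vary: Origin" stops caches serving one origin's answer to another.
function corsHeaders(requestOrigin: string | undefined): HeaderMap {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type, Authorization",
    "Vary": "Origin",
  };
}

// Sent on every HTTPS response. The CSP uses a per-response nonce so scripts the
// server itself emits can run without 'unsafe-inline'.
function securityHeaders(cspNonce: string): HeaderMap {
  return {
    // One year, all subdomains: after the first visit the browser refuses plain http here.
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": [
      "default-src 'self'",
      `script-src 'self' 'nonce-${cspNonce}'`,
      "object-src 'none'",
      "base-uri 'self'",
      "frame-ancestors 'none'",
    ].join("; "),
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// Fixed-window limiter keyed by client (source IP, or the account for password reset).
class RateLimiter {
  private windows = new Map<string, { count: number; startedAt: number }>();
  private limit: number;
  private windowMs: number;
  private now: () => number;

  constructor(limit: number, windowMs: number, now: () => number = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now; // injectable clock for deterministic tests
  }

  // false once `limit` requests have been seen for this key in the current window.
  allow(key: string): boolean {
    const t = this.now();
    const w = this.windows.get(key);
    if (!w || t - w.startedAt >= this.windowMs) {
      this.windows.set(key, { count: 1, startedAt: t });
      return true;
    }
    if (w.count >= this.limit) return false;
    w.count += 1;
    return true;
  }
}

// /login: 5 attempts per IP per minute. Over the limit, answer 429 before the
// password is ever checked, so the limiter also bounds hashing work.
const loginLimiter = new RateLimiter(5, 60000);
function loginGate(ip: string): { status: 200 } | { status: 429; retryAfter: number } {
  return loginLimiter.allow(ip) ? { status: 200 } : { status: 429, retryAfter: 60 };
}
```

A fixed window lets a client burst twice the limit across a window boundary; a sliding window or token bucket is the next step if that matters. Behind a proxy, key on the proxy-provided client address only if the proxy is trusted to set it, otherwise the header is attacker-controlled.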
