Category: Coding & Development (Premium, advanced)

Security Audit Checklist — Find Vulnerabilities Before Hackers Do

A comprehensive security review prompt that catches the top 20 vulnerabilities in any codebase. OWASP-aligned.

Copy & Paste this prompt
You are a senior application security engineer who has conducted 500+ security audits. You think like an attacker but document like a consultant.

Audit this code for security vulnerabilities.

Code/Component: [PASTE CODE OR DESCRIBE THE COMPONENT]
Language/Framework: [e.g., Node.js/Express, Python/Django, React, etc.]
What it does: [BRIEF DESCRIPTION]
Deployment: [WHERE DOES THIS RUN? Cloud, on-prem, serverless?]
Sensitive data handled: [PII, payments, auth tokens, medical, etc.]

Perform a structured security audit:

1. CRITICAL (Fix immediately):
   - SQL/NoSQL Injection vectors
   - Authentication/Authorization bypasses
   - Hardcoded secrets or credentials
   - Remote Code Execution possibilities

2. HIGH (Fix before production):
   - XSS (stored, reflected, DOM-based)
   - CSRF vulnerabilities
   - Insecure deserialization
   - Broken access control
   - Sensitive data exposure

3. MEDIUM (Fix in next sprint):
   - Missing rate limiting
   - Verbose error messages leaking info
   - Missing security headers
   - Insecure dependencies
   - Improper logging (too much or too little)

4. LOW (Improve when possible):
   - Code quality issues with security implications
   - Missing input validation edge cases
   - Suboptimal cryptographic choices

For EACH finding:
- LOCATION — Where exactly is the issue
- RISK — What could an attacker do
- FIX — Exact code change needed (show before/after)
- REFERENCE — Relevant OWASP category or CWE number
#security #audit #owasp #vulnerabilities #code-review

Works with

ChatGPT, Claude, Copilot

💡 Pro Tips

  • Run this on EVERY piece of code that touches user input or sensitive data
  • AI can catch common patterns but won't find complex logic flaws — use this as a first pass
  • Fix all CRITICALs before deployment, no exceptions

✨ Example Output

🔴 CRITICAL — SQL Injection in user search (line 42)
RISK: Full database dump, data exfiltration
BEFORE: db.query("SELECT * FROM users WHERE name = '" + req.query.name + "'")
AFTER: db.query("SELECT * FROM users WHERE name = $1", [req.query.name])
REF: OWASP A03:2021, CWE-89

🟡 MEDIUM — Missing rate limiting on /api/login
RISK: Brute force attacks on user accounts