10-checklists

Security Checklist

10-checklists/security-checklist

Security Checklist

Overview

Use this checklist to reduce obvious frontend and integration security mistakes.


Why It Matters

Security bugs can expose data, sessions, or trust even when the product otherwise works.


Core Concepts

  • Do not expose secrets.
  • Validate untrusted data.
  • Review auth and redirect flows carefully.

Mental Models

Assume anything the browser sees can be inspected or tampered with.


Best Practices

  • Keep sensitive logic server-side where possible.
  • Sanitize user content.
  • Review dependencies and third-party scripts.

Common Mistakes

  • Shipping secrets to the client.
  • Relying on client checks for protection.
  • Ignoring XSS and open redirect risks.

Trade-offs

More security controls can slow development a bit, but they prevent far more expensive mistakes.


Decision Framework

RiskCheck
Secret exposureClient bundle review
Unsafe inputValidation and sanitization
Auth flowSession and redirect behavior

Examples

  • Validate redirect destinations before navigation.

Checklists

  • Are secrets excluded from the client?
  • Is untrusted input sanitized?
  • Are auth and redirect flows reviewed?

Senior Engineer Notes

Senior engineers assume a hostile or curious client environment and design accordingly.


Further Reading