
secure-code-guardian

jeffallan/claude-skills

Installs: 809
Install command
npx skills add https://github.com/jeffallan/claude-skills --skill secure-code-guardian
Security audits
Gen Agent Trust Hub: PASS
Socket: PASS
Snyk: PASS
About this skill
After each implementation step, verify: Load detailed guidance based on context: When implementing security features, provide: OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers

- Threat model — Identify attack surface and threats
- Design — Plan security controls
- Implement — Write secure code with defense in depth; see code examples below
- Validate — Test security controls with explicit checkpoints (see below)
- Document — Record security decisions

- Authentication: Test brute-force protection (lockout/rate limit triggers), session fixation resistance, token expiration, and invalid-credential error messages (must not leak user existence).
- Authorization: Verify horizontal and vertical privilege escalation paths are blocked; test with tokens belonging to different roles/users.
- Input handling: Confirm SQL injection payloads ( ' OR 1=1-- ) are rejected; confirm XSS payloads ( alert(1) ) are escaped or rejected.
- Headers/CORS: Validate with a security scanner (e.g., curl -I, Mozilla Observatory) that security headers are present and CORS origin allowlist is correct.

- Hash passwords with bcrypt/argon2 (never MD5/SHA-1/unsalted hashes)
- Use parameterized queries (never string-interpolated SQL)
- Validate and sanitize all user input before use
- Implement rate...

Source description provided by the upstream skill listing. Community reviews and install context appear in the sections below.

Community Reviews

Latest reviews

No community reviews yet. Be the first to review.

FAQ
What does secure-code-guardian do?

secure-code-guardian is listed in SkillJury, but the source summary is still sparse.

Is secure-code-guardian good?

secure-code-guardian does not have approved reviews yet, so SkillJury cannot publish a community verdict.

What agent does secure-code-guardian work with?

secure-code-guardian currently lists compatibility with codex, gemini-cli, opencode, cursor, github-copilot, claude-code.

What are alternatives to secure-code-guardian?

Skills in the same category include telegram-bot-builder, flutter-app-size, sharp-edges, iterative-retrieval.

How do I install secure-code-guardian?

npx skills add https://github.com/jeffallan/claude-skills --skill secure-code-guardian
