Security-Focused Code Review Skill
On-demand skill that reviews code for OWASP Top 10, dependency vulnerabilities, and auth issues.
Version 1
Created 3/26/2026
---
name: security-review
description: Review code for security vulnerabilities including OWASP Top 10, dependency issues, and authentication flaws. Use when reviewing security-sensitive code, checking PRs with auth changes, or auditing endpoints.
---
# Security Code Review
When reviewing code for security, systematically check:
## 1. Injection (OWASP A03)
- SQL injection: parameterized queries only
- XSS: output encoding, CSP headers
- Command injection: no shell execution with user input
- Path traversal: validate file paths
## 2. Authentication & Authorization (OWASP A01, A07)
- Auth checks on every protected endpoint
- Session management (secure cookies, expiry)
- Password storage (bcrypt/argon2, never plain text)
- API key handling (never in URLs or logs)
## 3. Data Exposure (OWASP A02)
- PII not logged
- Sensitive data encrypted at rest
- API responses don't leak internal details
- Error messages don't expose stack traces
## 4. Dependencies
- Known vulnerabilities (check `npm audit` / `pip-audit`)
- Outdated packages with security patches
- Supply chain risks (typosquatting, compromised packages)
## 5. Configuration
- Secrets not in code or config files
- HTTPS enforced
- CORS properly configured
- Rate limiting on auth endpoints
Report format: Use severity 🔴 Critical / 🟡 Warning / 🔵 Info
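As an added illustration, not part of the skill definition above, here is a small Python checker that applies a subset of this checklist to constructed sample code and renders findings in the skill's severity format. The regex patterns and sample are hypothetical and only catch obvious textual signals; a real review still needs the reader to follow data flow.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str  # "🔴 Critical" / "🟡 Warning" / "🔵 Info", as in the report format above
    category: str
    line: int
    text: str

# Hypothetical textual checks for a subset of the checklist (constructed for this example).
CHECKS = [
    ("🔴 Critical", "A03 SQL query built by string formatting",
     re.compile(r'execute\(\s*(f["\']|["\'][^"\']*["\']\s*(%|\+))')),
    ("🔴 Critical", "A03 shell command built from interpolated input",
     re.compile(r'(subprocess\.\w+|os\.system)\(.*(f["\']|\+|shell\s*=\s*True)')),
    ("🔴 Critical", "Config: secret hard-coded in source",
     re.compile(r'(?i)(password|api_key|secret|token)\s*=\s*["\'][^"\']{8,}["\']')),
    ("🟡 Warning", "A07 password hashed with a fast digest, not bcrypt/argon2",
     re.compile(r'hashlib\.(md5|sha1|sha256)\(')),
    ("🟡 Warning", "A01 API key placed in a URL (ends up in logs and history)",
     re.compile(r'https?://[^\s"\']*[?&](api_key|token|key)=', re.I)),
    ("🔵 Info", "A02 stack trace exposed to the caller",
     re.compile(r'traceback\.format_exc\(\)')),
]

def review(source: str) -> list[Finding]:
    # Run every check over every line; findings come back in source order.
    return [Finding(sev, cat, n, line.strip())
            for n, line in enumerate(source.splitlines(), 1)
            for sev, cat, pat in CHECKS if pat.search(line)]

def report(findings: list[Finding]) -> str:
    rank = {"🔴 Critical": 0, "🟡 Warning": 1, "🔵 Info": 2}  # most severe first
    return "\n".join(f"{f.severity} L{f.line} {f.category}: {f.text}"
                     for f in sorted(findings, key=lambda f: (rank[f.severity], f.line)))

# Constructed sample under review: deliberately contains one hit per check.
SAMPLE = '''API_KEY = "sk_live_0123456789abcdef"
def find_user(db, name):
    return db.execute(f"SELECT * FROM users WHERE name = '{name}'")
def ping(host):
    return os.system("ping -c 1 " + host)
def store_password(pw):
    return hashlib.sha256(pw.encode()).hexdigest()
def fetch_me(session):
    return session.get("https://api.example.com/v1/me?api_key=" + API_KEY)
def handle_error(exc):
    return {"error": traceback.format_exc()}
'''
```

Calling `print(report(review(SAMPLE)))` lists the three 🔴 findings first, then the two 🟡 and the one 🔵.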