security-checklist
Install: claude install-skill telus-labs/stagecraft
# Security Checklist
Load this skill during design review, implementation, and code review.
Every item is a potential BLOCKER if violated. Each item is paired with
a concrete failure example so reviewers can recognise the shape.
## Input & Validation
- [ ] All user-supplied input is validated (type, length, format) **at the boundary**, not deep in business logic.
```ts
import express from "express";
import { z } from "zod";
const app = express();

// BAD: input flows untyped into business code; validation buried far from entry.
app.post("/orders", async (req, res) => {
  const order = await createOrder(req.body); // req.body is `any`
});

// GOOD: schema validates at the handler; business code receives a typed value.
// ItemInput is the per-item schema; validateBody is middleware that parses
// req.body against the schema and rejects the request on failure.
const OrderInput = z.object({ items: z.array(ItemInput).min(1).max(50) });
app.post("/orders", validateBody(OrderInput), async (req, res) => {
  const order = await createOrder(req.body); // typed and bounded
});
```
- [ ] Validation errors return `400` (malformed) or `422` (well-formed but semantically invalid). Never `500`.
- [ ] File uploads validated for type AND size BEFORE processing.
```ts
import multer from "multer";

// BAD: read into memory first, then check size. OOM on a multi-GB upload.
const data = await req.file.buffer();
if (data.length > 10_000_000) throw new TooLarge();

// GOOD: streaming with limits, enforced at the parser layer.
// typeAllowlist is a multer fileFilter that accepts only allowlisted types.
const upload = multer({ limits: { fileSize: 10_000_000 }, fileFilter: typeAllowlist });
```
## Authentication & Authorisation
- [ ] All endpoints that require auth have auth middlewar