Reviews code for OWASP Top 10 vulnerabilities with concrete fix recommendations.
---
name: Security Audit
description: Review code against the OWASP Top 10 with fixes.
---
# Security Audit
Find and fix the vulnerabilities that actually get exploited.
## Process
1. Map trust boundaries: where untrusted input enters the system.
2. Trace each input to where it's used (query, command, HTML, file path).
3. Check authentication and authorization on every sensitive action.
4. Give a concrete, minimal fix for each finding, with severity.
## OWASP Top 10 checks
- Broken access control: verify object-level authorization (IDOR). Don't trust IDs from the client.
- Injection: use parameterized queries; never concatenate user input into SQL/shell/LDAP.
- Cryptographic failures: TLS everywhere, no secrets in code, strong password hashing (Argon2id/bcrypt).
- Insecure design: rate limits, lockouts, and abuse cases designed in, not bolted on.
- Security misconfiguration: disable debug, lock down CORS, set security headers.
- Vulnerable components: scan dependencies; pin and patch.
- Auth failures: secure session management, MFA, no credential stuffing exposure.… install to load the full skill