name: reviewing-security description: > OWASP Top 10-based security review and vulnerability detection. Triggers: セキュリティ, 脆弱性, XSS, SQL injection, SQLインジェクション, CSRF, 認証, 認可, 暗号化, OWASP, SSRF, パスワード, セッション, rate limiting, brute force, command injection, security misconfiguration. allowed-tools:

• Read
• Grep
• Glob
• Task agent: security-reviewer user-invocable: false

Security Review - OWASP Top 10 Based

OWASP Top 10-based vulnerability detection and secure implementation guidance.

Section-Based Loading

Security Review Checklist

Step 1: Input Validation

• All user input is sanitized
• SQL queries use parameterized statements
• User input not directly used in command execution
• XSS protection (escaping) applied

Step 2: Authentication & Authorization

• Passwords properly hashed (bcrypt recommended)
• Secure session management (HttpOnly, Secure, SameSite)
• JWT expiration properly configured
• Authorization checks on all endpoints

Step 3: Data Protection

• Sensitive data not logged
• HTTPS enforced
• API keys not hardcoded

Step 4: Error Handling

• Detailed error messages hidden in production
• Stack traces not exposed to users

Step 5: Dependencies

Run audit command for your package manager:

• npm: npm audit

• yarn: yarn audit

• pnpm: pnpm audit

• bun: bun pm trust (or check lockfile)

• No known vulnerabilities

Key Principles

References

• @./references/owasp-basic.md - Access Control, Crypto, Auth
• @./references/owasp-injection.md - SQL/XSS/CSRF
• @./references/owasp-advanced.md - Design, Config, Monitoring