pr_reviewer/contexts/defaults/security_review.md
2026-05-08 23:46:17 +10:00

1.2 KiB

Security Review Guidelines

General Principles

  • Follow the principle of least privilege.
  • Validate and sanitize all user inputs.
  • Use secure coding practices to prevent common vulnerabilities (prefer well-tested library routines such as parameterized queries, output encoding, and standard crypto over hand-rolled equivalents).
  • Keep dependencies up to date and monitor for known security issues.
  • Implement proper authentication and authorization mechanisms.
  • Encrypt sensitive data at rest and in transit.
  • Log security-relevant events and monitor for suspicious activities.

Specific Checks

  • Input validation and sanitization (SQL injection, XSS, command injection, etc.).
  • Proper authentication and session management.
  • Authorization checks (users can only access resources they are permitted to).
  • Secure handling of sensitive data (passwords, tokens, PII).
  • Use of up-to-date and secure dependencies (no known vulnerabilities).
  • Proper error handling that does not leak sensitive information to callers (stack traces, internal paths, query text, secrets).
  • Secure configuration (e.g., not using default passwords, disabling unnecessary services).
  • Communication security (TLS enforced, certificate and hostname validation never disabled, even in "temporary" or test code).
  • Protection against CSRF, clickjacking, and other web vulnerabilities.
  • Secure file uploads (if applicable).
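
Worked illustration of three of the checks above (input validation against SQL and command injection, and object-level authorization). This is an added example, not the project's own code: each pair shows the pattern a reviewer should flag beside the form that passes the check. The `documents` table, its rows, and the `Forbidden` exception are constructed here for illustration; the command-injection pair assumes a POSIX `/bin/sh`.

```python
"""Added example for the security review checklist (not the project's own code).

Each pair shows a pattern a reviewer should flag beside the form that passes the
check. The documents table and its rows are constructed sample data.
Assumes a POSIX /bin/sh for the command-injection pair.
"""
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database holding two users' documents (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents (id, owner_id, title) VALUES (?, ?, ?)",
        [(1, 100, "alice-notes"), (2, 100, "alice-budget"), (3, 200, "bob-notes")],
    )
    return conn


# --- Input validation: SQL injection ---------------------------------------

def find_by_title_vulnerable(conn, title: str) -> list:
    """FLAG: user input is concatenated into the SQL text and parsed as SQL."""
    rows = conn.execute(f"SELECT id FROM documents WHERE title = '{title}'").fetchall()
    return [r[0] for r in rows]


def find_by_title_safe(conn, title: str) -> list:
    """Parameterized query: the driver binds the value; it is never parsed as SQL."""
    rows = conn.execute("SELECT id FROM documents WHERE title = ?", (title,)).fetchall()
    return [r[0] for r in rows]


# --- Input validation: command injection -----------------------------------

def echo_vulnerable(arg: str) -> str:
    """FLAG: shell=True with interpolated input; shell metacharacters reach /bin/sh."""
    return subprocess.run(f"echo {arg}", shell=True, capture_output=True, text=True).stdout


def echo_safe(arg: str) -> str:
    """argv list and no shell: the argument is handed to the program verbatim."""
    return subprocess.run(["echo", arg], capture_output=True, text=True).stdout


# --- Authorization: object-level access check ------------------------------

class Forbidden(Exception):
    """Hypothetical exception type for this example."""


def get_document_vulnerable(conn, requester_id: int, doc_id: int) -> str:
    """FLAG: requester is authenticated but ownership of doc_id is never checked (IDOR)."""
    row = conn.execute("SELECT title FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0]


def get_document_safe(conn, requester_id: int, doc_id: int) -> str:
    """Ownership is part of the query, so a non-owner gets no row at all."""
    row = conn.execute(
        "SELECT title FROM documents WHERE id = ? AND owner_id = ?",
        (doc_id, requester_id),
    ).fetchone()
    if row is None:
        # Same response for "does not exist" and "not yours": no existence leak.
        raise Forbidden(f"document {doc_id} not accessible")
    return row[0]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(find_by_title_vulnerable(db, payload))   # every row: [1, 2, 3]
    print(find_by_title_safe(db, payload))         # no rows: []
    print(repr(echo_vulnerable("hi; echo INJECTED")))  # 'hi\nINJECTED\n'
    print(repr(echo_safe("hi; echo INJECTED")))        # 'hi; echo INJECTED\n'
    print(get_document_vulnerable(db, 200, 1))     # Bob reads Alice's document
    try:
        get_document_safe(db, 200, 1)
    except Forbidden as exc:
        print(exc)
```

When reviewing, the shape to look for is the same in all three pairs: attacker-controlled data crossing into an interpreter (SQL, a shell) as text rather than as a bound value, and a lookup keyed only on the identifier the client supplied rather than on the identifier plus the authenticated principal.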