OWASP secure coding practices, language-specific security considerations, input validation and output encoding, authentication and authorization patterns, cryptography best practices, secure API design, and common security anti-patterns
# Secure Coding

## OWASP Secure Coding Practices

### Input Validation

- **Validate All Input**: Validate all input from untrusted sources (user input, APIs, files)
- **Whitelist Approach**: Use an allow-list of permitted values (whitelisting) rather than trying to enumerate bad input (blacklisting)
- **Validate Type, Length, Format**: Validate data type, length, and format
- **Sanitize Output**: Encode output to prevent injection attacks
- **Canonicalize Input**: Canonicalize input before validation to prevent bypasses
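The "canonicalize before validating" rule is easiest to see with file paths: the check below is an added example (not part of the original skill text) that percent-decodes and resolves a user-supplied name and only then applies the allow-list test "must stay inside the upload root". The root directory and the assumption that the input still carries its URL encoding are constructed for the example.

```python
from pathlib import Path
from urllib.parse import unquote

# Constructed example: files may only be read from or written to this directory.
SAFE_ROOT = Path("/srv/app/uploads")


def resolve_upload_path(user_supplied: str, root: Path = SAFE_ROOT) -> Path:
    """Return the canonical path for a user-supplied file name, or raise ValueError.

    Canonicalization comes first (percent-decoding, then resolving '.', '..'
    and symlinks); only the canonical form is compared against the allowed
    root. Pattern-matching the raw string instead is what lets encoded or
    doubled traversal sequences slip past a naive check.
    """
    # 1. Undo transport encoding so "%2e%2e" and ".." are treated the same.
    decoded = unquote(user_supplied)
    # 2. Reject NUL bytes: they truncate paths in C-based filesystem APIs.
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # 3. Canonicalize relative to the root (strict=False: the file may not exist yet).
    #    An absolute input replaces the root in the join and is caught in step 4.
    candidate = (root / decoded).resolve(strict=False)
    # 4. Allow-list check on the canonical form: it must remain inside the root.
    try:
        candidate.relative_to(root.resolve(strict=False))
    except ValueError:
        raise ValueError(f"path escapes {root}: {user_supplied!r}") from None
    return candidate


def is_safe_upload_path(user_supplied: str) -> bool:
    """Boolean form of the check, convenient for request handlers and tests."""
    try:
        resolve_upload_path(user_supplied)
        return True
    except ValueError:
        return False
```

If the web framework has already percent-decoded the value, drop the `unquote` step rather than decoding twice, since double decoding re-introduces the very bypass this guards against.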

### Output Encoding

- **Context-Specific Encoding**: Use encoding appropriate for the context (HTML, JavaScript, URL, CSS)
- **Encode User-Generated Content**: Encode all user-generated content before output
- **Use Framework Encoding**: Use framework-provided encoding functions
- **Avoid Manual Encoding**: Avoid manual encoding as it's error-prone

### Authentication

- **Strong Passwords**: Enforce strong password policies (length, complexity, rotation)
- **Secure Password Storage**: Use strong, slow hashing algorithms (bcrypt, Argon2, scrypt)
- **Multi-Factor Authentication**: Implement MFA for sensitive operations
- **Secure Session Management**: Use session cookies with the Secure, HttpOnly and SameSite attributes
- **Session Expiration**: Implement appropriate session timeout
- **Secure Password Reset**: Implement secure password reset mechanisms

### Authorization

- **Principle of Least Privilege**: Grant minimum necessary permissions
- **Role-Based Access Control**: Implement RBAC for authorization
- **Attribute-Based Access Control**: Consider ABAC for complex authorization
- **Deny by Default**: Deny access by default, explicitly allow
- **Check Authorization on Every Request**: Verify authorization on every request
- **Avoid IDOR**: Prevent Insecure Direct Object References

### Cryptography

- **Use Standard Algorithms**: Use well-vetted, standard cryptographic algorithms
- **Avoid Rolling Your Own Crypto**: Never implement custom cryptography
- **Use Secure Key Management**: Properly generate, store, and rotate keys
- **Use Authenticated Encryption**: Use authenticated encryption (AEAD) when possible
- **Avoid Deprecated Algorithms**: Avoid MD5, SHA-1, RC4, DES, etc.
- **Use TLS**: Use TLS for all network communications

### Error Handling

- **Generic Error Messages**: Use generic error messages for users
- **Detailed Logging**: Log detailed error information server-side
- **Don't Leak Information**: Avoid leaking sensitive information in errors
- **Handle Exceptions**: Properly handle exceptions to prevent information disclosure
- **Custom Error Pages**: Use custom error pages to prevent information leakage
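The five error-handling points above combine into one pattern: the client gets a generic message plus a random incident id, and the full exception and stack trace are logged server-side under that same id so support can correlate the two. This is an added example, not part of the original skill text; the `SafeError` class, `handle_request` wrapper and the `lookup_user` handler are constructed for it.

```python
import logging
import traceback
import uuid

# Constructed example: server-side logger. In production this feeds a log sink
# the operator controls; nothing written here is ever copied into a response.
log = logging.getLogger("app.errors")


class SafeError(Exception):
    """An error whose message is intentionally user-facing (no internals in it)."""


def handle_request(handler, *args):
    """Run `handler`, returning (status, body); unexpected failures are made generic.

    Detailed diagnostics (exception type, message, traceback) go to the server
    log keyed by a random incident id. The client sees only the id, so the
    response cannot disclose hostnames, SQL, file paths or library versions.
    """
    try:
        return 200, handler(*args)
    except SafeError as exc:
        # Deliberately user-facing: validation feedback the app chose to expose.
        return 400, {"error": str(exc)}
    except Exception:
        incident_id = uuid.uuid4().hex
        log.error("incident %s\n%s", incident_id, traceback.format_exc())
        return 500, {"error": "An internal error occurred.",
                     "incident_id": incident_id}


def lookup_user(user_id: str) -> dict:
    """Constructed handler exercising both branches above."""
    if not user_id.isdigit():
        raise SafeError("user_id must be numeric")
    # Simulates an internal failure whose details must not reach the client.
    raise ConnectionError("db01.internal:5432 refused connection for svc_app")
```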

## Language-Specific Security Considerations

### JavaScript/TypeScript

- **XSS Prevention**: Use frameworks with built-in XSS protection (React, Vue, Angular)
- **Content Security Policy**: Implement CSP to mitigate XSS
- **Avoid eval()**: Avoid using eval() and similar dynamic code execution
- **Validate JSON**: Validate JSON input before parsing
- **Use Strict Mode**: Use strict mode to catch common errors
- **Sanitize HTML**: Use DOMPurify or similar libraries for HTML sanitization

### Python

- **SQL Injection**: Use parameterized queries or ORM
- **Command Injection**: Avoid shell=True in subprocess calls
- **Pickle Security**: Avoid unpickling untrusted data
- **Template Injection**: Use secure template engines (Jinja2 auto-escaping)
- **YAML Loading**: Use yaml.safe_load() instead of yaml.load()
- **Input Validation**: Validate input using libraries like pydantic

### Java

- **SQL Injection**: Use PreparedStatement or JPA
- **XSS Prevention**: Use OWASP ESAPI or framework-provided encoding
- **Deserialization**: Avoid deserializing untrusted data
- **XML Security**: Disable XML external entities (XXE)
- **Path Traversal**: Validate file paths to prevent directory traversal
- **Secure Random**: Use SecureRandom for cryptographic random numbers

### Go

- **SQL Injection**: Use prepared statements with the database/sql package
- **Path Traversal**: Use filepath.Join() and validate paths
- **Command Injection**: Avoid invoking a shell; run programs directly with the os/exec package
- **Template Injection**: Use html/template with auto-escaping
- **Error Handling**: Always handle errors explicitly
- **Input Validation**: Validate input before use

### C/C++

- **Buffer Overflows**: Use safe string functions (strncpy_s, snprintf)
- **Memory Safety**: Use memory-safe alternatives when possible
- **Integer Overflow**: Check for integer overflow before arithmetic
- **Format String Vulnerabilities**: Avoid user-controlled format strings
- **Use Safe Libraries**: Use safe string and memory libraries
- **Static Analysis**: Use static analysis tools to catch issues

### PHP

- **SQL Injection**: Use PDO with prepared statements
- **XSS Prevention**: Use htmlspecialchars() or framework escaping
- **File Upload**: Validate and sanitize uploaded files
- **Include Files**: Avoid user-controlled include files
- **Type Juggling**: Be aware of PHP's type juggling
- **Configuration**: Use secure configuration settings

## Input Validation and Output Encoding

### Input Validation Techniques

- **Type Validation**: Validate data type (integer, string, date, etc.)
- **Length Validation**: Validate minimum and maximum length
- **Format Validation**: Validate format (email, phone, URL, etc.)
- **Range Validation**: Validate numeric ranges
- **Pattern Validation**: Use regex patterns for complex validation
- **Business Rule Validation**: Validate against business rules

### Output Encoding Contexts

- **HTML Context**: Encode for HTML entities (<, >, &, ", ')
- **JavaScript Context**: Encode for JavaScript strings
- **URL Context**: Encode for URL parameters
- **CSS Context**: Encode for CSS values
- **Attribute Context**: Encode for HTML attributes

### Encoding Libraries

- **JavaScript**: DOMPurify, encodeURI(), encodeURIComponent()
- **Python**: html.escape(), urllib.parse.quote()
- **Java**: OWASP ESAPI, Apache Commons Text
- **Go**: html.EscapeString(), url.QueryEscape()
- **PHP**: htmlspecialchars(), urlencode()
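Why the encoding must match the context, shown with the Python functions listed above: the same untrusted value is emitted into HTML text, a quoted attribute, a URL parameter and a JavaScript string, each through its own encoder. This is an added example (not the skill's own code); the `UNTRUSTED` string and the `render_profile` template are constructed for it.

```python
import html
import json
from urllib.parse import quote

# Constructed untrusted value: it closes a quoted attribute and a tag, and
# carries characters that matter in the URL and JavaScript contexts too.
UNTRUSTED = '"><script>alert(1)</script> & tom\'s <b>bold</b>'


def encode_html_text(value: str) -> str:
    """HTML body context: escape < > & " ' so the value cannot open a tag."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted-attribute context: same escaping, plus the surrounding quotes.
    Unquoted attributes can be broken out of with whitespace, so the quotes
    are part of the encoding rather than left to the caller."""
    return '"' + html.escape(value, quote=True) + '"'


def encode_js_string(value: str) -> str:
    """JavaScript string literal inside a <script> block.

    json.dumps produces a valid JS string literal, but leaves < > & alone, so
    a literal "</script>" inside the value would still end the script element
    for the HTML parser. Escaping those three as \\uXXXX closes that gap.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def encode_url_param(value: str) -> str:
    """URL query-parameter context: percent-encode everything but unreserved chars."""
    return quote(value, safe="")


def render_profile(display_name: str) -> str:
    """One untrusted value rendered into four contexts, one encoder per context."""
    return (
        f"<p>Hello {encode_html_text(display_name)}</p>\n"
        f"<input value={encode_html_attr(display_name)}>\n"
        f"<a href=\"/search?q={encode_url_param(display_name)}\">search</a>\n"
        f"<script>var name = {encode_js_string(display_name)};</script>"
    )
```

Using `encode_html_text` for the `href` or the `<script>` slot would leave those two contexts exploitable, which is the point of the "context-specific" rule above.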

## Authentication and Authorization Patterns

### Authentication Patterns

- **Multi-Factor Authentication**: Require multiple factors for authentication
- **Password Hashing**: Use bcrypt, Argon2, or scrypt for password hashing
- **Password Policies**: Enforce strong password policies
- **Account Lockout**: Implement account lockout after failed attempts
- **Password Reset**: Implement secure password reset flows
- **Session Management**: Use secure session management practices

### Authorization Patterns

- **Role-Based Access Control (RBAC)**: Assign permissions to roles, roles to users
- **Attribute-Based Access Control (ABAC)**: Use attributes for fine-grained access control
- **Access Control Lists (ACL)**: Define access rights for resources
- **Capability-Based Security**: Use capabilities for access control
- **Policy-Based Access Control**: Use policies for access decisions
- **Hybrid Approaches**: Combine multiple authorization patterns

### Session Management

- **Secure Cookies**: Use session cookies with the Secure, HttpOnly and SameSite attributes
- **Session Expiration**: Implement appropriate session timeout
- **Session Fixation**: Generate new session ID after authentication
- **Session Storage**: Store session data securely
- **Logout**: Implement proper logout functionality
- **Concurrent Sessions**: Limit concurrent sessions if needed

## Cryptography Best Practices

### Encryption

- **Use Standard Algorithms**: Use AES-256, ChaCha20-Poly1305, or similar
- **Use Authenticated Encryption**: Prefer AEAD modes (GCM, CCM, ChaCha20-Poly1305)
- **Key Management**: Use proper key management (HSM, KMS, key rotation)
- **IV/Nonce**: Use unique IV/nonce for each encryption
- **Key Derivation**: Use PBKDF2, Argon2, or scrypt for key derivation
- **Avoid ECB Mode**: Never use ECB mode for encryption

### Hashing

- **Use Strong Hashes**: Use SHA-256 or stronger for general hashing
- **Password Hashing**: Use bcrypt, Argon2, or scrypt for passwords
- **Salt
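The password-hashing points in this section and in the Authentication sections above, as an added example (not the skill's own code): a per-password random salt, a slow memory-hard hash (scrypt from the standard library, one of the three the skill names), cost parameters stored alongside the digest, and a constant-time comparison on verify. The cost parameters and record format are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed cost parameters for the example; tune N upward as hardware allows.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Hash a password with scrypt and a fresh random salt.

    The record carries algorithm, cost parameters, salt and digest, so a
    verifier never depends on a global setting that may change later, and
    the application can spot records made with outdated parameters.
    """
    salt = os.urandom(SALT_BYTES)  # unique per password: equal passwords differ on disk
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except ValueError:
        return False  # malformed record: fail closed
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    # compare_digest does not stop at the first mismatching byte, so timing
    # reveals nothing about how much of the digest matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record's cost parameters are below the current ones."""
    _, n, r, p, _, _ = stored.split("$")
    return (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

On a successful login, `needs_rehash` lets the application re-hash the still-available plaintext with current parameters, which is the only moment that upgrade is possible.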
