# Web Security (OWASP Top 10)

Injection, XSS, IDOR, SSRF, misconfig -- causes and defenses.

Tags: security, backend, frontend
## A01 Broken Access Control
- Enforce server-side authorization on every request.
- RBAC/ABAC; never trust client-supplied roles.
- Test IDOR: can user A access user B's data by changing an ID?
## A02 Cryptographic Failures
- TLS 1.2+ everywhere + HSTS.
- Hash passwords with bcrypt/argon2 (never MD5/SHA1).
- Encrypt sensitive data at rest (AES-256).
## A03 Injection
- Use parameterized queries. Never concatenate user input into SQL.
```ts
// Bad: the caller's input is spliced into the SQL text, so it can change the query's structure.
db.query("SELECT * FROM users WHERE id = " + req.params.id);
// Good: the value travels as a bound parameter and is never parsed as SQL.
db.query("SELECT * FROM users WHERE id = $1", [req.params.id]);
```
## A05 Security Misconfiguration
- Disable debug endpoints and remove default credentials in prod.
- Headers: `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`, CSP.
## A07 XSS
- **Stored**: payload in DB, rendered to other users.
- **Reflected**: payload in URL, reflected back.
- **DOM**: client JS writes attacker-controlled data to DOM.
- Defense: escape output for its context (React does this by default for JSX interpolation), CSP, `httpOnly` cookies.
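The "escape output" defense for the stored and reflected cases, as an added TypeScript example that is not from the original page. The vulnerable template is shown beside its hardened form; `escapeHtml`, `renderCommentUnsafe`, `renderComment` and the constructed `STORED_BODY` payload are names chosen here:

```typescript
// Added example, not from the original page. Helper names are illustrative.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escapes the five characters that can break out of HTML text or a quoted attribute value.
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stored-XSS shape: data saved earlier is interpolated straight into markup.
function renderCommentUnsafe(author: string, body: string): string {
  return `<div class="comment" data-author="${author}"><p>${body}</p></div>`;
}

// Hardened: escape at output time, in every interpolation, for the context
// (text node and double-quoted attribute) that the template puts it in.
function renderComment(author: string, body: string): string {
  return `<div class="comment" data-author="${escapeHtml(author)}"><p>${escapeHtml(body)}</p></div>`;
}

// Constructed stored payload of the kind a scanner would submit.
const STORED_BODY = "<script>alert(1)</script>";

// True when rendered markup still contains an unescaped script tag.
function containsRawScriptTag(html: string): boolean {
  return /<script\b/i.test(html);
}
```

Escaping is context-specific: the same five-character table is right for text nodes and quoted attributes, but an unquoted attribute, a URL attribute, inline JavaScript or CSS each need different encoding. A templating layer that escapes by default (JSX, most server template engines) removes the per-call burden; CSP is the second layer for the cases the template misses.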
## A09 Logging Failures
- Log auth events, access control failures, input errors.
- Include timestamp, user, IP. Never log passwords or tokens.
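A log formatter that carries the timestamp, user and IP fields above and redacts secrets before anything is written, as an added TypeScript example that is not from the original page. The `SENSITIVE_KEY` pattern, the `AuthEvent` shape and the helper names are assumptions made for the illustration:

```typescript
// Added example, not from the original page. The key list and event shape are assumptions.
const SENSITIVE_KEY =
  /^(pass(word|wd)?|secret|token|access_token|refresh_token|authorization|cookie|set-cookie|api[_-]?key)$/i;

// Walks a value and replaces anything stored under a sensitive key name.
function redact(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [key, v] of Object.entries(value as Record<string, unknown>)) {
      out[key] = SENSITIVE_KEY.test(key) ? "[REDACTED]" : redact(v);
    }
    return out;
  }
  return value;
}

type AuthEventKind = "login_success" | "login_failure" | "access_denied" | "input_rejected";

interface AuthEvent {
  event: AuthEventKind;
  userId?: string;                   // subject, when known
  ip: string;                        // client address as seen at the edge
  detail?: Record<string, unknown>;  // free-form context, redacted before write
}

// One JSON line per event; `now` is injectable so output is deterministic in tests.
function formatAuthLog(ev: AuthEvent, now: Date = new Date()): string {
  const entry = { ts: now.toISOString(), ...(redact(ev) as Record<string, unknown>) };
  return JSON.stringify(entry);
}
```

Redaction by key name catches the common shapes (request bodies, header objects) but not a token pasted into a free-text message; pair it with pattern-based scrubbing in the log pipeline, and treat the log store itself as sensitive.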
## A10 SSRF
- Validate and allowlist outbound URLs.
- Block cloud metadata endpoints (169.254.169.254).
## Security headers (use helmet)
`Content-Security-Policy`, `Strict-Transport-Security`, `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`
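The header set listed here and under A05, built and audited in plain TypeScript, as an added example that is not from the original page and not helmet's code (helmet applies a comparable baseline; this is hand-rolled so it runs with no dependency). The option names, the default CSP directives and the `ResLike` shape are assumptions made for the illustration:

```typescript
// Added example, not from the original page and not helmet's own code.
type HeaderMap = Record<string, string>;

interface SecurityHeaderOptions {
  hstsMaxAgeSeconds?: number;
  csp?: Record<string, string[]>; // directive -> source list
}

// Constructed default policy: same-origin scripts only, no plugins, no framing.
const DEFAULT_CSP: Record<string, string[]> = {
  "default-src": ["'self'"],
  "script-src": ["'self'"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "frame-ancestors": ["'none'"], // CSP-era equivalent of X-Frame-Options: DENY
};

function buildCsp(directives: Record<string, string[]>): string {
  return Object.entries(directives)
    .map(([name, sources]) => (sources.length ? `${name} ${sources.join(" ")}` : name))
    .join("; ");
}

function securityHeaders(opts: SecurityHeaderOptions = {}): HeaderMap {
  return {
    "Content-Security-Policy": buildCsp(opts.csp ?? DEFAULT_CSP),
    "Strict-Transport-Security": `max-age=${opts.hstsMaxAgeSeconds ?? 31536000}; includeSubDomains`,
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// Minimal response shape so this runs without Express; an Express `res` satisfies it.
interface ResLike { setHeader(name: string, value: string): void; }

function applySecurityHeaders(res: ResLike, opts?: SecurityHeaderOptions): void {
  for (const [name, value] of Object.entries(securityHeaders(opts))) res.setHeader(name, value);
}

// Defender check: which expected headers are absent from an observed response?
// Header names compare case-insensitively.
function missingSecurityHeaders(observed: HeaderMap): string[] {
  const present = new Set(Object.keys(observed).map((k) => k.toLowerCase()));
  return Object.keys(securityHeaders()).filter((name) => !present.has(name.toLowerCase()));
}
```

Start CSP in `Content-Security-Policy-Report-Only` on an existing app to find inline scripts and third-party sources before enforcing; HSTS with a year-long `max-age` is hard to roll back, so confirm every subdomain serves TLS first.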