OWASP Top 10

The 10 most critical web application security risks. Every developer should know and actively defend against these vulnerabilities.

Syntax

environments-and-security
// Know, detect, prevent

Example

environments-and-security
// A01: Broken Access Control
//   → Always check ownership: WHERE user_id = req.user.id

// A02: Cryptographic Failures
//   → Use bcrypt for passwords, TLS everywhere, rotate secrets

// A03: Injection (SQL, NoSQL, Command)
//   → Use parameterized queries, never concatenate user input

// A04: Insecure Design
//   → Threat model before coding, not after

// A05: Security Misconfiguration
//   → Disable debug in prod, remove default accounts

// A06: Vulnerable Components
//   → Run npm audit weekly, keep deps updated

// A07: Auth Failures
//   → Rate-limit logins, enforce MFA, expire sessions

// A08: Data Integrity Failures
//   → Verify webhook signatures, use SRI for CDN assets

// A09: Logging Failures
//   → Log auth events, never log passwords/tokens

// A10: SSRF
//   → Validate & allowlist URLs before server-side fetches