OWASP Top 10 Quick Reference

The 10 most critical web application security risks with the fix for each.

Syntax

environments-and-security
// Risk → What it is → How to prevent

Example

environments-and-security
// A01: Broken Access Control
// Fix: Check authorization on every request — never trust client-side
if (req.user.id !== resource.ownerId) return res.status(403).json({ error: 'Forbidden' });

// A02: Cryptographic Failures
// Fix: TLS everywhere, bcrypt for passwords, never MD5/SHA1
const hash = await bcrypt.hash(password, 12);

// A03: Injection (SQL, NoSQL, OS command)
// Fix: Parameterized queries — NEVER string concatenation
db.query('SELECT * FROM users WHERE id = $1', [userId]);

// A04: Insecure Design
// Fix: Threat model before you build — design with security in mind

// A05: Security Misconfiguration
// Fix: Disable debug mode in prod, remove default credentials, review headers
// CSP: Content-Security-Policy: default-src 'self'
// HSTS: Strict-Transport-Security: max-age=31536000

// A06: Vulnerable and Outdated Components
// Fix: npm audit, Dependabot alerts, pin versions, update regularly

// A07: Authentication Failures
// Fix: MFA, rate limiting, strong password policy, secure session cookies
res.cookie('session', token, { httpOnly: true, secure: true, sameSite: 'strict' });

// A08: Software and Data Integrity Failures
// Fix: Verify checksums, use CORS, validate webhooks with signatures

// A09: Security Logging and Monitoring Failures
// Fix: Log auth events, alert on anomalies, monitor for breach patterns

// A10: SSRF (Server-Side Request Forgery)
// Fix: Validate and allowlist URLs before making server-side requests