Security Review Context

Context File v1.0

development
Claude, ChatGPT

Trigger Phrase

Security review this

Prompt

130 words
## Security Review Standards

When reviewing code or architecture for security, always check:

**Authentication & Authorisation**
- Is every endpoint authenticated?
- Is authorisation checked per resource, not just per route?
- Are JWTs validated fully (signature, expiry, issuer, audience)?

**Input Handling**
- Is all user input validated server-side (not just client-side)?
- Are SQL queries parameterised (no string interpolation)?
- Are file uploads validated for type, size, and content?

**Secrets & Config**
- Are secrets in environment variables, not code?
- Are internal URLs and service names excluded from client bundles?
- Is error output sanitised (no stack traces to end users)?

**Dependencies**
- Are dependencies pinned to exact versions in production?
- Is there a process to respond to CVEs?

Rate each category: PASS / WARN / FAIL. List specific findings under each.

Install Instructions

Paste before any security review task. Works best with Claude Opus for complex architecture reviews.

Test It

Test command:
Ask it to review a simple Express route that has SQL injection
Expected output:
Should flag SQL injection under Input Handling as FAIL
Pass criteria:
  • Input Handling rated FAIL. SQL injection identified specifically. Fix suggested.
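
A fixture for the test command above, as an added example that is not part of the original context file: an Express-style route that interpolates request input into SQL, beside a parameterised version with server-side validation. The `/users` route, the `users` table, the `db.query(text, values)` shape and all function names are assumptions made for illustration.

```javascript
// Constructed fixture for a hypothetical GET /users?name=... Express route.
// The users table, the route and the db.query(text, values) shape (modelled
// on common Node SQL clients) are assumptions, not taken from the page.

// Vulnerable: request input is interpolated into the SQL text itself.
function vulnerableQuery(name) {
  return { text: `SELECT id, name FROM users WHERE name = '${name}'`, values: [] };
}

// Hardened: constant SQL text, input travels separately as a bound parameter.
function parameterisedQuery(name) {
  return { text: 'SELECT id, name FROM users WHERE name = $1', values: [name] };
}

// Server-side validation, independent of any client-side checks. Rejects
// missing values and arrays (Express yields an array for repeated parameters).
function isValidName(name) {
  return typeof name === 'string' && name.length > 0 && name.length <= 64;
}

// Express-style handler the review should rate FAIL under Input Handling.
function vulnerableRoute(db) {
  return async (req, res) => {
    const q = vulnerableQuery(req.query.name);
    res.json((await db.query(q.text, q.values)).rows);
  };
}

// Same route with validation and a bound parameter; the SQL check should pass.
function hardenedRoute(db) {
  return async (req, res) => {
    if (!isValidName(req.query.name)) {
      return res.status(400).json({ error: 'invalid name' });
    }
    const q = parameterisedQuery(req.query.name);
    res.json((await db.query(q.text, q.values)).rows);
  };
}

// Constructed sample input: a value containing quote characters.
const SAMPLE_INPUT = "x' OR '1'='1";
```

Paste `vulnerableRoute` as the code under review; the finding should point at the template literal in `vulnerableQuery` and suggest the bound-parameter form.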

⚠️ Guardrails

  • This is a checklist aid, not a replacement for a professional security audit.