The Security Checklist We Run on Every Production Deployment

Authentication & Authorisation

✓ Passwords hashed with bcrypt (cost factor ≥12) or Argon2, never stored in plain text or reversible encryption. ✓ JWT tokens have expiry set; refresh token rotation implemented. ✓ Password reset tokens are single-use and expire within 1 hour. ✓ Rate limiting on all auth endpoints (login, register, password reset). ✓ Account lockout after N failed attempts with exponential backoff. ✓ All API endpoints verify authorisation — not just authentication. ✓ Role-based access control tested with negative test cases (users cannot access resources they don't own). ✓ Admin routes protected by IP allowlist or separate auth layer.

Input Validation & Injection

✓ All database queries use parameterised statements or ORM — zero string concatenation in SQL. ✓ User input sanitised before rendering in HTML (XSS prevention). ✓ Content-Security-Policy header configured and tested. ✓ File upload validation: type checking by content (not extension), size limits, storage outside web root. ✓ XML/JSON parsing libraries protected against XXE attacks. ✓ Server-Side Request Forgery (SSRF) protection on any endpoint that makes outbound HTTP requests.

Secrets & Configuration

✓ No secrets in source code, ever. Verified with git-secrets or similar pre-commit hook. ✓ All secrets stored in environment variables or secrets manager (AWS Secrets Manager, HashiCorp Vault). ✓ Production secrets rotated from development secrets — different database passwords, API keys, JWT secrets. ✓ .env files in .gitignore and verified absent from git history. ✓ Third-party API keys have minimum required permissions.

Transport Security

✓ HTTPS enforced everywhere; HTTP redirects to HTTPS. ✓ HSTS header set with includeSubDomains and preload. ✓ TLS 1.2 minimum; TLS 1.3 preferred. ✓ Certificates auto-renewed. ✓ Sensitive data encrypted in transit between internal services (not just external). ✓ Database connections use TLS.

Infrastructure Hardening

✓ Principle of least privilege on all IAM roles and policies. ✓ Security groups configured to allow only required ports and sources. ✓ S3 buckets: public access blocked unless explicitly required; bucket policies audited. ✓ Database not publicly accessible; accessible only from application subnet. ✓ Logging enabled: CloudTrail, VPC Flow Logs, application logs to immutable storage. ✓ Unused ports, services, and packages removed from server images.

Dependencies & Supply Chain

✓ npm audit / pip audit / bundle audit run; critical and high vulnerabilities resolved. ✓ Dependency versions pinned (package-lock.json / requirements.txt committed). ✓ Automated vulnerability scanning in CI pipeline (Dependabot or Snyk). ✓ Docker base images from official/verified sources, regularly updated. ✓ Software Bill of Materials (SBOM) generated for regulated industries.