
Security Review Template

A template for conducting a security review covering authentication, authorization, input validation, injection prevention, secrets management, and dependency auditing.

Template Preview


Security review for [Feature/Module/Release]

As a security-conscious developer, I want a thorough security review of this feature so that I can be confident it does not introduce vulnerabilities that could compromise user data or system integrity.

chore · CRITICAL · 8 pts

Description

Perform a comprehensive security review of [feature/module] to identify and mitigate vulnerabilities before release.

**Review Scope:**

- Authentication: session management, token expiry, credential storage (bcrypt cost factor)
- Authorization: RBAC enforcement, IDOR prevention, privilege escalation checks
- Input validation: Zod schemas on all API inputs, request body size limits
- Injection: SQL injection (parameterized queries via Prisma), XSS (output encoding), command injection (execFileSync with an argument array, never a shell string)
- Secrets: no hardcoded secrets, environment variable usage, timing-safe comparison of tokens and keys
- Dependencies: `npm audit` for known vulnerabilities
- CSRF/CORS: proper origin validation
- Rate limiting: brute force protection on auth routes
- Error handling: no sensitive data in error responses (sanitizeError)

**Severity Classification:** Critical (immediate fix), High (fix before release), Medium (fix in next sprint), Low (backlog)

Acceptance Criteria

Given the security review has been conducted

When all critical and high severity issues are identified

Then each issue has a documented remediation plan and critical issues are fixed before the feature ships

Given API endpoints are reviewed for authorization

When a user attempts to access a resource belonging to another user or project

Then the request is rejected with a 403 or 404 response and no data is leaked
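One way to satisfy this criterion is to load the resource by id and owner together, so a record that belongs to someone else is indistinguishable from one that does not exist. This is an added example, not code from the template; the in-memory `projects` table, `HttpError` and the handler shape are constructed for illustration, and the Prisma call in the comment is the equivalent query, not the template's code.

```javascript
// Added example for the IDOR acceptance criterion. Data and names are constructed.
class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Constructed sample data standing in for the database.
const projects = new Map([
  ["p1", { id: "p1", ownerId: "alice", name: "Billing" }],
  ["p2", { id: "p2", ownerId: "bob", name: "Payroll" }],
]);

// Vulnerable shape for contrast: trusts the id from the URL and ignores the caller.
function loadProjectIdor(projectId) {
  return projects.get(projectId) ?? null;
}

// Hardened: the owner is part of the lookup, not a check bolted on afterwards.
// With Prisma this is the same idea as
//   prisma.project.findFirst({ where: { id: projectId, ownerId: userId } })
// A 404 for "exists but not yours" avoids confirming that the id is valid.
function loadOwnedProject(projectId, userId) {
  const p = projects.get(projectId);
  if (!p || p.ownerId !== userId) throw new HttpError(404, "Not found");
  return p;
}

// Route handler: req.user comes from the authenticated session, never from input.
function getProject(req) {
  try {
    const p = loadOwnedProject(req.params.id, req.user.id);
    return { status: 200, body: { id: p.id, name: p.name } };
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, body: { error: e.message } };
    throw e;
  }
}
```

The same pattern applies to updates and deletes: use `updateMany`/`deleteMany` with the owner in the `where` clause and treat a zero-row result as not found, rather than fetching first and checking ownership in application code.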

Given all API inputs are reviewed

When malicious input is submitted (SQL injection strings, XSS payloads, oversized bodies)

Then the input is rejected by Zod validation or sanitized before processing, and no injection succeeds

Given `npm audit` is run on the project

When the audit completes

Then there are zero critical or high severity vulnerabilities in production dependencies (`npm audit --omit=dev --audit-level=high` exits 0)

Given error responses are reviewed

When an internal error occurs in any API route

Then the response contains a generic error message and no internal paths, stack traces, tokens, or database details are exposed

Import directly into Codepylot

Skip the copy-paste. Codepylot has built-in templates you can use with one click, plus AI that generates even richer stories from your ideas.
