SecurityUserv12FreePublic

OWASP Security Best Practices

Operational OWASP-aligned secure-coding baseline updated for Top 10:2025 and the March 2026 Axios supply-chain incident, adding concrete IoCs and CI mitigation steps.

LoopVerified10 sources · Updated 17h ago

Run in sandbox

Content

OWASP Security Best Practices

Systematic secure-coding defaults for web applications grounded in the OWASP Top 10:2025 and ASVS. Covers input validation, output encoding, authentication hardening, authorization enforcement, cryptographic hygiene, dependency & supply-chain management, and security review + incident-response workflows.

When to use

Starting a new web application or API and need a security baseline
Reviewing an existing codebase for hardening opportunities
Adding user-facing forms, file uploads, or payment flows
Preparing for a security audit or penetration test
Onboarding a team to secure-coding standards

When NOT to use

Pure static marketing sites with zero user input — reach for CSP headers only
Embedded firmware or kernel-level security — reach for platform-specific hardening guides
Threat modeling (use the security-threat-model skill instead)

Core concepts

Defense in depth: multiple overlapping controls so no single failure is catastrophic
Least privilege: every component gets the minimum permissions it needs
Fail secure: errors deny access by default, never fail open
Input validation: allowlist-first validation at every trust boundary
Output encoding: context-aware encoding prevents injection in HTML, JS, SQL, URLs
Secure defaults: ship with the strictest config; relax intentionally
HTTP header sanitization: validate/sanitize header values before writing to sockets to prevent CRLF/SMUGGLING/SSRF gadget chains

OWASP Security Best Practices · Loop · Loop

#	2025 Risk	Primary defense
A01	Broken Access Control	RBAC + row-level security + server-side checks
A02	Security Misconfiguration	Hardened defaults, minimized permissions, automated config drift detection
A03	Software Supply Chain Failures	SBOM, reproducible builds, SCA, frozen lockfiles, CI gating
A04	Cryptographic Failures	TLS everywhere, modern algorithms, secure key storage
A05	Injection	Parameterized queries, typed validation, output encoding
A06	Insecure Design	Threat modeling, abuse stories, secure-by-design requirements
A07	Authentication Failures	MFA, secure session handling, anti-automation controls
A08	Software or Data Integrity Failures	Signed artifacts, integrity checks in CI/CD
A09	Security Logging & Alerting Failures	Structured logs, monitoring, alerting on anomalies
A10	Mishandling of Exceptional Conditions	Safe error-handling, no sensitive info in error messages

Lockfiles & reproducible installs
- Keep a single source-of-truth lockfile (package-lock.json / pnpm-lock.yaml / yarn.lock) in the repo.
- CI: use reproducible installs and freeze behavior:
  - npm: npm ci --prefer-offline --no-audit --ignore-scripts
  - pnpm: pnpm install --frozen-lockfile --ignore-scripts
  - yarn: yarn install --immutable --ignore-scripts
- Use --ignore-scripts when the production build does not require lifecycle scripts to run during package installation to reduce exposure to malicious postinstall hooks. Test builds in hermetic environments before enabling.
SBOM (Software Bill of Materials)
- Generate an SBOM for every build and attach it to release artifacts (CycloneDX or SPDX):
  - syft packages dir:. -o cyclonedx > sbom.cyclonedx.json
SCA & scanning in CI
- Run SCA tools in CI (Snyk, GitHub Dependabot, npm audit, pnpm audit) and gate merges on no new high/critical findings.
- Example gate: snyk test || exit 1 or pnpm audit --level=high && exit 1.
Verify package provenance and integrity
- Where available, verify package signatures (in registries that support signing) or compare package tarball hashes before accepting new versions in gated builds.
- Consider caching vetted tarballs in an internal registry (Artifactory, Nexus, Verdaccio) for production builds.
Disallow or audit package lifecycle scripts in production builds
- Avoid running untrusted lifecycle scripts during production builds; prefer building inside hermetic containers that do not execute package scripts.
- If you must run lifecycle scripts, run them in an isolated step with restricted network access and short-lived credentials.
Curated dependency allowlist & publishing hygiene
- For critical builds, maintain an allowlist of approved packages and versions. Require 2FA for maintainer accounts that can publish critical packages.
- Minimize publishing permissions and enforce separation-of-duty for release promotions (use separate signing and publishing CI jobs with different credentials).
Artifact signing & integrity checks
- Sign release artifacts and verify signatures during deployment to mitigate tampered releases (A08 mitigation).
Lockfile auditing & CI runner hardening
- Scan lockfiles for unexpected versions during release. Avoid running untrusted third-party workflows on privileged runners; isolate ephemeral runners and rotate tokens regularly.
Incident response for supply-chain compromise (operational steps)
1. Identify exposure: audit lockfiles and dependency trees to find where malicious versions were installed. Example commands:
  - npm ls axios@1.14.1 || true
  - npm ls axios@0.30.4 || true
  - grep -nE "axios[\"'@].*(1\\.14\\.1|0\\.30\\.4)" package-lock.json yarn.lock pnpm-lock.yaml || true
2. Contain: suspend affected CI jobs and isolate ephemeral runners; rotate runner tokens and secrets.
3. Eradicate: rebuild images from known-good lockfiles or pinned safe versions; prefer builds from signed artifacts or commit hashes predating the malicious publish.
4. Rotate secrets that the compromised runner or build could access and revoke exposed credentials.
5. Hunt for persistence: scan artifact storage, container registries, and deployed hosts for postinstall artifacts or network indicators.
6. Notify stakeholders and publish IOCs internally (hashes, C2 domains) to speed detection — vendors like Snyk publish IOCs in advisories.

Activity

ActiveDaily · 9:00 AM10 sources

Automation & run history

Automation status and run history. Only the owner can trigger runs or edit the schedule.

View automation desk

Next runin 5h

ScheduleDaily · 9:00 AM

Runs this month30

Latest outcomev12

April 2026

OWASP Security Best Practices refresh

Daily · 9:00 AM30 runsin 5h

Automation brief

Scan GitHub Security Advisories for critical npm CVEs. Check Snyk blog for dependency vulnerability trends. Monitor PortSwigger for new web-attack techniques. Update the secure-coding checklist, dependency-audit workflow, and incident-response patterns.

Latest refresh trace

Reasoning steps, source results, and the diff that landed.

Apr 18, 2026 · 9:28 AM

triggerAutomation

editoropenai/gpt-5-mini

duration115.5s

statussuccess

sources discovered+1

Revision: v12

This update incorporates confirmed details from the Snyk advisory on the Axios npm compromise (affected releases axios@1.14.1 and axios@0.30.4, malicious dependency plain-crypto-js@4.2.1 and C2 indicators), affirms OWASP Top 10:2025 guidance on supply-chain failures (A03), tightens header-sanitization and IMDS egress-block recommendations, and cites PortSwigger 2025 research for emergent attack patterns.

Added explicit Snyk SNYK-JS-AXIOS-15850650 references and IoCs; rewrote supply-chain controls and incident playbook with operational commands; added header-sanitization and egress-blocking guidance tied to CVE-2026-40175; cited PortSwigger Top 10:2025 and OWASP Top 10:2025; preserved existing template-engine and dev-server hardening advice.

Agent steps

Step 1Started scanning 9 sources.

Step 2GitHub Security Advisories: 12 fresh signals captured.

Step 3Snyk Blog: 5 fresh signals captured.

Step 4PortSwigger Research: 12 fresh signals captured.

Step 5OWASP: No fresh signals found.

Step 6Krebs on Security: 10 fresh signals captured.

Step 7OWASP Top 10: 12 fresh signals captured.

Step 8NVD - Recent CVEs: 12 fresh signals captured.

Step 9Snyk Blog: 12 fresh signals captured.

Step 10GitHub Security Advisories: 12 fresh signals captured.

Step 11Agent is rewriting the skill body from the fetched source deltas.

Step 12Agent discovered 1 new source(s): PortSwigger Research.

Step 13v12 is live with body edits.

Sources

GitHub Security Advisoriesdone

12 fresh signals captured.

Sign up OpenClaw: Webchat media embedding enforces local-root containment for tool-result files Remote Code Execution (RCE) via String Literal Injection into math-codegen

Snyk Blogdone

5 fresh signals captured.

Governing Security in the Age of Infinite Signal – From Discovery to Control Secure What Matters: Scaling Effortless Container Security for the AI Era Building AI Security with Our Customers: 5 Lessons from Evo’s Design Partner Program

PortSwigger Researchdone

12 fresh signals captured.

Top 10 web hacking techniques of 2025 Top 10 web hacking techniques of 2025: call for nominations Document My Pentest: you hack, the AI writes it up!

OWASPdone

No fresh signals found.

Krebs on Securitydone

10 fresh signals captured.

Patch Tuesday, April 2026 Edition Russia Hacked Routers to Steal Microsoft Office Tokens Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

OWASP Top 10done

12 fresh signals captured.

en - English Introduction About OWASP

NVD - Recent CVEsdone

12 fresh signals captured.

NVD Dashboard News and Status Updates Visualizations

Snyk Blogdone

12 fresh signals captured.

Read now Read now Read now

GitHub Security Advisoriesdone

12 fresh signals captured.

Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients pretalx vulnerable to stored cross-site scripting in organizer search typeahead

Diff preview

- Input validation: allowlist-first validation at every trust boundary

- Output encoding: context-aware encoding prevents injection in HTML, JS, SQL, URLs

- Secure defaults: ship with the strictest config; relax intentionally

−

- HTTP header sanitization: validate/sanitize header values before writing to sockets to prevent CRLF/SMUGGLING/SSRF gadget chains (see Axios advisory, CVE-2026-40175)

- HTTP header sanitization: validate/sanitize header values before writing to sockets to prevent CRLF/SMUGGLING/SSRF gadget chains

### OWASP Top 10:2025 quick reference

@@ −43 +43 @@

| A09 | Security Logging & Alerting Failures | Structured logs, monitoring, alerting on anomalies |

| A10 | Mishandling of Exceptional Conditions | Safe error-handling, no sensitive info in error messages |

−References: OWASP Top 10:2025 (https://owasp.org/Top10/2025/)

+References: OWASP Top 10:2025 — https://owasp.org/Top10/2025/

## Workflow

@@ −55 +55 @@

### Step 2: Harden HTTP headers

−

Apply strict header validation and common security headers. In addition to HSTS, CSP, X-Content-Type-Options, Referrer-Policy, explicitly validate header values before writing them to sockets to prevent CRLF/SMUGGLING payloads and header-injection gadget chains. Example (conceptual):

Apply strict header validation and common security headers. In addition to HSTS, CSP, X-Content-Type-Options, Referrer-Policy, explicitly validate header values before writing them to sockets to prevent CRLF/SMUGGLING payloads and header-injection gadget chains.

+Practical rules:

- Reject header values containing CR or LF characters: if (/\r|\n/.test(value)) reject

- Normalize header names and canonicalize values before merging

- When merging user-supplied config into request headers, sanitize or drop unexpected keys

−

(See Axios advisory CVE-2026-40175 for a concrete gadget chain that escalates prototype pollution into cloud metadata exfiltration and IMDSv2 bypass via unsanitised header values in Axios. Upgrade to patched versions and sanitize headers.)

Practical egress-block sample (CI/build isolation):

- Cloud: add an egress rule that denies 169.254.169.254/32 from build subnets

@@ −80 +79 @@

### Step 5: Dependency & supply-chain management (detailed, updated)

−

Why update: OWASP Top 10:2025 elevated supply-chain issues to A03 and recent incidents demonstrate active exploitation of publishing workflows, maintainer account compromises, and lifecycle-script abuse (Axios compromise is a recent example).

Why update: OWASP Top 10:2025 elevated supply-chain issues to A03 and recent incidents demonstrate active exploitation of publishing workflows, maintainer account compromises, and lifecycle-script abuse. The March 31, 2026 Axios incident is a concrete example: malicious versions axios@1.14.1 and axios@0.30.4 were briefly published and contained a postinstall hook that pulled a hidden dependency (plain-crypto-js@4.2.1) which executed a cross-platform RAT during installation. The malicious releases were removed from npm within hours; see Snyk advisory for IOCs and indicators.

Concrete, operational controls (copy-paste checklist):

Diff▶

+Generated: 2026-04-18T09:27:03.952Z

Summary: This update incorporates confirmed details from the Snyk advisory on the Axios npm compromise (affected releases axios@1.14.1 and axios@0.30.4, malicious dependency plain-crypto-js@4.2.1 and C2 indicators), affirms OWASP Top 10:2025 guidance on supply-chain failures (A03), tightens header-sanitization and IMDS egress-block recommendations, and cites PortSwigger 2025 research for emergent attack patterns.

−Generated: 2026-04-16T09:52:44.404Z

What changed: Added explicit Snyk SNYK-JS-AXIOS-15850650 references and IoCs; rewrote supply-chain controls and incident playbook with operational commands; added header-sanitization and egress-blocking guidance tied to CVE-2026-40175; cited PortSwigger Top 10:2025 and OWASP Top 10:2025; preserved existing template-engine and dev-server hardening advice.

−

Summary: This update tightens supply-chain controls and header-sanitization guidance in response to the March 2026 Axios supply-chain compromise and GitHub advisory/CVE on header-injection metadata exfiltration. It adds CI egress-block examples, NVD cross-check links, and an expanded incident-response checklist with IOCs and remediation steps.

−

What changed: Added CI egress-block sample and NVD CVE reference; expanded Dependency & supply-chain management section with operational controls and an incident playbook; added header-sanitization mitigations and prototype-pollution guidance; preserved and validated prior template-engine hardening notes.

Body changed: yes

Editor: openai/gpt-5-mini

−

Changed sections: Dependency & supply-chain management, Header-sanitization & prototype-pollution mitigation, Incident response quick checklist, Fresh signals used

Changed sections: Core concepts, Step 5: Dependency & supply-chain management (detailed, updated), Header-sanitization & prototype-pollution mitigation (new), Incident response quick checklist, Research-backed changes in this revision

Experiments:

+- Automate SBOM diff checks between consecutive builds to detect silent dependency swaps

- Create a CI job template that performs hermetic installs with --ignore-scripts and verifies package tarball hashes before allowing production releases

−- Automated SBOM-diff checks between successive builds to detect silent dependency swaps

- Run tabletop simulations of a supply-chain compromise using the Axios incident as a scenario and measure mean-time-to-detect

−- Tabletop supply-chain incident simulations with scripted CI rollback playbooks

−- Prototype a CI runner egress blocklist that auto-blocks IMDS ranges unless explicitly whitelisted

Signals:

+- Snyk AI Security Platform (Snyk Blog)

+- Read now (Snyk Blog)

−

- pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition) (GitHub Security Advisories)

+- Read now (Snyk Blog)

−

- PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code (GitHub Security Advisories)

−- MsQuic has a Remote Elevation of Privilege Vulnerability (GitHub Security Advisories)

−- Sign up (GitHub Security Advisories)

Update history8▶

17h ago4 sources

2d ago4 sources

This update tightens supply-chain controls and header-sanitization guidance in response to the March 2026 Axios supply-chain compromise and GitHub advisory/CVE on header-injection metadata exfiltration. It adds CI egress-block examples, NVD cross-check links, and an expanded incident-response checklist with IOCs and remediation steps.

4d ago4 sources

This update tightens supply-chain and header-sanitization guidance using primary advisories: Snyk's Axios supply-chain incident (SNYK-JS-AXIOS-15850650) and GitHub advisory CVE-2026-40175. It adds concrete IOCs, commands for lockfile scanning, and operational CI mitigations (freeze installs, disable lifecycle scripts in production builds, block IMDS from CI runners).

5d ago4 sources

This update tightens supply-chain and header-sanitization guidance using Snyk and GitHub advisories from March–April 2026. Removed an imprecise patch-version claim for Axios and replaced it with advisory-driven pinning/upgrade guidance, and added concrete incident-response commands and mitigations.

Apr 11, 20264 sources

This update adds explicit operational mitigations for header injection and prototype-pollution gadget chains (CVE-2026-40175 / Axios advisory), expands the supply-chain incident playbook using Snyk's Axios advisory as a model, and reinforces OWASP Top 10:2025 controls and PortSwigger emergent-attack guidance.

Apr 9, 20264 sources

This revision brings the skill up-to-date with OWASP Top 10:2025 and recent high-impact signals: the Axios npm supply-chain compromise (Mar 2026) and LiquidJS arbitrary file-read advisory (Apr 2026). It tightens dependency and CI controls (lockfile freezes, --ignore-scripts examples), adds concrete incident-response commands, and documents dev-server/template-engine mitigations aligned with PortSwigger research.

Apr 7, 20264 sources

This update aligns the skill with OWASP Top 10:2025 and recent supply-chain incidents. It adds an explicit dependency & supply-chain management section, concrete CI gating and SBOM guidance, and incident-response steps (inspired by the March 2026 Axios compromise). It also incorporates PortSwigger findings on parser differentials and dev-server advisories into edge-case guidance.

Apr 5, 20264 sources

OWASP Security Best Practices agent run was interrupted: Free credits temporarily have rate limits in place due to abuse. We are working on a resolution. Try again later, or pay for credits which continue to have unrestricted access. Pur

Content

OWASP Security Best Practices

When to use

When NOT to use

Core concepts

Content

OWASP Security Best Practices

When to use

When NOT to use

Core concepts

OWASP Top 10:2025 quick reference

Workflow

Step 1: Define a validation layer with Zod (or equivalent)

Step 2: Harden HTTP headers

Step 3: Sanitize output encoding

Step 4: Enforce parameterized queries

Step 5: Dependency & supply-chain management (detailed, updated)

Header-sanitization & prototype-pollution mitigation (new)

Step 6: Secure-by-design & threat modeling

Step 7: Runtime protections

Examples and defensive checks (concrete)

Dev-server and template engine hardening

Decision tree (concise)

Edge cases and gotchas

Evaluation criteria

Dependency-audit workflow (concrete)

Incident response quick checklist (supply-chain & header-injection focus)

Research-backed changes in this revision

Fresh signals used for this refresh

Next edits

Experiments / future work

Agent docs

Codex — OWASP Security Best Practices

Environment

When this skill is active

Tool usage

Testing expectations

Common failure modes

Output format

Activity

Automation & run history

Latest refresh trace

Research engine

Sources