SecurityUserv7FreePublic

OWASP Security Best Practices

OWASP Security Best Practices: updated for OWASP Top 10:2025 with concrete supply-chain controls (SBOM, SCA, lockfile audit), Axios & LiquidJS incident mitigations, and PortSwigger emergent-attack hardening.

LoopVerified7 sources · Updated Apr 9, 2026

Run in sandbox

Content

OWASP Security Best Practices

Systematic secure-coding defaults for web applications grounded in the OWASP Top 10:2025 and ASVS. Covers input validation, output encoding, authentication hardening, authorization enforcement, cryptographic hygiene, dependency & supply-chain management, and security review + incident-response workflows.

When to use

Starting a new web application or API and need a security baseline
Reviewing an existing codebase for hardening opportunities
Adding user-facing forms, file uploads, or payment flows
Preparing for a security audit or penetration test
Onboarding a team to secure-coding standards

When NOT to use

Pure static marketing sites with zero user input — reach for CSP headers only
Embedded firmware or kernel-level security — reach for platform-specific hardening guides
Threat modeling (use the security-threat-model skill instead)

Core concepts

Defense in depth: multiple overlapping controls so no single failure is catastrophic
Least privilege: every component gets the minimum permissions it needs
Fail secure: errors deny access by default, never fail open
Input validation: allowlist-first validation at every trust boundary
Output encoding: context-aware encoding prevents injection in HTML, JS, SQL, URLs
Secure defaults: ship with the strictest config; relax intentionally

OWASP Top 10:2025 quick reference

Update: the OWASP Top 10 was revised for 2025. Use the Top 10:2025 labels and guidance in risk assessments and checklists.

OWASP Security Best Practices · Loop · Loop

← Back to skills

SecurityUserv7FreePublic

OWASP Security Best Practices

LoopVerified7 sources · Updated Apr 9, 2026

Run in sandbox

Content

OWASP Security Best Practices

When to use

Starting a new web application or API and need a security baseline
Reviewing an existing codebase for hardening opportunities
Adding user-facing forms, file uploads, or payment flows
Preparing for a security audit or penetration test
Onboarding a team to secure-coding standards

When NOT to use

Pure static marketing sites with zero user input — reach for CSP headers only
Embedded firmware or kernel-level security — reach for platform-specific hardening guides
Threat modeling (use the security-threat-model skill instead)

Core concepts

Defense in depth: multiple overlapping controls so no single failure is catastrophic
Least privilege: every component gets the minimum permissions it needs
Fail secure: errors deny access by default, never fail open
Input validation: allowlist-first validation at every trust boundary
Output encoding: context-aware encoding prevents injection in HTML, JS, SQL, URLs
Secure defaults: ship with the strictest config; relax intentionally

OWASP Top 10:2025 quick reference

Update: the OWASP Top 10 was revised for 2025. Use the Top 10:2025 labels and guidance in risk assessments and checklists.

#	2025 Risk	Primary defense
A01	Broken Access Control	RBAC + row-level security + server-side checks
A02	Security Misconfiguration	Hardened defaults, minimized permissions, automated config drift detection
A03	Software Supply Chain Failures	SBOM, reproducible builds, SCA, frozen lockfiles, CI gating
A04	Cryptographic Failures	TLS everywhere, modern algorithms, secure key storage
A05	Injection	Parameterized queries, typed validation, output encoding
A06	Insecure Design	Threat modeling, abuse stories, secure-by-design requirements
A07	Authentication Failures	MFA, secure session handling, anti-automation controls
A08	Software or Data Integrity Failures	Signed artifacts, integrity checks in CI/CD
A09	Security Logging & Alerting Failures	Structured logs, monitoring, alerting on anomalies
A10	Mishandling of Exceptional Conditions	Safe error-handling, no sensitive info in error messages

Lockfiles & reproducible installs
- Keep a single source-of-truth lockfile (package-lock.json / pnpm-lock.yaml / yarn.lock) in the repo.
- CI: use reproducible installs and freeze behavior:
  - npm: npm ci --prefer-offline --no-audit --ignore-scripts
  - pnpm: pnpm install --frozen-lockfile --ignore-scripts
  - yarn: yarn install --immutable --ignore-scripts
- Use --ignore-scripts when the build does not require lifecycle scripts to run during package installation to reduce exposure to malicious postinstall hooks. (Be aware: some legitimate build flows rely on lifecycle scripts; test builds in hermetic environments before enabling.)
SBOM (Software Bill of Materials)
- Generate an SBOM for every build and attach it to release artifacts (CycloneDX or SPDX):
  - syft packages dir:. -o cyclonedx > sbom.cyclonedx.json
SCA & scanning in CI
- Run SCA tools in CI (Snyk, GitHub Dependabot, npm audit, pnpm audit) and gate merges on no new high/critical findings.
- Example gate: snyk test || exit 1 or pnpm audit --level=high && exit 1.
Disallow or audit package lifecycle scripts in production builds
- Avoid running untrusted lifecycle scripts during production builds; prefer building inside hermetic containers that do not execute package scripts.
Curated dependency allowlist & publishing hygiene
- For critical builds, maintain an allowlist of approved packages and versions. Require 2FA for maintainer accounts that can publish critical packages.
- Minimize publishing permissions and enforce separation-of-duty: no single person should be able to write and promote to production without oversight.
Artifact signing & integrity checks
- Sign release artifacts and verify signatures during deployment to mitigate tampered releases (A08 mitigation).
Lockfile auditing & CI runner hardening
- Scan lockfiles for unexpected versions during release. Avoid running untrusted third-party workflows on privileged runners.
Incident response for supply-chain compromise (operational steps)
1. Identify exposure: audit lockfiles and dependency trees to find where malicious versions were installed. Example commands:
  - npm ls axios@1.14.1 || true
  - npm ls axios@0.30.4 || true
  - grep -nE "axios["'@].*(1\\.14\\.1|0\\.30\\.4)" package-lock.json yarn.lock pnpm-lock.yaml || true
2. Contain: suspend affected CI jobs and isolate ephemeral runners; rotate runner tokens and secrets.
3. Eradicate: rebuild images from known-good lockfiles or pinned safe versions; prefer builds from signed artifacts or commit hashes predating the malicious publish.
4. Rotate secrets that the compromised runner or build could access and revoke exposed credentials.
5. Hunt for persistence: scan artifact storage, container registries, and deployed hosts for postinstall artifacts or network indicators.
6. Notify stakeholders and publish IOCs internally (hashes, C2 domains) to speed detection — vendors like Snyk publish IOCs in advisories.

Activity

ActiveDaily · 9:00 AM7 sources

Automation & run history

Automation status and run history. Only the owner can trigger runs or edit the schedule.

View automation desk

Next runin 4h

ScheduleDaily · 9:00 AM

Runs this month30

Latest outcomev12

April 2026

OWASP Security Best Practices refresh

Daily · 9:00 AM30 runsin 4h

Automation brief

Scan GitHub Security Advisories for critical npm CVEs. Check Snyk blog for dependency vulnerability trends. Monitor PortSwigger for new web-attack techniques. Update the secure-coding checklist, dependency-audit workflow, and incident-response patterns.

Latest refresh trace

Reasoning steps, source results, and the diff that landed.

Apr 18, 2026 · 9:28 AM

triggerAutomation

editoropenai/gpt-5-mini

duration115.5s

statussuccess

sources discovered+1

Revision: v12

This update incorporates confirmed details from the Snyk advisory on the Axios npm compromise (affected releases axios@1.14.1 and axios@0.30.4, malicious dependency plain-crypto-js@4.2.1 and C2 indicators), affirms OWASP Top 10:2025 guidance on supply-chain failures (A03), tightens header-sanitization and IMDS egress-block recommendations, and cites PortSwigger 2025 research for emergent attack patterns.

Added explicit Snyk SNYK-JS-AXIOS-15850650 references and IoCs; rewrote supply-chain controls and incident playbook with operational commands; added header-sanitization and egress-blocking guidance tied to CVE-2026-40175; cited PortSwigger Top 10:2025 and OWASP Top 10:2025; preserved existing template-engine and dev-server hardening advice.

Agent steps

Step 1Started scanning 9 sources.

Step 2GitHub Security Advisories: 12 fresh signals captured.

Step 3Snyk Blog: 5 fresh signals captured.

Step 4PortSwigger Research: 12 fresh signals captured.

Step 5OWASP: No fresh signals found.

Step 6Krebs on Security: 10 fresh signals captured.

Step 7OWASP Top 10: 12 fresh signals captured.

Step 8NVD - Recent CVEs: 12 fresh signals captured.

Step 9Snyk Blog: 12 fresh signals captured.

Step 10GitHub Security Advisories: 12 fresh signals captured.

Step 11Agent is rewriting the skill body from the fetched source deltas.

Step 12Agent discovered 1 new source(s): PortSwigger Research.

Step 13v12 is live with body edits.

Sources

GitHub Security Advisoriesdone

12 fresh signals captured.

Sign up OpenClaw: Webchat media embedding enforces local-root containment for tool-result files Remote Code Execution (RCE) via String Literal Injection into math-codegen

Snyk Blogdone

5 fresh signals captured.

Governing Security in the Age of Infinite Signal – From Discovery to Control Secure What Matters: Scaling Effortless Container Security for the AI Era Building AI Security with Our Customers: 5 Lessons from Evo’s Design Partner Program

PortSwigger Researchdone

12 fresh signals captured.

Top 10 web hacking techniques of 2025 Top 10 web hacking techniques of 2025: call for nominations Document My Pentest: you hack, the AI writes it up!

OWASPdone

No fresh signals found.

Krebs on Securitydone

10 fresh signals captured.

Patch Tuesday, April 2026 Edition Russia Hacked Routers to Steal Microsoft Office Tokens Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

OWASP Top 10done

12 fresh signals captured.

en - English Introduction About OWASP

NVD - Recent CVEsdone

12 fresh signals captured.

NVD Dashboard News and Status Updates Visualizations

Snyk Blogdone

12 fresh signals captured.

Read now Read now Read now

GitHub Security Advisoriesdone

12 fresh signals captured.

Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients pretalx vulnerable to stored cross-site scripting in organizer search typeahead

Diff preview

- Input validation: allowlist-first validation at every trust boundary

- Output encoding: context-aware encoding prevents injection in HTML, JS, SQL, URLs

- Secure defaults: ship with the strictest config; relax intentionally

−

- HTTP header sanitization: validate/sanitize header values before writing to sockets to prevent CRLF/SMUGGLING/SSRF gadget chains (see Axios advisory, CVE-2026-40175)

- HTTP header sanitization: validate/sanitize header values before writing to sockets to prevent CRLF/SMUGGLING/SSRF gadget chains

### OWASP Top 10:2025 quick reference

@@ −43 +43 @@

| A09 | Security Logging & Alerting Failures | Structured logs, monitoring, alerting on anomalies |

| A10 | Mishandling of Exceptional Conditions | Safe error-handling, no sensitive info in error messages |

−References: OWASP Top 10:2025 (https://owasp.org/Top10/2025/)

+References: OWASP Top 10:2025 — https://owasp.org/Top10/2025/

## Workflow

@@ −55 +55 @@

### Step 2: Harden HTTP headers

−

Apply strict header validation and common security headers. In addition to HSTS, CSP, X-Content-Type-Options, Referrer-Policy, explicitly validate header values before writing them to sockets to prevent CRLF/SMUGGLING payloads and header-injection gadget chains. Example (conceptual):

Apply strict header validation and common security headers. In addition to HSTS, CSP, X-Content-Type-Options, Referrer-Policy, explicitly validate header values before writing them to sockets to prevent CRLF/SMUGGLING payloads and header-injection gadget chains.

+Practical rules:

- Reject header values containing CR or LF characters: if (/\r|\n/.test(value)) reject

- Normalize header names and canonicalize values before merging

- When merging user-supplied config into request headers, sanitize or drop unexpected keys

−

(See Axios advisory CVE-2026-40175 for a concrete gadget chain that escalates prototype pollution into cloud metadata exfiltration and IMDSv2 bypass via unsanitised header values in Axios. Upgrade to patched versions and sanitize headers.)

Practical egress-block sample (CI/build isolation):

- Cloud: add an egress rule that denies 169.254.169.254/32 from build subnets

@@ −80 +79 @@

### Step 5: Dependency & supply-chain management (detailed, updated)

−

Why update: OWASP Top 10:2025 elevated supply-chain issues to A03 and recent incidents demonstrate active exploitation of publishing workflows, maintainer account compromises, and lifecycle-script abuse (Axios compromise is a recent example).

Why update: OWASP Top 10:2025 elevated supply-chain issues to A03 and recent incidents demonstrate active exploitation of publishing workflows, maintainer account compromises, and lifecycle-script abuse. The March 31, 2026 Axios incident is a concrete example: malicious versions axios@1.14.1 and axios@0.30.4 were briefly published and contained a postinstall hook that pulled a hidden dependency (plain-crypto-js@4.2.1) which executed a cross-platform RAT during installation. The malicious releases were removed from npm within hours; see Snyk advisory for IOCs and indicators.

Concrete, operational controls (copy-paste checklist):

Diff▶

+Generated: 2026-04-09T09:26:34.635Z

Summary: This revision brings the skill up-to-date with OWASP Top 10:2025 and recent high-impact signals: the Axios npm supply-chain compromise (Mar 2026) and LiquidJS arbitrary file-read advisory (Apr 2026). It tightens dependency and CI controls (lockfile freezes, --ignore-scripts examples), adds concrete incident-response commands, and documents dev-server/template-engine mitigations aligned with PortSwigger research.

−Generated: 2026-04-07T09:26:34.958Z

What changed: Added/expanded dependency & supply-chain management section with SBOM, CI commands, and incident-response playbook; added dev-server and template-engine hardening referencing LiquidJS advisory; added concrete lockfile/`npm ls` audit commands; updated references to OWASP Top 10:2025 and PortSwigger Top 10 research.

−

Summary: This update aligns the skill with OWASP Top 10:2025 and recent supply-chain incidents. It adds an explicit dependency & supply-chain management section, concrete CI gating and SBOM guidance, and incident-response steps (inspired by the March 2026 Axios compromise). It also incorporates PortSwigger findings on parser differentials and dev-server advisories into edge-case guidance.

−

What changed: Added: Dependency & supply-chain management section, incident-response checklist, dependency-audit workflow (SBOM + CI gating). Updated: OWASP Top 10 quick reference to 2025 labels; Edge cases to include dev-server exposure and parser-differential attacks. Removed: minor fluff in the "Research-backed changes" placeholder and replaced with concrete signals.

Body changed: yes

Editor: openai/gpt-5-mini

−

Changed sections: OWASP Top 10 quick reference, Step 5: Dependency & supply-chain management, Edge cases and gotchas, Dependency-audit workflow, Incident response quick checklist, Research-backed changes

Changed sections: Dependency & supply-chain management, Dev-server and template engine hardening, Workflow, Incident response quick checklist, Fresh signals used for this refresh

Experiments:

+- Integrate automated SBOM comparison checks between builds to detect silent changes

+- Simulate supply-chain incidents in tabletop exercises and publish scripted playbooks

−- Automated SBOM-diff checks between builds to detect silent supply-chain changes

+- Prototype CI checks to disable lifecycle scripts for production builds unless explicitly whitelisted

−- Tabletop supply-chain incident simulation and scripted playbooks for CI/runner hardening

Signals:

- LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header (GitHub Security Advisories)

+- Sign in (GitHub Security Advisories)

- Sign up (GitHub Security Advisories)

−- Vite: `server.fs.deny` bypassed with queries (GitHub Security Advisories)

- LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read (GitHub Security Advisories)

−- OpenClaw's complex interpreter pipelines could skip exec script preflight validation (GitHub Security Advisories)

−- Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling (GitHub Security Advisories)

OWASP Security Best Practices

Content

OWASP Security Best Practices

When to use

When NOT to use

Core concepts

OWASP Top 10:2025 quick reference

OWASP Security Best Practices

Content

OWASP Security Best Practices

When to use

When NOT to use

Core concepts

OWASP Top 10:2025 quick reference

Workflow

Step 1: Define a validation layer with Zod (or equivalent)

Step 2: Harden HTTP headers

Step 3: Sanitize output encoding

Step 4: Enforce parameterized queries

Step 5: Dependency & supply-chain management (detailed, updated)

Step 6: Secure-by-design & threat modeling

Step 7: Runtime protections

Examples and defensive checks (concrete)

Dev-server and template engine hardening

Decision tree (concise)

Edge cases and gotchas

Evaluation criteria

Dependency-audit workflow (concrete)

Incident response quick checklist (supply-chain focus)

Research-backed changes in this revision

Fresh signals used for this refresh

Next edits

Experiments / future work

Activity

Automation & run history

Latest refresh trace

Research engine

Sources