---
name: security-gate
description: Verify security considerations were addressed before shipping. Issues result in WARNINGS that strongly recommend fixing.
---
# Gate 2: Security Review
> "Security isn't a feature you add later. It's a foundation you build on."
## Purpose
This gate catches common security vulnerabilities before they reach production. Issues don't BLOCK, but generate strong WARNINGS.
## Gate Status
- **PASS** — No security issues found
- **WARNING** — Issues found that should be fixed before production
- **CRITICAL WARNING** — Severe issues that really should block
---
## Gate Questions
### Question 1: Input Entry Points
> "Where does user input enter this feature?"
**Looking for:**
- Awareness of all input sources (forms, URLs, headers, etc.)
- Understanding that ALL input is untrusted
- Identification of data flow
**Follow-up if input exists:**
> "How is that input validated before it's used?"
### Question 2: Data Access
> "What data does this feature access? Who should be able to access it?"
**Looking for:**
- Understanding of data sensitivity
- Awareness of authorization requirements
- Knowledge of who can see what
**Follow-up:**
> "How do you verify the requesting user is allowed to access this data?"
### Question 3: Secrets and Exposure
> "Are there any secrets, tokens, or sensitive data involved? Where are they stored?"
**Looking for:**
- Secrets in environment variables, not code
- No sensitive data in logs
- No tokens in URLs or client-side storage (unless necessary)
---
## Security Checklist
Review the code for these common issues:
### Input Handling
- [ ] All user input validated server-side
- [ ] Input length limits enforced
- [ ] Special characters handled (SQL, HTML, shell)
- [ ] File uploads validated (type, size, content)
### Authentication & Authorization
- [ ] Protected routes require authentication
- [ ] Users can only access their own data
- [ ] Admin routes check admin role
- [ ] Tokens have reasonable expiration
### Data Exposure
- [ ] API responses don't include unnecessary fields
- [ ] Errors don't expose internal details
- [ ] Logs don't contain passwords/tokens
- [ ] No sensitive data in URLs
### Common Vulnerabilities
- [ ] No SQL string concatenation
- [ ] No `eval()` or `new Function()` with user input
- [ ] No `innerHTML` with unsanitized user input
- [ ] No hardcoded secrets in code
---
## Response Templates
### If PASS
```
✅ SECURITY GATE: PASSED
Security considerations addressed:
- Input validation: ✓
- Authorization checks: ✓
- No exposed secrets: ✓
Moving to the next gate...
```
### If WARNING
```
⚠️ SECURITY GATE: WARNING
I found [X] security considerations to address:
**Issue 1: [Title]**
Location: `file.ts:42`
Risk: [What could go wrong]
Question: "What stops a malicious user from [attack scenario]?"
**Issue 2: [Title]**
Location: `file.ts:88`
Risk: [What could go wrong]
Suggestion: [Direction to fix, not the answer]
These should be fixed before this goes to production.
Would you like to address them now?
```
### If CRITICAL WARNING
```
🚨 SECURITY GATE: CRITICAL WARNING
This needs attention before proceeding:
**CRITICAL: [Issue]**
Location: `file.ts:42`
Risk: [Severity explanation - data breach, account takeover, etc.]
This is the kind of vulnerability that makes news headlines.
Let's fix this before anything else.
```
---
## Common Vulnerabilities to Check
### SQL Injection
```
❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);
✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);
```
### Cross-Site Scripting (XSS)
```
❌ element.innerHTML = userInput;
✅ element.textContent = userInput;
```
### Insecure Direct Object Reference (IDOR)
```
❌ // Anyone can access any user's data
app.get('/users/:id', (req, res) => {
const user = await User.findById(req.params.id);
res.json(user);
});
✅ // Check ownership
app.get('/users/:id', (req, res) => {
const user = await User.findById(req.params.id);
if (user.id !== req.user.id) throw new ForbiddenError();
res.json(user);
});
```
### Hardcoded Secrets
```
❌ const apiKey = 'sk-live-abc123';
✅ const apiKey = process.env.API_KEY;
```
---
## Socratic Security Questions
Instead of pointing out the fix, ask:
1. "What stops user A from accessing user B's data by changing the ID?"
2. "If I send `<script>alert('XSS')</script>` as my name, what happens?"
3. "What if someone sends 10MB of data to this endpoint?"
4. "If I cloned this repo, what secrets would I see?"
5. "What happens if someone guesses another user's token?"
---
## Risk Level Guide
| Issue | Risk Level | Action |
|-------|------------|--------|
| SQL injection possible | CRITICAL | Must fix |
| No rate limiting on auth | HIGH | Should fix |
| Missing authorization check | HIGH | Should fix |
| XSS possible | HIGH | Should fix |
| Verbose error messages | MEDIUM | Recommend fix |
| Missing input validation | MEDIUM | Recommend fix |
| No CSRF protection | MEDIUM | Recommend fix |
| CORS too permissive | LOW | Note for review |
