Security Prompts for Your AI Coding Projects

Review my authentication implementation for security vulnerabilities. Check for: plaintext password storage (must use bcrypt/scrypt/argon2 with cost factor >= 10), missing rate limiting on login endpoints, JWT tokens without expiration or with expiration longer than 24 hours, session tokens that persist after logout, password reset links that do not expire within 1 hour, and missing CSRF protection on login forms. List each issue found with severity (critical/high/medium) and the exact code change needed to fix it.

Audit my password reset flow end to end. Verify that: reset tokens are cryptographically random (minimum 32 bytes), tokens expire within 1 hour of generation, tokens are single-use and invalidated after consumption, the reset endpoint does not reveal whether an email exists in the system, rate limiting prevents brute-force token guessing, and the new password is validated against complexity requirements before being accepted. Show me the current implementation alongside the secure version for each issue.

Check my multi-factor authentication implementation. Verify that: TOTP secrets are stored encrypted at rest, backup codes are single-use and hashed, MFA cannot be bypassed by directly accessing API endpoints, the MFA enrollment flow requires re-authentication, and there is no way to downgrade from MFA to password-only without administrator approval. If MFA is not implemented, recommend the simplest secure implementation for my current stack.

Review all API endpoints in my application for authorization vulnerabilities. For each endpoint check: does it verify the authenticated user has permission to access the specific resource requested (not just that they are logged in), does it prevent horizontal privilege escalation (User A accessing User B's data by changing an ID), does it prevent vertical privilege escalation (regular user accessing admin endpoints), and are all sensitive operations protected by authentication? List every endpoint with its current authorization status and the fix needed.

Audit my API responses for data leakage. For each endpoint, compare what data the frontend actually needs versus what the API returns. Flag any endpoint that returns: password hashes, internal database IDs that could enable enumeration, email addresses or personal information not required by the UI, API keys or tokens in response bodies, or full database records when only specific fields are needed. Provide the minimal response object for each endpoint.

Review my API rate limiting and abuse prevention. Check that: all public endpoints have rate limiting configured, authentication endpoints have stricter limits (max 5 attempts per minute), rate limiting is applied server-side (not client-side), failed authentication attempts are logged with IP and timestamp, and there are no endpoints that accept unbounded input sizes or file uploads without limits. Show me how to implement rate limiting for my specific framework if it is missing.

Audit all database queries in my application for SQL injection vulnerabilities. Find every query that uses string concatenation or template literals to include user input. Replace each one with parameterized queries or prepared statements. Also check for: NoSQL injection in MongoDB queries, ORM misuse that bypasses parameterization, and any raw query functions that accept user-controlled input. Show the vulnerable code and the fixed version side by side.

Review my database configuration and access patterns for security issues. Check for: default credentials still in use, database accessible from the public internet without IP restrictions, connections not using SSL/TLS, application connecting with root or admin privileges instead of a least-privilege user, missing connection pooling that could enable connection exhaustion, and any database backups stored without encryption. Provide the specific configuration changes needed for my database.

Check my database schema for sensitive data handling issues. Verify that: passwords are hashed (never stored in plaintext or reversible encryption), PII fields are identified and encrypted at rest where required by regulation, credit card numbers are never stored in full (use a payment processor), session tokens are not stored in plaintext, audit logs capture who accessed what data and when, and there is a data retention policy implemented for user deletion requests. List every sensitive field and its current protection status.

Review my deployment configuration for security issues. Check that: debug mode is disabled in production, error messages do not expose stack traces or internal paths, source maps are not deployed to production, environment variables are used for all secrets (none hardcoded), the deployment uses HTTPS with a valid certificate, HTTP Strict Transport Security (HSTS) is enabled, and the server returns security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options and Referrer-Policy. Show me the exact configuration needed for my hosting platform.

Audit my CORS (Cross-Origin Resource Sharing) configuration. Check that: Access-Control-Allow-Origin is not set to wildcard (*) in production, only trusted domains are in the allowed origins list, credentials are not allowed with wildcard origins, preflight caching is configured appropriately, and the CORS configuration cannot be bypassed by manipulating the Origin header. Show me the current CORS configuration and the secure version for my framework.

Review my CI/CD pipeline and deployment process for security vulnerabilities. Check that: secrets are not stored in code repositories or CI configuration files, build artifacts do not include development dependencies, Docker images use minimal base images and run as non-root users, deployment credentials use least-privilege access, and there are no publicly accessible deployment endpoints (like webhook URLs without authentication). Provide specific fixes for each issue found.

Perform a comprehensive security review of my entire application. Act as a senior penetration tester. Check for the OWASP Top 10 vulnerabilities: broken access control, cryptographic failures, injection, insecure design, security misconfiguration, vulnerable and outdated components, identification and authentication failures, software and data integrity failures, security logging and monitoring failures, and server-side request forgery. For each category, list specific findings in my code with severity ratings and remediation steps. Prioritize findings by risk level.

Search my entire codebase for hardcoded secrets, API keys and credentials. Look for: strings that match API key patterns (sk_, pk_, key_, token_, secret_), database connection strings with embedded passwords, AWS access keys (AKIA...), private keys or certificates stored in code, .env files committed to the repository, and any configuration files that contain credentials. For each finding, show the file, line number and a secure alternative using environment variables.

Review my application's security logging and monitoring. Check that: failed authentication attempts are logged with IP address and timestamp, authorization failures are logged, sensitive data is never written to logs (no passwords, tokens or PII), logs are stored in a location separate from the application, log injection attacks are prevented by sanitizing user input before logging, and there is a mechanism to alert on suspicious patterns like multiple failed logins from one IP. Provide the logging configuration needed for my framework.

Review this codebase for compliance with our organization's security standards. Check for: data classification labels on all database fields storing PII, encryption at rest for all sensitive data, audit trails for data access and modification, data retention policies implemented in code, consent management for data collection, and cross-border data transfer controls if applicable. Generate a compliance gap report organized by regulation (PIPEDA, GDPR, SOC 2) with specific code references and remediation priority.

Audit this codebase for intellectual property leakage risks when using AI coding tools. Check for: proprietary business logic exposed in AI tool prompts or logs, API endpoints that return proprietary algorithms or models, client code that contains trade secrets, configuration files that reveal infrastructure architecture, and any code comments that reference internal processes or systems. Recommend isolation strategies for sensitive code that should not be processed by AI tools.

Generate a security architecture review for this application. Document: all trust boundaries in the system, data flows between components with sensitivity classification, external service dependencies and their security posture, authentication and authorization mechanisms at each boundary, encryption in transit and at rest for each data flow, and single points of failure. Output as a structured report that can be reviewed by a security team or auditor. Flag any architectural decisions that introduce unnecessary risk.

Review all user input handling in my application. For every form field, API parameter and URL parameter, check that: input is validated on the server side (not just client side), input length is bounded to prevent buffer overflow and denial of service, special characters are properly escaped before database queries, HTML output and file paths, file uploads are restricted by type, size and content (not just extension), and there is no path traversal vulnerability in file operations. Show every input point and its current validation status.

Audit my application for Cross-Site Scripting (XSS) vulnerabilities. Check every location where user-supplied data is rendered in HTML. Verify that: output encoding is applied consistently (HTML entities for HTML context, JavaScript encoding for script context, URL encoding for URL context), React's dangerouslySetInnerHTML or equivalent is not used with user input, user-generated content displayed in emails or PDFs is sanitized, and Content-Security-Policy headers restrict inline scripts. Show each vulnerable output point and the fix.

Review my session management implementation for security vulnerabilities. Check that: session IDs are cryptographically random (minimum 128 bits of entropy), session cookies use Secure, HttpOnly and SameSite=Strict attributes, sessions expire after a reasonable period of inactivity (recommended 30 minutes for sensitive apps), session IDs are regenerated after authentication to prevent session fixation, concurrent session limits are enforced where appropriate, and logout actually invalidates the session server-side (not just deleting the client cookie). Show the current implementation and required fixes.

Audit my JWT (JSON Web Token) implementation if applicable. Check that: tokens have a reasonable expiration time (access tokens under 15 minutes, refresh tokens under 7 days), the signing algorithm is explicitly set (no "alg: none" vulnerability), the secret key is strong (minimum 256 bits) and stored securely, tokens are validated on every request (not just on login), refresh token rotation is implemented (old refresh tokens are invalidated when a new one is issued), and tokens contain only the minimum claims needed. Show security issues and fixes.

Audit all dependencies in my package.json (or requirements.txt or composer.json). For each dependency check: does this package actually exist on the official registry (npm, PyPI, Packagist), is the package name spelled correctly (check for typosquatting), does the package have a reasonable number of downloads and a maintained repository, are there any known vulnerabilities reported in the package (check npm audit, pip-audit or similar), is the version pinned to avoid unexpected updates, and are there any packages that could be replaced with built-in language features? Flag any suspicious or unnecessary dependencies.

Review my dependency lock file (package-lock.json, yarn.lock, poetry.lock, composer.lock) and verify that: a lock file exists and is committed to version control, all dependency versions are pinned to exact versions, there are no integrity hash mismatches, dev dependencies are not included in production builds, and the total dependency count is reasonable for the application's functionality. Also check if any dependencies request excessive permissions (file system access, network access, native code execution) relative to their stated purpose.

Review my application's error handling for information disclosure vulnerabilities. Check that: production error responses return generic messages (not stack traces, file paths or database schemas), API errors return consistent JSON format with appropriate HTTP status codes, unhandled exceptions are caught by a global error handler, error logging captures full details server-side without exposing them to the client, database error messages are not passed through to users, and custom error pages are configured for 404, 403 and 500 responses. Show every location where detailed errors could leak to users and provide the secure error handling pattern for my framework.