Security checklist (development)
Purpose: The developer-level security gate for every feature — the deep material lives in Security & Governance.
Who this page is for
| Audience | Why it matters to you |
|---|---|
| All engineers | Tick per feature; auditors will ask |
Input & output
- [ ] All HTL output uses appropriate contexts;
unsafeabsent or signed off (XSS & HTL contexts) - [ ] RTE/user-supplied HTML rendered via context='html' (sanitised) only
- [ ] Servlet/selector/suffix/query input validated; no path injection into resolver lookups
- [ ] POST endpoints CSRF-protected (framework token); no state changes on GET
AuthN/AuthZ
- [ ] New paths carry correct ACLs on author AND publish (anonymous read only where intended)
- [ ] Service users minimal, per purpose; no admin sessions (service users)
- [ ] No privilege decisions in JS/HTL only — server enforces
Data
- [ ] No PII in logs, analytics events, or cached URLs (PII handling)
- [ ] Secrets via the secrets mechanism; none in repo, code or dialog defaults
- [ ] Form submissions transported and stored per data classification
Delivery
- [ ] Dispatcher filters cover new endpoints (deny default holds); selectors pinned
- [ ] No new admin/console paths exposed; raw .json depths blocked (dispatcher security)
- [ ] Security headers intact on new responses (TLS & headers)
Dependencies
- [ ] New libraries scanned (OWASP dependency check / your SCA tool) and versions pinned
- [ ] Frontend deps audited; SRI on third-party scripts where applicable