
Owasp

OWASP Top 10 security practices and secure coding patterns.

Added 12/19/2025

Works with: cursor

Install via CLI:

```
$ openskills install duthaho/claudekit
```

Files: SKILL.md
# OWASP Security

## Description

OWASP Top 10 security practices and secure coding patterns.

## When to Use

- Security code reviews
- Implementing authentication
- Handling user input

---

## Core Patterns

### Input Validation

```python
# Always validate and sanitize: declare the shape of expected input and let the
# model reject anything that does not match before it reaches business logic.
# (EmailStr needs the email-validator package installed.)
from pydantic import BaseModel, EmailStr, Field

class UserInput(BaseModel):
    email: EmailStr                                    # syntactically valid e-mail
    name: str = Field(min_length=1, max_length=100)    # bounded length

# UserInput(email="not-an-email", name="") raises pydantic.ValidationError
```

### SQL Injection Prevention

```python
# Never concatenate user input into SQL text
# Bad: user_id becomes part of the statement the database parses
query = f"SELECT * FROM users WHERE id = {user_id}"

# Good - parameterized: the driver sends the value separately from the
# statement, so it is only ever treated as data. %s is the paramstyle of
# drivers such as psycopg2 and mysqlclient; sqlite3 uses ? instead.
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```
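The two sections above (validate the shape of the input, then bind it as a parameter instead of splicing it into SQL) shown end to end on a constructed in-memory SQLite table. This is an added example, not code from the skill; `users`, `parse_user_id`, `lookup_concat`, `lookup_param` and `safe_lookup` are assumed names.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed sample table for the demonstration (not a real schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice@example.com"), (2, "bob@example.com")])
    return conn

def parse_user_id(raw: str) -> int:
    # Input validation layer: an id is a positive decimal integer and nothing
    # else. Anything that is not exactly that is rejected before reaching the DB.
    if not re.fullmatch(r"[1-9][0-9]*", raw):
        raise ValueError(f"invalid user id: {raw!r}")
    return int(raw)

def lookup_concat(conn: sqlite3.Connection, user_id: str) -> list:
    # Deliberately unsafe (the "Bad" pattern above): the caller's text becomes
    # part of the SQL the database parses, so it can rewrite the WHERE clause.
    return conn.execute(
        f"SELECT id, email FROM users WHERE id = {user_id}").fetchall()

def lookup_param(conn: sqlite3.Connection, user_id) -> list:
    # Parameterized: the value is bound separately from the statement and is
    # only ever compared as data. sqlite3 uses ? where psycopg2 uses %s.
    return conn.execute(
        "SELECT id, email FROM users WHERE id = ?", (user_id,)).fetchall()

def safe_lookup(conn: sqlite3.Connection, raw: str) -> list:
    # Defence in depth: validate first, then bind. Either layer alone stops the
    # hostile input below; together they also give a clean error path.
    return lookup_param(conn, parse_user_id(raw))

if __name__ == "__main__":
    db = make_db()
    hostile = "1 OR 1=1"                  # constructed hostile input
    print(lookup_concat(db, hostile))     # both rows: the clause was rewritten
    print(lookup_param(db, hostile))      # []: compared as a literal string
    print(safe_lookup(db, "2"))           # [(2, 'bob@example.com')]
```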

### XSS Prevention

```typescript
// Never use innerHTML with user data
// Bad: the string is parsed as HTML, so any markup in userInput becomes live DOM
element.innerHTML = userInput;

// Good: textContent stores the string as text, so it is rendered verbatim
element.textContent = userInput;
```

### Authentication

```python
# Hash passwords properly: a slow, salted, memory-hard hash, never plain text
# or a fast digest. (passlib's argon2 handler needs the argon2-cffi package.)
from passlib.hash import argon2

password = "correct horse battery staple"   # example value only

hashed = argon2.hash(password)               # random salt and parameters are encoded in the string
verified = argon2.verify(password, hashed)   # True only for the matching password
```

## Security Checklist

- [ ] Input validation on all user data
- [ ] Parameterized queries
- [ ] Output encoding
- [ ] Strong password hashing
- [ ] Secure session management
- [ ] HTTPS everywhere
- [ ] Security headers configured

## Common Pitfalls

- **Trusting user input**: Always validate
- **SQL concatenation**: Use parameters
- **Storing plain passwords**: Use argon2/bcrypt
