Secure Coding

Comprehensive guidance for writing secure code, covering OWASP Top 10 2025, CWE Top 25, and language-specific security patterns.

When to Use This Skill

Use this skill when:

Reviewing code for security vulnerabilities
Implementing input validation or output encoding
Learning about common security weaknesses (OWASP, CWE)
Fixing identified security issues
Writing security-sensitive code (authentication, authorization, data handling)
Conducting security code reviews

OWASP Top 10 2025 Quick Reference

Rank	Vulnerability	Key Mitigation
A01	Broken Access Control	Server-side access checks, deny by default, CORS restrictions
A02	Security Misconfiguration	Hardened configs, remove defaults, disable unnecessary features
A03	Software Supply Chain Failures	SCA, SBOM, verify dependencies, integrity checks
A04	Cryptographic Failures	Strong encryption (AES-256), TLS 1.2+, no deprecated algorithms
A05	Injection	Parameterized queries, input validation, context-aware encoding
A06	Insecure Design	Threat modeling, secure design patterns, defense in depth
A07	Authentication Failures	MFA, strong passwords, secure session management
A08	Data Integrity Failures	Digital signatures, integrity verification, secure CI/CD
A09	Logging & Alerting Failures	Centralized logging, anomaly detection, audit trails
A10	Mishandling Exceptions	Fail securely, generic error messages, complete exception handling

For detailed mitigations: See OWASP Top 10 2025 Reference

Core Secure Coding Principles

1. Input Validation

Never trust user input. Validate all inputs on the server side.

using System.Text.RegularExpressions;

// Good: Server-side validation with allowlist
public static partial class InputValidation
{
    [GeneratedRegex(@"^[a-zA-Z0-9_]{3,20}$")]
    private static partial Regex UsernamePattern();

    /// <summary>
    /// Validate username against allowlist pattern.
    /// </summary>
    public static bool ValidateUsername(string username) =>
        !string.IsNullOrEmpty(username) && UsernamePattern().IsMatch(username);
}

// Bad: No validation
public string ProcessUsername(string username) => username;  // Dangerous!

Validation strategies:

Allowlist validation: Define what IS allowed (preferred)
Blocklist validation: Define what is NOT allowed (less secure)
Type checking: Ensure correct data types
Range checking: Verify values within expected bounds
Length limits: Prevent buffer overflows and DoS

2. Output Encoding

Encode output based on context to prevent injection attacks.

Context	Encoding Method	Example
HTML body	HTML entity encoding	`<script>`
HTML attributes	Attribute encoding	`'` for `'`
JavaScript	JavaScript encoding	`\x3Cscript\x3E`
URL parameters	URL encoding	`%3Cscript%3E`
CSS	CSS encoding	`\3C script\3E`
SQL	Parameterized queries	Use prepared statements

3. Parameterized Queries (Injection Prevention)

Always use parameterized queries for database operations.

// Good: Parameterized query with SqlCommand
using var cmd = new SqlCommand(
    "SELECT * FROM Users WHERE Username = @username AND Status = @status",
    connection);
cmd.Parameters.AddWithValue("@username", username);
cmd.Parameters.AddWithValue("@status", status);

// Good: Parameterized query with Dapper
var users = await connection.QueryAsync<User>(
    "SELECT * FROM Users WHERE Username = @Username AND Status = @Status",
    new { Username = username, Status = status });

// Bad: String interpolation (SQL Injection vulnerable)
var query = $"SELECT * FROM Users WHERE Username = '{username}'";  // VULNERABLE

4. Authentication Security

Use strong password hashing: Argon2id, bcrypt, scrypt (see cryptography skill)
Implement MFA: Time-based OTP, hardware keys, passkeys
Secure session management: HttpOnly cookies, secure flag, short expiration
Account lockout: Prevent brute force attacks
Credential storage: Never store plaintext passwords

5. Authorization Security

Deny by default: Require explicit permission grants
Server-side checks: Never rely on client-side authorization
Verify object ownership: Check user can access requested resource
Use indirect references: Map internal IDs to user-specific references
Implement RBAC/ABAC: Use structured access control models

6. Error Handling

// Good: Generic error message to user, detailed logging
public async Task<IActionResult> ProcessData([FromBody] DataRequest request)
{
    try
    {
        await _dataService.ProcessSensitiveDataAsync(request.Data);
        return Ok();
    }
    catch (DbException ex)
    {
        _logger.LogError(ex, "Database error processing request for user {UserId}", User.GetUserId());
        return StatusCode(500, new { error = "An error occurred" });
    }
}

// Bad: Exposing internal details
catch (DbException ex)
{
    return StatusCode(500, new { error = ex.Message });  // VULNERABLE - exposes internals
}

Error handling rules:

Return generic error messages to users
Log detailed errors server-side
Never expose stack traces, database errors, or internal paths
Fail securely (deny access on error)

Language-Specific Patterns

JavaScript/TypeScript

// XSS Prevention - use textContent, not innerHTML
element.textContent = userInput;  // Safe
element.innerHTML = userInput;    // VULNERABLE

// Use DOMPurify for HTML that must be rendered
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);

// Avoid eval() and Function()
eval(userInput);           // VULNERABLE
new Function(userInput)(); // VULNERABLE

// Use strict mode
'use strict';

C# / .NET

// Safe process execution - use argument list, avoid shell
using System.Diagnostics;

public static async Task<string> SafeExecuteAsync(string command, params string[] args)
{
    using var process = new Process
    {
        StartInfo = new ProcessStartInfo
        {
            FileName = command,
            RedirectStandardOutput = true,
            RedirectStandardError = true,
            UseShellExecute = false,  // Safe: no shell interpretation
            CreateNoWindow = true
        }
    };

    foreach (var arg in args)
        process.StartInfo.ArgumentList.Add(arg);  // Safe: no shell escaping needed

    process.Start();
    var output = await process.StandardOutput.ReadToEndAsync();
    await process.WaitForExitAsync();
    return output;
}

// Bad: Shell injection vulnerable
Process.Start("cmd", $"/c dir {userInput}");  // VULNERABLE

// Safe file operations - prevent path traversal
public static class SafeFileAccess
{
    /// <summary>
    /// Safely read a file, preventing path traversal attacks.
    /// </summary>
    public static string SafeReadFile(string baseDir, string filename)
    {
        var basePath = Path.GetFullPath(baseDir);
        var filePath = Path.GetFullPath(Path.Combine(baseDir, filename));

        if (!filePath.StartsWith(basePath, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path traversal detected");

        return File.ReadAllText(filePath);
    }
}

// Use parameterized queries with Entity Framework
var users = context.Users
    .Where(u => u.Username == username)  // Safe - parameterized
    .ToList();

// Avoid raw SQL when possible, use parameters if needed
var users = context.Users
    .FromSqlRaw("SELECT * FROM Users WHERE Username = {0}", username)
    .ToList();

// Anti-forgery tokens for CSRF protection
[ValidateAntiForgeryToken]
public IActionResult UpdateProfile(ProfileModel model)
{
    // Process update
}

// Input validation with data annotations
public sealed class UserInput
{
    [Required]
    [StringLength(100, MinimumLength = 3)]
    [RegularExpression(@"^[a-zA-Z0-9_]+$")]
    public required string Username { get; init; }
}

Security Code Review Checklist

Input Handling

All inputs validated on server side
Allowlist validation used where possible
Length limits enforced
Type checking performed
File uploads validated (type, size, content)

Output Encoding

Context-appropriate encoding applied
No raw user input in HTML/JS/SQL
Content-Type headers set correctly
X-Content-Type-Options: nosniff

Authentication

Strong password hashing (Argon2id/bcrypt)
Session tokens are random and unpredictable
Session invalidation on logout
Account lockout after failed attempts
Credentials transmitted over HTTPS only

Authorization

Access control on every request
Deny by default policy
Object-level authorization checks
No direct object references exposed

Data Protection

Sensitive data encrypted at rest
TLS 1.2+ for data in transit
No sensitive data in URLs or logs
Proper key management

Error Handling

Generic error messages to users
Detailed errors logged securely
No stack traces exposed
Fail securely (deny on error)

Quick Decision Tree

What security concern are you addressing?

SQL/NoSQL injection → Use parameterized queries, ORMs
XSS (Cross-Site Scripting) → Context-aware output encoding, CSP
CSRF → Anti-forgery tokens, SameSite cookies
Authentication → See authentication-patterns skill
Authorization → See authorization-models skill
Cryptography → See cryptography skill
Secrets/Credentials → See secrets-management skill
API Security → See api-security skill

References

OWASP Top 10 2025 Detailed Reference - Complete mitigations and examples
CWE Top 25 Reference - Most dangerous software weaknesses
Language-Specific Patterns - Per-language security guides

Related Skills

Skill	Relationship
`authentication-patterns`	Auth implementation details (JWT, OAuth, Passkeys)
`authorization-models`	Access control (RBAC, ABAC)
`cryptography`	Encryption, hashing, TLS
`api-security`	API-specific security patterns
`secrets-management`	Credential and secret handling

Version History

v1.0.0 (2025-12-26): Initial release with OWASP Top 10 2025, core principles

Last Updated: 2025-12-26

secure-coding