
SECURITY REFERENCE

SECURITY, HEADERS & ENCRYPTION CHEATSHEET

An offline search dashboard outlining OWASP security remediations, secure HTTP response header syntaxes, cryptographic APIs, and secure application practices.

OWASP Top 10 Safeguards (5 entries)

SQL Injection Prevention

Ensure raw input is never concatenated into SQL strings. Use parameterized queries/prepared statements.

SYNTAX / DIRECTIVES:
db.query('SELECT * FROM users WHERE id = ?', [userId])
SECURE CODE IMPLEMENTATION:
// Safe:
const query = 'SELECT * FROM users WHERE id = ?';
await connection.execute(query, [req.query.id]);
COMMON SECURITY PITFALL:

Using template literals: `SELECT * FROM users WHERE id = ${req.query.id}`, which hands the raw value to the SQL parser, so an injection payload can alter the query itself and read other tables and schemas.

XSS (Cross-Site Scripting) Defense

Escape all untrusted data before rendering it in the HTML DOM, or use libraries that do it automatically.

SYNTAX / DIRECTIVES:
text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#39;')
SECURE CODE IMPLEMENTATION:
const cleanInput = DOMPurify.sanitize(userInput);
document.getElementById('output').innerHTML = cleanInput;
COMMON SECURITY PITFALL:

Using dangerouslySetInnerHTML or innerHTML directly on raw inputs from search query parameters or user profiles.

IDOR / BOLA Prevention

Insecure Direct Object Reference / Broken Object Level Authorization. Never trust user-provided IDs without verifying ownership.

SYNTAX / DIRECTIVES:
if (resource.ownerId !== currentUser.id) throw new UnauthorizedError();
SECURE CODE IMPLEMENTATION:
// Safe:
const document = await Document.findById(req.params.id);
if (!document || document.ownerId !== req.user.id) {
  return res.status(403).send('Access denied');
}
COMMON SECURITY PITFALL:

Relying on client-side route guards or URL obfuscation to protect access to private files or sensitive data records.

SSRF (Server-Side Request Forgery) Defense

Sanitize and validate user-supplied URLs against an allowlist before making requests from the backend server.

SYNTAX / DIRECTIVES:
if (!allowedDomains.includes(parsedUrl.hostname)) throw new Error('Untrusted domain');
SECURE CODE IMPLEMENTATION:
// Safe:
const targetUrl = new URL(req.body.url); // throws on malformed input
// Pin the scheme as well; a hostname allowlist alone still admits other protocols.
if (targetUrl.protocol !== 'https:') {
  throw new Error('Forbidden Scheme');
}
const allowedHosts = ['api.partner.com', 'images.partner.com'];
if (!allowedHosts.includes(targetUrl.hostname)) {
  throw new Error('Forbidden Destination');
}
// Redirects are not re-checked against the allowlist; refuse to follow them.
await axios.get(targetUrl.href, { maxRedirects: 0 });
COMMON SECURITY PITFALL:

Making raw HTTP fetch calls to user-submitted URLs directly, enabling attackers to probe internal loopback services like localhost/metadata.
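A stricter form of the allowlist check above, added here as an example (it is not part of the cheatsheet): besides the hostname it pins the scheme and port and rejects embedded credentials, so look-alike hosts and userinfo tricks are refused before any request is made. The allowlist hosts are taken from the snippet above; the sample inputs are constructed.

```javascript
// Constructed allowlist (same hosts as the cheatsheet snippet).
const ALLOWED_HOSTS = new Set(['api.partner.com', 'images.partner.com']);

// Returns { ok: true, href } for an acceptable URL, or { ok: false, reason }.
function checkOutboundUrl(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: 'malformed URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL not allowed' };
  }
  // URL lowercases the hostname, so the set lookup is exact and case-insensitive.
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not in allowlist` };
  }
  if (url.port !== '') { // '' means the scheme default (443 for https)
    return { ok: false, reason: 'non-default port not allowed' };
  }
  return { ok: true, href: url.href };
}

// Constructed inputs showing what the check does with each shape.
const samples = [
  'https://api.partner.com/v1/items',       // ok
  'https://API.PARTNER.COM/v1/items',       // ok, hostname is normalised
  'https://api.partner.com.evil.example/',  // look-alike host
  'https://api.partner.com@127.0.0.1/',     // userinfo in front of the real host
  'http://api.partner.com/',                // plain HTTP
  'https://api.partner.com:8443/',          // non-default port
  'not a url',
];
for (const s of samples) console.log(s, '->', checkOutboundUrl(s));
```

The check covers the URL as submitted; redirect targets have to be re-checked at each hop (or redirects refused) for the allowlist to hold.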

JWT Signature Validation

Ensure JWTs are verified on the server with a strong key, a pinned algorithm, and expiration checks.

SYNTAX / DIRECTIVES:
jwt.verify(token, secretKey, { algorithms: ['HS256'] })
SECURE CODE IMPLEMENTATION:
// Safe:
const decoded = jwt.verify(token, process.env.JWT_SECRET, {
  algorithms: ['HS256'],
  issuer: 'my-app-auth'
});
COMMON SECURITY PITFALL:

Using jwt.decode() instead of jwt.verify(): decode() only parses the header and payload fields and never checks whether the token signature is valid.

HTTP Security Headers (5 entries)

Content Security Policy (CSP)

Restricts resources (such as JavaScript, CSS, Images) that the browser is allowed to load for a given page.

SYNTAX / DIRECTIVES:
Content-Security-Policy: default-src 'self'; script-src 'self' https://trustedscripts.com
SECURE CODE IMPLEMENTATION:
res.setHeader(
  'Content-Security-Policy',
  "default-src 'self'; img-src 'self' data:; script-src 'self'"
);
COMMON SECURITY PITFALL:

Using 'unsafe-inline' or '*' in script-src (or in the default-src it falls back to), which completely defeats the anti-XSS protection of CSP.
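A check for that pitfall, added here as an example (not from the cheatsheet): it parses a CSP header value, resolves the script-src to default-src fallback the way a browser does, and lists the sources that weaken script protection. The sample policies are constructed.

```javascript
// Sources that let arbitrary or inline script run when they appear in script-src.
const RISKY_SCRIPT_SOURCES = new Set(["'unsafe-inline'", "'unsafe-eval'", '*', 'http:', 'https:', 'data:']);

// Splits "name src src; name src" into a Map of directive name -> source list.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const raw of headerValue.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // First occurrence wins; browsers ignore a repeated directive.
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Returns { directive, risky }: which directive governs scripts and its weak sources.
function auditScriptSources(headerValue) {
  const policy = parseCsp(headerValue);
  // script-src falls back to default-src; with neither, any script can run.
  const effective = policy.get('script-src') ?? policy.get('default-src');
  if (effective === undefined) return { directive: null, risky: ['(no script-src or default-src)'] };
  const directive = policy.has('script-src') ? 'script-src' : 'default-src';
  // When a nonce or hash source is present, browsers that support them ignore
  // 'unsafe-inline', so it is only a compatibility fallback there.
  const hasNonceOrHash = effective.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  const risky = effective.filter((s) => {
    const src = s.toLowerCase();
    if (src === "'unsafe-inline'" && hasNonceOrHash) return false;
    return RISKY_SCRIPT_SOURCES.has(src);
  });
  return { directive, risky };
}

// Constructed policies; the second one is the pitfall from the entry above.
const SAMPLE_POLICIES = [
  "default-src 'self'; script-src 'self' https://trustedscripts.com",
  "default-src 'self'; script-src 'self' 'unsafe-inline' *",
  "default-src *",
  "script-src 'nonce-abc123' 'unsafe-inline' 'strict-dynamic'",
];
for (const p of SAMPLE_POLICIES) console.log(p, '=>', auditScriptSources(p));
```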

HSTS (Strict-Transport-Security)

Forces browser connections to happen securely over HTTPS instead of HTTP.

SYNTAX / DIRECTIVES:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
SECURE CODE IMPLEMENTATION:
res.setHeader(
  'Strict-Transport-Security',
  'max-age=63072000; includeSubDomains; preload'
);
COMMON SECURITY PITFALL:

Setting a short max-age (which gives little protection), or enabling includeSubDomains without first testing every subdomain over HTTPS, which can lock users out of subdomains that still serve legacy HTTP APIs.

X-Frame-Options

Prevents clickjacking attacks by dictating whether pages can be embedded within frame tags on external websites.

SYNTAX / DIRECTIVES:
X-Frame-Options: DENY | SAMEORIGIN
SECURE CODE IMPLEMENTATION:
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
COMMON SECURITY PITFALL:

Neglecting to declare X-Frame-Options (or the CSP frame-ancestors directive that supersedes it), letting bad actors overlay transparent clickable layers on your page.

X-Content-Type-Options

Forces the browser to respect content-type headers, preventing MIME-type sniffing vulnerabilities.

SYNTAX / DIRECTIVES:
X-Content-Type-Options: nosniff
SECURE CODE IMPLEMENTATION:
res.setHeader('X-Content-Type-Options', 'nosniff');
COMMON SECURITY PITFALL:

Forgetting to set 'nosniff', which lets browsers sniff uploaded user text or HTML assets and execute them as scripts or stylesheets.

Referrer-Policy

Controls how much referrer information (such as paths or search queries) is sent when navigating to external websites.

SYNTAX / DIRECTIVES:
Referrer-Policy: no-referrer | same-origin | strict-origin-when-cross-origin
SECURE CODE IMPLEMENTATION:
res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
COMMON SECURITY PITFALL:

Using Referrer-Policy 'unsafe-url', which leaks sensitive query tokens (e.g. password-reset links) to external analytics scripts.

Hashing & Cryptography (4 entries)

Password Hashing (bcrypt)

Never store plain text passwords. Use standard slow hashing functions like bcrypt or Argon2 with high cost factors.

SYNTAX / DIRECTIVES:
bcrypt.hash(password, saltRounds)
SECURE CODE IMPLEMENTATION:
const hash = await bcrypt.hash(rawPassword, 12);
const matches = await bcrypt.compare(inputPassword, hash);
COMMON SECURITY PITFALL:

Using fast hashing algorithms like MD5, SHA-1, or SHA-256 for passwords, which are easily cracked via dictionary attacks or GPUs.

Symmetric Encryption (AES-GCM)

Use Advanced Encryption Standard (AES) with Galois/Counter Mode (GCM) for authenticated encryption and decryption of sensitive data.

SYNTAX / DIRECTIVES:
crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, data)
SECURE CODE IMPLEMENTATION:
const textEncoder = new TextEncoder();
// aesKey: a CryptoKey from crypto.subtle.generateKey or importKey with the 'encrypt' usage
const iv = crypto.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV for every message
const cipher = await crypto.subtle.encrypt(
  { name: 'AES-GCM', iv },
  aesKey,
  textEncoder.encode(secretData)
);
// Store or send iv alongside cipher; it is needed to decrypt and does not need to be secret.
COMMON SECURITY PITFALL:

Reusing Initialization Vectors (IVs) or using insecure encryption modes like AES-ECB, which leak patterns in encrypted data.

CSRF Mitigation (SameSite Cookies)

Use anti-CSRF tokens or enforce strict SameSite attributes on cookies to prevent cross-site request forgery attacks.

SYNTAX / DIRECTIVES:
Set-Cookie: session=xyz; SameSite=Lax; Secure; HttpOnly
SECURE CODE IMPLEMENTATION:
res.cookie('sessionId', token, {
  httpOnly: true,
  secure: true,
  sameSite: 'lax'
});
COMMON SECURITY PITFALL:

Leaving SameSite as 'None' without adding CSRF tokens, allowing cross-site clicks to make state-changing GET/POST requests silently.

Cryptographically Secure Randoms

Always use cryptographically secure pseudorandom number generators (CSPRNG) for sensitive keys, IDs, or tokens.

SYNTAX / DIRECTIVES:
crypto.randomBytes(size) | crypto.getRandomValues(typedArray)
SECURE CODE IMPLEMENTATION:
// Node.js:
const token = crypto.randomBytes(32).toString('hex');
// Browser Web Crypto:
const array = new Uint32Array(10);
window.crypto.getRandomValues(array);
COMMON SECURITY PITFALL:

Using Math.random() to generate session IDs, passwords, or salts; it is not a CSPRNG, and its output is predictable enough for an attacker to reconstruct such values.

API Security & Rate Limiting (2 entries)

Rate Limiting

Limit the number of requests a client can make in a given timeframe to prevent DoS attacks and brute-force logins.

SYNTAX / DIRECTIVES:
rateLimit({ windowMs: 15 * 60 * 1000, limit: 100 })
SECURE CODE IMPLEMENTATION:
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  limit: 100, // limit each IP to 100 requests per window (the option is named `max` in older express-rate-limit versions)
  message: 'Too many requests from this IP'
});
app.use('/api/', limiter);
COMMON SECURITY PITFALL:

Rate-limiting with in-process memory in stateless cluster environments, which lets clients exceed the limit by spreading their requests across different instances.
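The cluster pitfall made concrete, as an added example (not the cheatsheet's or express-rate-limit's code): a small fixed-window limiter whose counter store is injectable, run once with a store per instance and once with a single shared store. MemoryStore, RateLimiter, the fixed clock and the client address are constructed for the demonstration.

```javascript
// The store is the only part that changes between one process and a cluster:
// per-instance memory gives every instance its own quota, a shared store
// (for example Redis INCR with an expiry) gives one quota per client.
class MemoryStore {
  constructor() { this.counts = new Map(); }
  // Returns the count for `key` within `windowId` after incrementing it.
  increment(key, windowId) {
    const k = `${key}:${windowId}`;
    const n = (this.counts.get(k) ?? 0) + 1;
    this.counts.set(k, n);
    return n;
  }
}

class RateLimiter {
  constructor({ windowMs, limit, store, now = () => Date.now() }) {
    Object.assign(this, { windowMs, limit, store, now });
  }
  // Returns { allowed, remaining } for one request from `clientKey`.
  check(clientKey) {
    const windowId = Math.floor(this.now() / this.windowMs);
    const count = this.store.increment(clientKey, windowId);
    return { allowed: count <= this.limit, remaining: Math.max(0, this.limit - count) };
  }
}

// Simulates `instances` servers behind a load balancer that round-robins one
// client's requests, and returns how many of `requests` got through. With a
// shared store the answer is the limit; with per-instance stores, up to N * limit.
function allowedAcrossCluster(instances, requests, { shared }) {
  const sharedStore = new MemoryStore();
  const fixedClock = () => 1_000_000; // constructed: every request lands in one window
  const limiters = Array.from({ length: instances }, () =>
    new RateLimiter({ windowMs: 15 * 60 * 1000, limit: 100,
                      store: shared ? sharedStore : new MemoryStore(), now: fixedClock }));
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    if (limiters[i % instances].check('203.0.113.7').allowed) allowed++; // constructed client IP
  }
  return allowed;
}

console.log(allowedAcrossCluster(3, 300, { shared: true }));  // 100
console.log(allowedAcrossCluster(3, 300, { shared: false })); // 300
```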

CORS Origin Policy

Restrict client-side cross-origin access to your APIs. Maintain a strict allowlist of origins instead of allowing any domain.

SYNTAX / DIRECTIVES:
Access-Control-Allow-Origin: https://trustedapp.com
SECURE CODE IMPLEMENTATION:
const corsOptions = {
  origin: ['https://opendevhub.com', 'https://admin.opendevhub.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  credentials: true
};
app.use(cors(corsOptions));
COMMON SECURITY PITFALL:

Setting 'Access-Control-Allow-Origin: *' combined with 'Access-Control-Allow-Credentials: true', which is an invalid and highly insecure CORS policy.