Security-Focused Prompts

SITUATION: [Describe the system, existing architecture, and security context]
CHALLENGE: Create [describe component] that prioritizes security while ensuring functionality
AUDIENCE: Development team with security requirements for [specific compliance/security standard]
FORMAT:
- Implement proper input validation for all external data
- Use parameterized queries for all database operations
- Apply the principle of least privilege throughout
- Include comprehensive error handling that doesn't leak sensitive information
- Add security-focused comments explaining protection mechanisms
FOUNDATIONS:
- Follow OWASP Top 10 mitigation strategies
- Implement proper authentication and authorization checks
- Validate all inputs with appropriate sanitization
- Use secure cryptographic practices where needed
- Handle sensitive data according to [relevant compliance standards]
- Include security-focused logging without exposing sensitive information

SITUATION: Building an authentication system for [describe application] using [specify technology stack]
CHALLENGE: Create a secure authentication system that protects against common authentication vulnerabilities
AUDIENCE: Security-conscious development team with compliance requirements
FORMAT:
- Implement industry standard authentication patterns
- Include comprehensive security controls
- Use clear, security-focused function naming
- Document security considerations and protections
- Implement proper separation of authentication concerns
FOUNDATIONS:
- Use secure password hashing with appropriate algorithms (bcrypt/Argon2/PBKDF2)
- Implement proper password policies and validation
- Include protection against brute force attacks (rate limiting, account lockout)
- Add multi-factor authentication support
- Implement secure session management
- Add CSRF protection for authentication forms
- Ensure secure credential storage and transmission
- Include protections against common authentication bypasses
SPECIFIC REQUIREMENTS:
- Never store passwords in plaintext or using weak hashing
- Implement secure password reset functionality
- Ensure authentication state cannot be manipulated
- Include comprehensive logging of authentication events
- Add secure remember-me functionality if required

SITUATION: Creating data access components for [describe application] using [specify database technology]
CHALLENGE: Implement secure data access that protects against injection attacks and unauthorized access
AUDIENCE: Developers who need to access data securely
FORMAT:
- Use repository pattern with security best practices
- Implement proper parameterization for all queries
- Include access control checks at the data layer
- Document security considerations for each operation
FOUNDATIONS:
- Use parameterized queries exclusively (no string concatenation)
- Implement proper input validation before database operations
- Add row-level security where appropriate
- Include proper error handling that doesn't leak information
- Implement least privilege database access
- Add proper connection security (TLS, authentication)
- Use secure credential management for database access
SPECIFIC REQUIREMENTS:
- Prevent SQL/NoSQL injection in all forms
- Implement proper transaction management
- Add data access audit logging
- Include protection against excessive data exposure

SITUATION: Developing a [public/internal] API for [describe purpose] using [specify technology]
CHALLENGE: Create a secure API that protects against common API vulnerabilities
AUDIENCE: Developers consuming the API and security reviewers
FORMAT:
- Follow RESTful/GraphQL security best practices
- Implement comprehensive authentication and authorization
- Include proper input validation and output encoding
- Document security features and requirements
FOUNDATIONS:
- Implement proper authentication (API keys, OAuth, JWT as appropriate)
- Add authorization checks for all endpoints
- Include rate limiting and throttling
- Implement proper CORS configuration
- Add security headers in responses
- Use HTTPS for all endpoints
- Implement proper input validation
- Include secure error handling
SPECIFIC REQUIREMENTS:
- Protect against OWASP API Top 10 vulnerabilities
- Implement proper token validation and handling
- Add protection against parameter tampering
- Include security-focused logging
- Implement API versioning securely

SITUATION: Building frontend components for [describe application] using [specify framework]
CHALLENGE: Create secure frontend implementations that protect against client-side vulnerabilities
AUDIENCE: Frontend developers with security responsibilities
FORMAT:
- Implement secure rendering practices
- Use proper output encoding for all dynamic content
- Include client-side validation (in addition to server-side)
- Document security considerations for component usage
FOUNDATIONS:
- Protect against Cross-Site Scripting (XSS)
- Implement proper CSRF protection for forms
- Use secure localStorage/sessionStorage practices
- Add proper Content Security Policy implementation
- Implement sensitive data handling on frontend
- Include secure authentication state management
SPECIFIC REQUIREMENTS:
- Sanitize all user-generated content before rendering
- Implement proper DOM manipulation methods
- Use secure cookie attributes (HttpOnly, Secure, SameSite)
- Add protection against clickjacking
- Include secure iframe usage if applicable

SITUATION: Implementing file upload functionality for [describe application]
CHALLENGE: Create a secure file upload system that prevents security vulnerabilities
AUDIENCE: Developers implementing file handling functionality
FORMAT:
- Create a comprehensive file upload security implementation
- Document all security controls and their purpose
- Implement proper separation of validation and processing
- Include clear error handling for security violations
FOUNDATIONS:
- Validate file type, size, and content thoroughly
- Implement proper file storage security
- Use secure file naming and path handling
- Add protection against path traversal attacks
- Implement virus/malware scanning if applicable
- Add proper access controls for uploaded files
- Include security-focused logging of upload events
SPECIFIC REQUIREMENTS:
- Never rely only on client-side validation
- Implement content type verification beyond file extension
- Store files outside the web root if possible
- Generate random file names for storage
- Implement proper file access authorization

SITUATION: Implementing payment processing for [describe application]
CHALLENGE: Create a secure payment system that protects sensitive financial information
AUDIENCE: Developers working with payment data under PCI DSS requirements
FORMAT:
- Implement secure payment processing patterns
- Document compliance considerations
- Include comprehensive security controls
- Add proper separation of payment concerns
FOUNDATIONS:
- Minimize storage of sensitive payment data
- Implement tokenization where possible
- Use proper encryption for any stored payment data
- Add comprehensive audit logging
- Implement strong authentication for payment actions
- Include fraud detection mechanisms
- Add proper error handling that doesn't leak information
SPECIFIC REQUIREMENTS:
- Ensure PCI DSS compliance considerations
- Implement proper card validation
- Add protection against common payment attacks
- Include transaction security mechanisms
- Implement secure refund processes

FOUNDATIONS:
- Use parameterized queries for all database operations
- Implement context-aware output encoding
- Validate all input data against strict schemas
- Use ORMs with secure configuration
- Implement proper character encoding
- Add protection against all injection types (SQL, NoSQL, OS Command, LDAP)

FOUNDATIONS:
- Implement multi-factor authentication
- Use secure session management
- Add protection against automated attacks
- Implement secure password policies
- Use secure password recovery mechanisms
- Include account lockout for failed attempts
- Add secure credential storage using strong hashing

FOUNDATIONS:
- Encrypt sensitive data at rest and in transit
- Implement proper key management
- Minimize storage of sensitive data
- Add proper access controls for sensitive information
- Include data classification and handling policies
- Use secure protocols for data transmission
- Implement proper caching controls

FOUNDATIONS:
- Disable XML external entity processing
- Implement secure XML parsers
- Use less complex data formats when possible (JSON)
- Add proper input validation for XML documents
- Include whitelisting of XML sources
- Implement XML schema validation

FOUNDATIONS:
- Implement server-side access control checks
- Use role-based access control consistently
- Add proper session management
- Implement principle of least privilege
- Include access control logging and monitoring
- Add deny-by-default authorization policy
- Implement proper authentication verification

Please consider these threat scenarios:
- Authenticated user attempting to access another user's data
- Unauthenticated attacker attempting to bypass authentication
- Injection of malicious code or commands
- Interception of sensitive data in transit
- Elevation of privilege attacks

Please include security testing considerations:
- Test cases for authentication bypass attempts
- Validation testing with malicious inputs
- Authorization bypass testing approaches
- Session management testing
- Encryption validation testing

Please include security documentation covering:
- Security controls implemented and their purpose
- Potential attack vectors considered and mitigated
- Secure configuration requirements
- Security assumptions and limitations
- Guidance for security testing

Please ensure compliance with:
- OWASP ASVS Level [1/2/3] requirements for [specific controls]
- GDPR requirements for user data handling
- PCI DSS requirements for payment information
- HIPAA requirements for health information
- [Other relevant standards]

function loginUser(username, password) {
  // Get user from database
  const query = `SELECT * FROM users WHERE username = '${username}' AND password = '${password}'`;
  const user = db.execute(query);
  
  if (user) {
    // Set session
    session.user = user;
    return true;
  }
  return false;
}

/**
 * Authenticates a user with appropriate security controls
 * 
 * Security features:
 * - Parameterized query to prevent SQL injection
 * - Password hashing with bcrypt
 * - Rate limiting for failed attempts
 * - Secure session handling
 * - Comprehensive error handling
 * 
 * @param {string} username The user's username
 * @param {string} password The user's password attempt
 * @returns {Object} Authentication result with user info or error
 */
async function loginUser(username, password) {
  try {
    // Input validation
    if (!username || !password || typeof username !== 'string' || typeof password !== 'string') {
      throw new Error('Invalid credentials format');
    }
    
    // Rate limiting check
    const attemptsKey = `login_attempts:${ipAddress}`;
    const attempts = await rateLimit.get(attemptsKey) || 0;
    
    if (attempts >= MAX_LOGIN_ATTEMPTS) {
      logger.security.warn('Login rate limit exceeded', {
        username, 
        ipAddress,
        attemptCount: attempts
      });
      throw new Error('Too many login attempts. Please try again later.');
    }
    
    // Get user with parameterized query
    const query = 'SELECT * FROM users WHERE username = ?';
    const user = await db.execute(query, [username]);
    
    if (!user) {
      // Increment failed attempts
      await rateLimit.increment(attemptsKey);
      
      // Use consistent timing to prevent timing attacks
      await securityUtils.consistentTiming();
      
      logger.security.info('Failed login attempt - user not found', { 
        username,
        ipAddress 
      });
      return { success: false, message: 'Invalid credentials' };
    }
    
    // Verify password with secure comparison
    const passwordValid = await bcrypt.compare(password, user.passwordHash);
    
    if (!passwordValid) {
      // Increment failed attempts
      await rateLimit.increment(attemptsKey);
      
      logger.security.info('Failed login attempt - invalid password', { 
        username,
        ipAddress 
      });
      return { success: false, message: 'Invalid credentials' };
    }
    
    // Check account status
    if (user.status !== 'active') {
      logger.security.info('Login attempt on inactive account', { 
        username,
        status: user.status,
        ipAddress 
      });
      return { success: false, message: 'Account is not active' };
    }
    
    // Reset failed attempts on successful login
    await rateLimit.reset(attemptsKey);
    
    // Create secure session with appropriate expiration
    const sessionToken = await securityUtils.generateSecureToken();
    await sessions.create({
      token: sessionToken,
      userId: user.id,
      expiresAt: Date.now() + SESSION_DURATION,
      ipAddress
    });
    
    // Log successful login
    logger.security.info('Successful login', { 
      username,
      userId: user.id,
      ipAddress 
    });
    
    // Return success without exposing sensitive user data
    return {
      success: true,
      user: {
        id: user.id,
        username: user.username,
        displayName: user.displayName,
        roles: user.roles
      },
      token: sessionToken
    };
  } catch (error) {
    logger.error('Login error', { 
      error: error.message,
      username
    });
    return { success: false, message: 'Authentication error occurred' };
  }
}