Table of Contents

    Secure Coding Checklist

    Programming Mastery

    Secure Coding Checklist

    Use this practical checklist to review code for security before testing, review, deployment, or project submission.

    Introduction

    A secure coding checklist is a practical list of security checks that developers can use while writing, reviewing, testing, and improving code.

    It helps developers remember important secure programming practices such as input validation, output encoding, authentication, authorization, password handling, safe error handling, secure logging, dependency management, and database protection.

    A secure coding checklist helps developers catch security mistakes before the application reaches real users.

    Beginners often focus only on whether the code works. Professional developers also ask whether the code is safe, reliable, controlled, and protected against misuse.

    Easy Real-Life Example

    Secure Coding Checklist as a Pre-Flight Checklist

    Before an airplane takes off, pilots follow a checklist. Even expert pilots use it because missing one small safety step can create a serious problem.

    Pre-Flight Checklist:
    - Check fuel
    - Check instruments
    - Check doors
    - Check communication
    - Check weather
    
    Secure Coding Checklist:
    - Validate input
    - Encode output
    - Check authentication
    - Check authorization
    - Protect passwords
    - Handle errors safely

    A checklist reduces mistakes and creates a habit of safety.

    What is a Secure Coding Checklist?

    A secure coding checklist is a structured set of questions and checkpoints used to verify whether code follows secure programming practices.

    It can be used during:

    When to Use This Checklist

    • While writing code.
    • Before submitting an assignment.
    • Before creating a pull request.
    • During code review.
    • Before deployment.
    • During security testing.
    • During project maintenance.
    Key Idea: Secure coding is not a one-time activity. It should be checked throughout development.

    Why Secure Coding Checklist is Important

    Security mistakes are often repeated because developers forget small but important controls. A checklist provides a repeatable way to verify security.

    Benefits

    • Helps prevent common vulnerabilities.
    • Improves code review quality.
    • Encourages defensive programming.
    • Reduces security mistakes before deployment.
    • Improves application reliability.
    • Protects user data and business data.
    • Helps students build professional coding habits.
    • Makes security easier to remember and practice.

    Secure Coding Checklist Overview

    The checklist can be divided into multiple security areas.

    Checklist Area Main Focus
    Input Validation Check data before accepting or processing it.
    Output Encoding Display untrusted data safely.
    Authentication Verify user identity securely.
    Authorization Check what users are allowed to do.
    Password Handling Protect passwords during storage, login, and reset.
    Session and Token Security Protect login state and access tokens.
    Database Security Prevent SQL injection and protect database access.
    Error Handling and Logging Handle failures safely and log without exposing secrets.
    File Upload Security Validate and store uploaded files safely.
    Dependency and Configuration Security Use secure libraries, settings, and deployment controls.

    1. Input Validation Checklist

    Input validation ensures that external data is correct, expected, and safe before the application uses it.

    Check Question Done?
    Required Fields Are required inputs checked for empty values? Yes / No
    Data Type Are numbers, dates, emails, and text checked for correct type? Yes / No
    Range Are numeric values checked against minimum and maximum limits? Yes / No
    Length Are text fields checked for minimum and maximum length? Yes / No
    Format Are emails, phone numbers, roll numbers, and dates checked for expected format? Yes / No
    Allowlist Are fixed options checked using an allowlist? Yes / No
    Server-Side Validation Is validation done on trusted backend logic, not only in the browser? Yes / No

    Example

    INPUT marks
    
    IF marks is not a number THEN
        DISPLAY "Invalid marks"
        STOP
    END IF
    
    IF marks < 0 OR marks > 100 THEN
        DISPLAY "Marks must be between 0 and 100"
        STOP
    END IF

    2. Output Encoding Checklist

    Output encoding protects users when untrusted data is displayed in a web page or sent to another output context.

    Check Question Done?
    HTML Output Is user-provided text HTML encoded before display? Yes / No
    Attribute Output Is data inside HTML attributes encoded properly? Yes / No
    URL Output Are values placed into URLs URL encoded? Yes / No
    JavaScript Context Is untrusted data avoided or safely handled inside JavaScript? Yes / No
    Raw HTML Is unsafe raw HTML rendering avoided for user content? Yes / No
    Sanitization If limited HTML is allowed, is a trusted sanitizer used? Yes / No

    Example

    INPUT userComment
    
    safeComment = HTML_ENCODE(userComment)
    
    DISPLAY safeComment inside web page

    3. Authentication Checklist

    Authentication verifies who the user is.

    Check Question Done?
    Protected Pages Are protected pages available only after login? Yes / No
    Login Validation Are login inputs validated before processing? Yes / No
    Generic Error Does login use a generic error message like “Invalid username or password”? Yes / No
    Failed Attempts Are repeated failed login attempts monitored or controlled? Yes / No
    MFA Is Multi-Factor Authentication considered for sensitive accounts? Yes / No
    Logout Does logout properly end the user session? Yes / No

    4. Authorization Checklist

    Authorization checks what an authenticated user is allowed to do.

    Check Question Done?
    Role Check Are role-based permissions checked before protected actions? Yes / No
    Backend Enforcement Are authorization checks enforced on the backend? Yes / No
    Least Privilege Are users given only the permissions they need? Yes / No
    Ownership Check Can users access only their own records unless allowed by role? Yes / No
    Admin Actions Are admin-only actions protected properly? Yes / No
    Denied Access Are denied access scenarios tested? Yes / No

    Example

    FUNCTION deleteStudent(currentUser, studentId)
        IF currentUser.role is not "Admin" THEN
            RETURN "Access denied"
        END IF
    
        DELETE student record
    
        RETURN "Student deleted"
    END FUNCTION

    5. Password Handling Checklist

    Passwords must be handled carefully during registration, login, update, reset, and storage.

    Check Question Done?
    No Plain Text Are passwords never stored as plain text? Yes / No
    Secure Hashing Are passwords stored using trusted password hashing? Yes / No
    Salt Is a unique salt used where applicable? Yes / No
    No Password Logs Are passwords excluded from logs? Yes / No
    Password Reset Do reset links or codes expire and avoid sending old passwords? Yes / No
    No Hardcoding Are passwords and secrets kept out of source code? Yes / No

    6. Session and Token Security Checklist

    Sessions and tokens represent authenticated access and must be protected.

    Check Question Done?
    Token Protection Are tokens stored and transmitted securely? Yes / No
    Expiration Do sessions or tokens expire appropriately? Yes / No
    Logout Are sessions invalidated after logout? Yes / No
    Secure Cookies Are secure cookie settings used where applicable? Yes / No
    Re-Authentication Are users asked to re-authenticate for highly sensitive actions? Yes / No

    7. Database Security Checklist

    Database-related code should be checked carefully because databases often contain sensitive application data.

    Check Question Done?
    Parameterized Queries Are SQL queries using parameterized queries or prepared statements? Yes / No
    No Raw Concatenation Is raw user input avoided in SQL string concatenation? Yes / No
    Input Validation Are IDs, filters, search values, and sort fields validated? Yes / No
    Allowlist Sorting Are sort columns and fixed query options allowlisted? Yes / No
    Least Privilege Does the database account have only required permissions? Yes / No
    Error Safety Are database error details hidden from users? Yes / No

    Example

    INPUT studentId
    
    IF studentId is not a number OR studentId <= 0 THEN
        DISPLAY "Invalid student ID"
        STOP
    END IF
    
    query = "SELECT * FROM students WHERE student_id = ?"
    
    result = EXECUTE_PARAMETERIZED_QUERY(query, studentId)
    
    DISPLAY result

    8. Error Handling Checklist

    Errors should be handled safely without exposing internal system details.

    Check Question Done?
    Safe User Messages Are users shown generic and safe error messages? Yes / No
    No Stack Trace Are stack traces hidden from users? Yes / No
    No System Paths Are internal file paths, database names, and server details hidden? Yes / No
    Controlled Failure Does the application fail safely when something goes wrong? Yes / No
    Internal Logging Are technical details logged securely for developers? Yes / No

    Unsafe Error

    Database connection failed at /internal/config/db_line_42

    Safer Error

    Something went wrong while processing your request.
    Please try again later.

    9. Logging Checklist

    Logs should help debugging and monitoring without exposing sensitive data.

    Do Not Log

    • Passwords.
    • Secret keys.
    • Full tokens.
    • Payment details.
    • Private personal data.
    • Sensitive session values.

    Safer Logging

    • Log event type.
    • Log safe error reference ID.
    • Log access denied events.
    • Log failed login attempts safely.
    • Mask sensitive values.
    • Restrict log access.

    10. Secrets Management Checklist

    Secrets include passwords, API keys, private keys, tokens, and database credentials.

    Check Question Done?
    No Hardcoded Secrets Are secrets kept out of source code? Yes / No
    Secure Storage Are secrets stored in environment variables or secret managers? Yes / No
    No Repository Exposure Are secrets excluded from repositories and shared files? Yes / No
    Secret Rotation Can secrets be changed or rotated when needed? Yes / No
    Access Control Can only authorized people or services access secrets? Yes / No

    Bad Practice

    apiKey = "my-secret-api-key"
    databasePassword = "AdminPassword123"

    Better Practice

    apiKey = GET_SECRET("PAYMENT_API_KEY")
    databasePassword = GET_SECRET("DATABASE_PASSWORD")

    11. File Upload Checklist

    File uploads can be risky if files are not checked properly.

    Check Question Done?
    Allowed Types Are only required file types allowed? Yes / No
    File Size Is maximum file size checked? Yes / No
    File Name Is the original file name treated as untrusted? Yes / No
    Safe Storage Are uploaded files stored in a controlled location? Yes / No
    No Execution Are uploaded files prevented from executing as code? Yes / No
    Scanning Are uploaded files scanned where required? Yes / No

    12. Dependency Checklist

    Applications often depend on libraries, frameworks, packages, and plugins. These must be managed securely.

    Check Question Done?
    Trusted Source Are dependencies from trusted sources? Yes / No
    Updated Packages Are dependencies kept updated? Yes / No
    Unused Packages Are unused dependencies removed? Yes / No
    Security Scan Are dependency vulnerabilities checked with tools where available? Yes / No
    License Awareness Are third-party components reviewed for allowed usage? Yes / No

    13. Secure Configuration Checklist

    Configuration mistakes can create security risks even when the code is good.

    Check Question Done?
    Debug Mode Is debug mode disabled in production? Yes / No
    Default Accounts Are default accounts and default passwords removed or changed? Yes / No
    HTTPS Is sensitive communication protected using HTTPS? Yes / No
    Security Headers Are relevant security headers considered for web applications? Yes / No
    Private Repositories Are code repositories private where required? Yes / No
    Patch Updates Are systems and frameworks updated with security patches? Yes / No

    14. Code Review Checklist

    Security should be part of code review, not only functional testing.

    Security Review Questions

    • Does this code validate all external input?
    • Does this code encode output safely?
    • Does this code use parameterized queries?
    • Does this code avoid hardcoded secrets?
    • Does this code protect authentication logic?
    • Does this code enforce authorization on the backend?
    • Does this code avoid logging sensitive data?
    • Does this code handle errors safely?
    • Does this code use trusted libraries?
    • Does this code include useful test cases?

    15. Security Testing Checklist

    Secure coding should be supported by testing.

    Test Area What to Test
    Input Validation Normal, invalid, empty, boundary, and unexpected values.
    Authorization Allowed and denied access scenarios.
    Authentication Valid login, invalid login, empty credentials, repeated failures.
    Password Handling Password reset, password update, and storage behavior.
    SQL Injection Prevention Database features using parameterized query approach.
    XSS Prevention Output paths where user input is displayed.
    Error Handling Whether technical details are hidden from users.

    Student-Friendly Example: Secure Student Portal Checklist

    Suppose students are building a Student Portal project. They can use the following security checklist.

    Feature Secure Coding Check
    Student Login Use safe password handling and generic login error messages.
    Marks Entry Validate marks between 0 and 100.
    Report View Students can view only their own reports unless authorized.
    Comment Box Encode comments before displaying them.
    Search Student Use parameterized queries and validate student ID.
    File Upload Validate file type, size, and storage location.
    Error Page Show safe error messages without internal details.

    Real-World Example: E-Commerce Secure Coding Checklist

    Feature Secure Coding Check
    Product Search Validate input and use parameterized database queries.
    Product Review Encode output before displaying user reviews.
    Checkout Validate quantity, price, coupon, and payment state.
    Order History Check order ownership before showing order details.
    Admin Panel Require authentication, authorization, and least privilege.
    Payment Token Never log or expose sensitive payment-related values.
    API Calls Use HTTPS, authentication, authorization, and safe error handling.

    Final Secure Coding Submission Checklist

    Students can copy this final checklist before submitting a project.

    Final Review

    • All user inputs are validated.
    • All untrusted output is encoded before display.
    • Passwords are not stored as plain text.
    • Secrets are not hardcoded in source code.
    • Authentication is required for protected features.
    • Authorization is checked before sensitive actions.
    • SQL queries use parameterized query style.
    • Sessions and tokens are protected.
    • Error messages shown to users are safe.
    • Logs do not contain sensitive information.
    • File uploads are validated.
    • Dependencies are trusted and updated.
    • Debug mode is disabled in production.
    • Security-related test cases are included.
    • Code has been reviewed for common security mistakes.

    Common Beginner Mistakes

    Mistakes

    • Using a checklist only after the project is complete.
    • Validating only on the frontend.
    • Assuming login means full access.
    • Storing passwords directly.
    • Displaying user input directly.
    • Building SQL queries using raw input.
    • Showing technical errors to users.
    • Logging passwords, tokens, or secret keys.
    • Ignoring dependency updates.
    • Skipping security review because the code works.

    Better Habits

    • Use checklist during design, coding, testing, and review.
    • Validate on backend logic.
    • Check authorization for every protected action.
    • Use secure password hashing.
    • Encode output based on context.
    • Use parameterized queries.
    • Use safe error messages.
    • Mask or avoid sensitive log values.
    • Keep dependencies updated.
    • Make security part of code review.

    Best Practices for Using a Secure Coding Checklist

    Recommended Practices

    • Use the checklist before writing code to plan secure design.
    • Use the checklist while coding to avoid common mistakes.
    • Use the checklist during code review.
    • Use the checklist before deployment.
    • Adapt the checklist to the project type.
    • Keep the checklist simple enough for students to use regularly.
    • Include both functional tests and security tests.
    • Review authentication, authorization, input, output, and database logic carefully.
    • Do not treat the checklist as a replacement for learning security concepts.
    • Update the checklist as students learn new security topics.

    Prerequisites Before Using This Checklist

    Students should understand the following topics before using this checklist deeply:

    Required Knowledge

    • Basic programming syntax.
    • Variables and data types.
    • Functions or methods.
    • Input validation.
    • Output encoding.
    • Authentication basics.
    • Authorization basics.
    • Password handling basics.
    • SQL Injection concept.
    • Cross-site Scripting concept.
    • Testing and code review basics.

    Practice Activity: Review the Code Using Checklist

    Use the secure coding checklist to review the following pseudocode.

    databasePassword = "Admin123"
    
    FUNCTION searchStudent(studentId)
        query = "SELECT * FROM students WHERE student_id = " + studentId
        result = RUN query
        DISPLAY result
    END FUNCTION
    
    FUNCTION showComment(comment)
        DISPLAY comment inside web page
    END FUNCTION
    
    FUNCTION deleteStudent(studentId)
        DELETE student record
        RETURN "Deleted"
    END FUNCTION

    Expected Security Issues

    Issues:
    1. Database password is hardcoded.
    2. studentId is not validated.
    3. SQL query uses raw input concatenation.
    4. Comment is displayed without output encoding.
    5. deleteStudent has no authentication or authorization check.
    6. Error handling and logging are not shown.
    7. Least privilege is not considered.

    Improved Concept

    databasePassword = GET_SECRET("DATABASE_PASSWORD")
    
    FUNCTION searchStudent(studentId)
        IF studentId is not a number OR studentId <= 0 THEN
            RETURN "Invalid student ID"
        END IF
    
        query = "SELECT * FROM students WHERE student_id = ?"
        result = EXECUTE_PARAMETERIZED_QUERY(query, studentId)
    
        RETURN result
    END FUNCTION
    
    FUNCTION showComment(comment)
        IF comment is empty THEN
            RETURN "Invalid comment"
        END IF
    
        safeComment = HTML_ENCODE(comment)
    
        DISPLAY safeComment inside web page
    END FUNCTION
    
    FUNCTION deleteStudent(currentUser, studentId)
        IF currentUser.role is not "Admin" THEN
            RETURN "Access denied"
        END IF
    
        DELETE student record
    
        RETURN "Deleted"
    END FUNCTION

    Practice Test Cases

    Test Case Scenario Expected Result
    TC_001 Valid student ID search Record searched safely using parameterized query.
    TC_002 Invalid student ID Invalid student ID.
    TC_003 Comment contains HTML-like characters Displayed as text after encoding.
    TC_004 Student tries to delete a record Access denied.
    TC_005 Admin deletes a record Deleted.

    Mini Quiz

    1

    What is a secure coding checklist?

    A secure coding checklist is a structured list of security checks used to review whether code follows secure programming practices.

    2

    Why is input validation important?

    Input validation helps reject unexpected or unsafe data before it is processed by the application.

    3

    Why is output encoding important?

    Output encoding helps display untrusted data as text instead of executable browser content.

    4

    What should be checked before a protected action?

    The application should check authentication and authorization before allowing protected actions.

    5

    Why should secrets not be hardcoded?

    Hardcoded secrets can be exposed through source code, repositories, logs, or accidental sharing.

    Interview Questions on Secure Coding Checklist

    1

    What are the major areas of a secure coding checklist?

    Major areas include input validation, output encoding, authentication, authorization, password handling, session management, database security, error handling, logging, file upload security, dependency management, and secure configuration.

    2

    How does a checklist help during code review?

    A checklist gives reviewers a structured way to check common security risks instead of relying only on memory.

    3

    Why should authorization be checked on the backend?

    Frontend controls can be bypassed, so protected actions must be checked on trusted backend logic.

    4

    What is the checklist item for SQL Injection prevention?

    Use parameterized queries or prepared statements and avoid raw string concatenation with user input.

    5

    What is the checklist item for XSS prevention?

    Encode untrusted output based on context and avoid unsafe raw HTML rendering.

    Quick Summary

    Checklist Area Main Reminder
    Input Validation Check type, length, range, format, and allowed values.
    Output Encoding Encode untrusted data before displaying it.
    Authentication Verify user identity securely.
    Authorization Check permissions before protected actions.
    Password Handling Never store plain-text passwords.
    Database Security Use parameterized queries.
    Logging Do not log sensitive data.
    Secrets Never hardcode credentials or API keys.
    Dependencies Use trusted and updated packages.
    Configuration Disable unsafe defaults and production debug details.

    Final Takeaway

    A secure coding checklist helps developers build safer applications by turning security concepts into practical review questions. Students should use the checklist during design, coding, testing, and code review. The most important habits are validating input, encoding output, protecting authentication, enforcing authorization, handling passwords safely, using parameterized queries, avoiding hardcoded secrets, hiding internal errors, avoiding sensitive logs, validating file uploads, updating dependencies, and reviewing code for security mistakes. Secure coding becomes easier when students treat security as a regular development habit, not an extra task at the end.