Secure Coding Checklist
Secure Coding Checklist
Use this practical checklist to review code for security before testing, review, deployment, or project submission.
Introduction
A secure coding checklist is a practical list of security checks that developers can use while writing, reviewing, testing, and improving code.
It helps developers remember important secure programming practices such as input validation, output encoding, authentication, authorization, password handling, safe error handling, secure logging, dependency management, and database protection.
Beginners often focus only on whether the code works. Professional developers also ask whether the code is safe, reliable, controlled, and protected against misuse.
Easy Real-Life Example
Secure Coding Checklist as a Pre-Flight Checklist
Before an airplane takes off, pilots follow a checklist. Even expert pilots use it because missing one small safety step can create a serious problem.
Pre-Flight Checklist:
- Check fuel
- Check instruments
- Check doors
- Check communication
- Check weather
Secure Coding Checklist:
- Validate input
- Encode output
- Check authentication
- Check authorization
- Protect passwords
- Handle errors safely
A checklist reduces mistakes and creates a habit of safety.
What is a Secure Coding Checklist?
A secure coding checklist is a structured set of questions and checkpoints used to verify whether code follows secure programming practices.
It can be used during:
When to Use This Checklist
- While writing code.
- Before submitting an assignment.
- Before creating a pull request.
- During code review.
- Before deployment.
- During security testing.
- During project maintenance.
Why Secure Coding Checklist is Important
Security mistakes are often repeated because developers forget small but important controls. A checklist provides a repeatable way to verify security.
Benefits
- Helps prevent common vulnerabilities.
- Improves code review quality.
- Encourages defensive programming.
- Reduces security mistakes before deployment.
- Improves application reliability.
- Protects user data and business data.
- Helps students build professional coding habits.
- Makes security easier to remember and practice.
Secure Coding Checklist Overview
The checklist can be divided into multiple security areas.
| Checklist Area | Main Focus |
|---|---|
| Input Validation | Check data before accepting or processing it. |
| Output Encoding | Display untrusted data safely. |
| Authentication | Verify user identity securely. |
| Authorization | Check what users are allowed to do. |
| Password Handling | Protect passwords during storage, login, and reset. |
| Session and Token Security | Protect login state and access tokens. |
| Database Security | Prevent SQL injection and protect database access. |
| Error Handling and Logging | Handle failures safely and log without exposing secrets. |
| File Upload Security | Validate and store uploaded files safely. |
| Dependency and Configuration Security | Use secure libraries, settings, and deployment controls. |
1. Input Validation Checklist
Input validation ensures that external data is correct, expected, and safe before the application uses it.
| Check | Question | Done? |
|---|---|---|
| Required Fields | Are required inputs checked for empty values? | Yes / No |
| Data Type | Are numbers, dates, emails, and text checked for correct type? | Yes / No |
| Range | Are numeric values checked against minimum and maximum limits? | Yes / No |
| Length | Are text fields checked for minimum and maximum length? | Yes / No |
| Format | Are emails, phone numbers, roll numbers, and dates checked for expected format? | Yes / No |
| Allowlist | Are fixed options checked using an allowlist? | Yes / No |
| Server-Side Validation | Is validation done on trusted backend logic, not only in the browser? | Yes / No |
Example
INPUT marks
IF marks is not a number THEN
DISPLAY "Invalid marks"
STOP
END IF
IF marks < 0 OR marks > 100 THEN
DISPLAY "Marks must be between 0 and 100"
STOP
END IF
2. Output Encoding Checklist
Output encoding protects users when untrusted data is displayed in a web page or sent to another output context.
| Check | Question | Done? |
|---|---|---|
| HTML Output | Is user-provided text HTML encoded before display? | Yes / No |
| Attribute Output | Is data inside HTML attributes encoded properly? | Yes / No |
| URL Output | Are values placed into URLs URL encoded? | Yes / No |
| JavaScript Context | Is untrusted data avoided or safely handled inside JavaScript? | Yes / No |
| Raw HTML | Is unsafe raw HTML rendering avoided for user content? | Yes / No |
| Sanitization | If limited HTML is allowed, is a trusted sanitizer used? | Yes / No |
Example
INPUT userComment
safeComment = HTML_ENCODE(userComment)
DISPLAY safeComment inside web page
3. Authentication Checklist
Authentication verifies who the user is.
| Check | Question | Done? |
|---|---|---|
| Protected Pages | Are protected pages available only after login? | Yes / No |
| Login Validation | Are login inputs validated before processing? | Yes / No |
| Generic Error | Does login use a generic error message like “Invalid username or password”? | Yes / No |
| Failed Attempts | Are repeated failed login attempts monitored or controlled? | Yes / No |
| MFA | Is Multi-Factor Authentication considered for sensitive accounts? | Yes / No |
| Logout | Does logout properly end the user session? | Yes / No |
4. Authorization Checklist
Authorization checks what an authenticated user is allowed to do.
| Check | Question | Done? |
|---|---|---|
| Role Check | Are role-based permissions checked before protected actions? | Yes / No |
| Backend Enforcement | Are authorization checks enforced on the backend? | Yes / No |
| Least Privilege | Are users given only the permissions they need? | Yes / No |
| Ownership Check | Can users access only their own records unless allowed by role? | Yes / No |
| Admin Actions | Are admin-only actions protected properly? | Yes / No |
| Denied Access | Are denied access scenarios tested? | Yes / No |
Example
FUNCTION deleteStudent(currentUser, studentId)
IF currentUser.role is not "Admin" THEN
RETURN "Access denied"
END IF
DELETE student record
RETURN "Student deleted"
END FUNCTION
5. Password Handling Checklist
Passwords must be handled carefully during registration, login, update, reset, and storage.
| Check | Question | Done? |
|---|---|---|
| No Plain Text | Are passwords never stored as plain text? | Yes / No |
| Secure Hashing | Are passwords stored using trusted password hashing? | Yes / No |
| Salt | Is a unique salt used where applicable? | Yes / No |
| No Password Logs | Are passwords excluded from logs? | Yes / No |
| Password Reset | Do reset links or codes expire and avoid sending old passwords? | Yes / No |
| No Hardcoding | Are passwords and secrets kept out of source code? | Yes / No |
6. Session and Token Security Checklist
Sessions and tokens represent authenticated access and must be protected.
| Check | Question | Done? |
|---|---|---|
| Token Protection | Are tokens stored and transmitted securely? | Yes / No |
| Expiration | Do sessions or tokens expire appropriately? | Yes / No |
| Logout | Are sessions invalidated after logout? | Yes / No |
| Secure Cookies | Are secure cookie settings used where applicable? | Yes / No |
| Re-Authentication | Are users asked to re-authenticate for highly sensitive actions? | Yes / No |
7. Database Security Checklist
Database-related code should be checked carefully because databases often contain sensitive application data.
| Check | Question | Done? |
|---|---|---|
| Parameterized Queries | Are SQL queries using parameterized queries or prepared statements? | Yes / No |
| No Raw Concatenation | Is raw user input avoided in SQL string concatenation? | Yes / No |
| Input Validation | Are IDs, filters, search values, and sort fields validated? | Yes / No |
| Allowlist Sorting | Are sort columns and fixed query options allowlisted? | Yes / No |
| Least Privilege | Does the database account have only required permissions? | Yes / No |
| Error Safety | Are database error details hidden from users? | Yes / No |
Example
INPUT studentId
IF studentId is not a number OR studentId <= 0 THEN
DISPLAY "Invalid student ID"
STOP
END IF
query = "SELECT * FROM students WHERE student_id = ?"
result = EXECUTE_PARAMETERIZED_QUERY(query, studentId)
DISPLAY result
8. Error Handling Checklist
Errors should be handled safely without exposing internal system details.
| Check | Question | Done? |
|---|---|---|
| Safe User Messages | Are users shown generic and safe error messages? | Yes / No |
| No Stack Trace | Are stack traces hidden from users? | Yes / No |
| No System Paths | Are internal file paths, database names, and server details hidden? | Yes / No |
| Controlled Failure | Does the application fail safely when something goes wrong? | Yes / No |
| Internal Logging | Are technical details logged securely for developers? | Yes / No |
Unsafe Error
Database connection failed at /internal/config/db_line_42
Safer Error
Something went wrong while processing your request.
Please try again later.
9. Logging Checklist
Logs should help debugging and monitoring without exposing sensitive data.
Do Not Log
- Passwords.
- Secret keys.
- Full tokens.
- Payment details.
- Private personal data.
- Sensitive session values.
Safer Logging
- Log event type.
- Log safe error reference ID.
- Log access denied events.
- Log failed login attempts safely.
- Mask sensitive values.
- Restrict log access.
10. Secrets Management Checklist
Secrets include passwords, API keys, private keys, tokens, and database credentials.
| Check | Question | Done? |
|---|---|---|
| No Hardcoded Secrets | Are secrets kept out of source code? | Yes / No |
| Secure Storage | Are secrets stored in environment variables or secret managers? | Yes / No |
| No Repository Exposure | Are secrets excluded from repositories and shared files? | Yes / No |
| Secret Rotation | Can secrets be changed or rotated when needed? | Yes / No |
| Access Control | Can only authorized people or services access secrets? | Yes / No |
Bad Practice
apiKey = "my-secret-api-key"
databasePassword = "AdminPassword123"
Better Practice
apiKey = GET_SECRET("PAYMENT_API_KEY")
databasePassword = GET_SECRET("DATABASE_PASSWORD")
11. File Upload Checklist
File uploads can be risky if files are not checked properly.
| Check | Question | Done? |
|---|---|---|
| Allowed Types | Are only required file types allowed? | Yes / No |
| File Size | Is maximum file size checked? | Yes / No |
| File Name | Is the original file name treated as untrusted? | Yes / No |
| Safe Storage | Are uploaded files stored in a controlled location? | Yes / No |
| No Execution | Are uploaded files prevented from executing as code? | Yes / No |
| Scanning | Are uploaded files scanned where required? | Yes / No |
12. Dependency Checklist
Applications often depend on libraries, frameworks, packages, and plugins. These must be managed securely.
| Check | Question | Done? |
|---|---|---|
| Trusted Source | Are dependencies from trusted sources? | Yes / No |
| Updated Packages | Are dependencies kept updated? | Yes / No |
| Unused Packages | Are unused dependencies removed? | Yes / No |
| Security Scan | Are dependency vulnerabilities checked with tools where available? | Yes / No |
| License Awareness | Are third-party components reviewed for allowed usage? | Yes / No |
13. Secure Configuration Checklist
Configuration mistakes can create security risks even when the code is good.
| Check | Question | Done? |
|---|---|---|
| Debug Mode | Is debug mode disabled in production? | Yes / No |
| Default Accounts | Are default accounts and default passwords removed or changed? | Yes / No |
| HTTPS | Is sensitive communication protected using HTTPS? | Yes / No |
| Security Headers | Are relevant security headers considered for web applications? | Yes / No |
| Private Repositories | Are code repositories private where required? | Yes / No |
| Patch Updates | Are systems and frameworks updated with security patches? | Yes / No |
14. Code Review Checklist
Security should be part of code review, not only functional testing.
Security Review Questions
- Does this code validate all external input?
- Does this code encode output safely?
- Does this code use parameterized queries?
- Does this code avoid hardcoded secrets?
- Does this code protect authentication logic?
- Does this code enforce authorization on the backend?
- Does this code avoid logging sensitive data?
- Does this code handle errors safely?
- Does this code use trusted libraries?
- Does this code include useful test cases?
15. Security Testing Checklist
Secure coding should be supported by testing.
| Test Area | What to Test |
|---|---|
| Input Validation | Normal, invalid, empty, boundary, and unexpected values. |
| Authorization | Allowed and denied access scenarios. |
| Authentication | Valid login, invalid login, empty credentials, repeated failures. |
| Password Handling | Password reset, password update, and storage behavior. |
| SQL Injection Prevention | Database features using parameterized query approach. |
| XSS Prevention | Output paths where user input is displayed. |
| Error Handling | Whether technical details are hidden from users. |
Student-Friendly Example: Secure Student Portal Checklist
Suppose students are building a Student Portal project. They can use the following security checklist.
| Feature | Secure Coding Check |
|---|---|
| Student Login | Use safe password handling and generic login error messages. |
| Marks Entry | Validate marks between 0 and 100. |
| Report View | Students can view only their own reports unless authorized. |
| Comment Box | Encode comments before displaying them. |
| Search Student | Use parameterized queries and validate student ID. |
| File Upload | Validate file type, size, and storage location. |
| Error Page | Show safe error messages without internal details. |
Real-World Example: E-Commerce Secure Coding Checklist
| Feature | Secure Coding Check |
|---|---|
| Product Search | Validate input and use parameterized database queries. |
| Product Review | Encode output before displaying user reviews. |
| Checkout | Validate quantity, price, coupon, and payment state. |
| Order History | Check order ownership before showing order details. |
| Admin Panel | Require authentication, authorization, and least privilege. |
| Payment Token | Never log or expose sensitive payment-related values. |
| API Calls | Use HTTPS, authentication, authorization, and safe error handling. |
Final Secure Coding Submission Checklist
Students can copy this final checklist before submitting a project.
Final Review
- All user inputs are validated.
- All untrusted output is encoded before display.
- Passwords are not stored as plain text.
- Secrets are not hardcoded in source code.
- Authentication is required for protected features.
- Authorization is checked before sensitive actions.
- SQL queries use parameterized query style.
- Sessions and tokens are protected.
- Error messages shown to users are safe.
- Logs do not contain sensitive information.
- File uploads are validated.
- Dependencies are trusted and updated.
- Debug mode is disabled in production.
- Security-related test cases are included.
- Code has been reviewed for common security mistakes.
Common Beginner Mistakes
Mistakes
- Using a checklist only after the project is complete.
- Validating only on the frontend.
- Assuming login means full access.
- Storing passwords directly.
- Displaying user input directly.
- Building SQL queries using raw input.
- Showing technical errors to users.
- Logging passwords, tokens, or secret keys.
- Ignoring dependency updates.
- Skipping security review because the code works.
Better Habits
- Use checklist during design, coding, testing, and review.
- Validate on backend logic.
- Check authorization for every protected action.
- Use secure password hashing.
- Encode output based on context.
- Use parameterized queries.
- Use safe error messages.
- Mask or avoid sensitive log values.
- Keep dependencies updated.
- Make security part of code review.
Best Practices for Using a Secure Coding Checklist
Recommended Practices
- Use the checklist before writing code to plan secure design.
- Use the checklist while coding to avoid common mistakes.
- Use the checklist during code review.
- Use the checklist before deployment.
- Adapt the checklist to the project type.
- Keep the checklist simple enough for students to use regularly.
- Include both functional tests and security tests.
- Review authentication, authorization, input, output, and database logic carefully.
- Do not treat the checklist as a replacement for learning security concepts.
- Update the checklist as students learn new security topics.
Prerequisites Before Using This Checklist
Students should understand the following topics before using this checklist deeply:
Required Knowledge
- Basic programming syntax.
- Variables and data types.
- Functions or methods.
- Input validation.
- Output encoding.
- Authentication basics.
- Authorization basics.
- Password handling basics.
- SQL Injection concept.
- Cross-site Scripting concept.
- Testing and code review basics.
Practice Activity: Review the Code Using Checklist
Use the secure coding checklist to review the following pseudocode.
databasePassword = "Admin123"
FUNCTION searchStudent(studentId)
query = "SELECT * FROM students WHERE student_id = " + studentId
result = RUN query
DISPLAY result
END FUNCTION
FUNCTION showComment(comment)
DISPLAY comment inside web page
END FUNCTION
FUNCTION deleteStudent(studentId)
DELETE student record
RETURN "Deleted"
END FUNCTION
Expected Security Issues
Issues:
1. Database password is hardcoded.
2. studentId is not validated.
3. SQL query uses raw input concatenation.
4. Comment is displayed without output encoding.
5. deleteStudent has no authentication or authorization check.
6. Error handling and logging are not shown.
7. Least privilege is not considered.
Improved Concept
databasePassword = GET_SECRET("DATABASE_PASSWORD")
FUNCTION searchStudent(studentId)
IF studentId is not a number OR studentId <= 0 THEN
RETURN "Invalid student ID"
END IF
query = "SELECT * FROM students WHERE student_id = ?"
result = EXECUTE_PARAMETERIZED_QUERY(query, studentId)
RETURN result
END FUNCTION
FUNCTION showComment(comment)
IF comment is empty THEN
RETURN "Invalid comment"
END IF
safeComment = HTML_ENCODE(comment)
DISPLAY safeComment inside web page
END FUNCTION
FUNCTION deleteStudent(currentUser, studentId)
IF currentUser.role is not "Admin" THEN
RETURN "Access denied"
END IF
DELETE student record
RETURN "Deleted"
END FUNCTION
Practice Test Cases
| Test Case | Scenario | Expected Result |
|---|---|---|
| TC_001 | Valid student ID search | Record searched safely using parameterized query. |
| TC_002 | Invalid student ID | Invalid student ID. |
| TC_003 | Comment contains HTML-like characters | Displayed as text after encoding. |
| TC_004 | Student tries to delete a record | Access denied. |
| TC_005 | Admin deletes a record | Deleted. |
Mini Quiz
What is a secure coding checklist?
A secure coding checklist is a structured list of security checks used to review whether code follows secure programming practices.
Why is input validation important?
Input validation helps reject unexpected or unsafe data before it is processed by the application.
Why is output encoding important?
Output encoding helps display untrusted data as text instead of executable browser content.
What should be checked before a protected action?
The application should check authentication and authorization before allowing protected actions.
Why should secrets not be hardcoded?
Hardcoded secrets can be exposed through source code, repositories, logs, or accidental sharing.
Interview Questions on Secure Coding Checklist
What are the major areas of a secure coding checklist?
Major areas include input validation, output encoding, authentication, authorization, password handling, session management, database security, error handling, logging, file upload security, dependency management, and secure configuration.
How does a checklist help during code review?
A checklist gives reviewers a structured way to check common security risks instead of relying only on memory.
Why should authorization be checked on the backend?
Frontend controls can be bypassed, so protected actions must be checked on trusted backend logic.
What is the checklist item for SQL Injection prevention?
Use parameterized queries or prepared statements and avoid raw string concatenation with user input.
What is the checklist item for XSS prevention?
Encode untrusted output based on context and avoid unsafe raw HTML rendering.
Quick Summary
| Checklist Area | Main Reminder |
|---|---|
| Input Validation | Check type, length, range, format, and allowed values. |
| Output Encoding | Encode untrusted data before displaying it. |
| Authentication | Verify user identity securely. |
| Authorization | Check permissions before protected actions. |
| Password Handling | Never store plain-text passwords. |
| Database Security | Use parameterized queries. |
| Logging | Do not log sensitive data. |
| Secrets | Never hardcode credentials or API keys. |
| Dependencies | Use trusted and updated packages. |
| Configuration | Disable unsafe defaults and production debug details. |
Final Takeaway
A secure coding checklist helps developers build safer applications by turning security concepts into practical review questions. Students should use the checklist during design, coding, testing, and code review. The most important habits are validating input, encoding output, protecting authentication, enforcing authorization, handling passwords safely, using parameterized queries, avoiding hardcoded secrets, hiding internal errors, avoiding sensitive logs, validating file uploads, updating dependencies, and reviewing code for security mistakes. Secure coding becomes easier when students treat security as a regular development habit, not an extra task at the end.