Security Essentials

Use this skill before writing ANY security-sensitive code.

RULES — Quick Checklist

Apply every item before merging. See the named sections below for patterns and examples.

  1. Atom exhaustion — never String.to_atom/1 on user input; use String.to_existing_atom/1 or an explicit case → Atom Table Exhaustion
  2. SQL injection — never interpolate strings into Ecto queries; use ^variable or $1/$2 placeholders → SQL Injection
  3. Open redirects — never redirect to user-controlled URLs; use ~p"..." or a whitelist → Open Redirects
  4. XSS — avoid raw/1; sanitize with HtmlSanitizeEx if HTML is required → Cross-Site Scripting (XSS)
  5. Sensitive data in logs — passwords, tokens, API keys, and PII must never appear in logs → Sensitive Data in Logs
  6. Timing attacks — use Plug.Crypto.secure_compare/2 for token comparison; never == → Timing Attacks
  7. CSRF — never disable Phoenix's built-in CSRF protection → CSRF Protection
  8. Parameter tampering / IDOR — validate all user input at boundaries; verify ownership → Common Vulnerable Patterns
  9. Dependency auditing — run mix deps.audit && mix hex.audit && mix sobelow before any merge → Dependency Auditing
  10. Sobelow in CI — mix sobelow must pass in CI; fail on any HIGH or CRITICAL finding
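The following module is an added example, not part of the skill file or the igmarin/elixir-phoenix-skills project. It shows the safe form behind checklist items 1, 3, 5 and 6 in plain Elixir: an explicit clause instead of String.to_atom/1, a host allow-list for redirect targets, a derived Inspect that keeps secrets out of log lines, and a constant-time token check. It assumes the plug_crypto package is available (it is in any Phoenix app) for Plug.Crypto.secure_compare/2; the module name, the host list, the struct fields and the role names are constructed for illustration.

```elixir
# Added example (not from the original skill file). Assumes plug_crypto is a
# dependency; host names, roles and struct fields below are constructed values.
defmodule SecurityEssentialsExample do
  require Logger

  # --- 1. Atom exhaustion -------------------------------------------------
  # The atom table is never garbage collected, so String.to_atom/1 on user
  # input lets a caller grow it until the VM dies. Explicit clauses map the
  # known strings to atoms and reject everything else.
  @spec parse_role(String.t()) :: {:ok, :admin | :editor | :viewer} | :error
  def parse_role("admin"), do: {:ok, :admin}
  def parse_role("editor"), do: {:ok, :editor}
  def parse_role("viewer"), do: {:ok, :viewer}
  def parse_role(_other), do: :error

  # --- 3. Open redirects --------------------------------------------------
  # Accept a relative path, or an absolute http(s) URL whose host is on the
  # allow list; anything else falls back to the application root.
  @allowed_hosts ["example.com", "www.example.com"]  # constructed values

  @spec safe_redirect_target(String.t()) :: String.t()
  def safe_redirect_target(target) when is_binary(target) do
    case URI.parse(target) do
      # "/dashboard?tab=1" has no scheme and no host. The second byte is
      # checked so that "//evil.example" (protocol-relative) and "/\evil.example"
      # (browser-tolerated backslash form) are not treated as local paths.
      %URI{scheme: nil, host: nil, path: <<"/", next, _::binary>>}
      when next not in [?/, ?\\] ->
        target

      %URI{scheme: scheme, host: host}
      when scheme in ["http", "https"] and host in @allowed_hosts ->
        target

      _ ->
        "/"
    end
  end

  # --- 5. Sensitive data in logs ------------------------------------------
  # Deriving Inspect with `except:` means the secret fields never reach a
  # Logger call or an error report that inspects the struct, even by accident.
  defmodule User do
    @derive {Inspect, except: [:password_hash, :api_token]}
    defstruct [:id, :email, :password_hash, :api_token]
  end

  @spec log_login(User.t()) :: :ok
  def log_login(%User{} = user) do
    # Renders as #SecurityEssentialsExample.User<id: 1, email: "...", ...>
    # with password_hash and api_token elided.
    Logger.info("login ok: " <> inspect(user))
    :ok
  end

  # --- 6. Timing attacks ---------------------------------------------------
  # `==` on binaries returns as soon as a byte differs, so response time
  # leaks how many leading bytes of the guess were right. secure_compare/2
  # runs in time that depends only on the length of the inputs.
  @spec token_valid?(binary(), binary()) :: boolean()
  def token_valid?(presented, expected)
      when is_binary(presented) and is_binary(expected) do
    Plug.Crypto.secure_compare(presented, expected)
  end
end
```

In iex inside a Phoenix project, `SecurityEssentialsExample.parse_role("root")` returns `:error` without touching the atom table, `safe_redirect_target("//evil.example/x")` and `safe_redirect_target("javascript:alert(1)")` both return `"/"`, and `inspect(%SecurityEssentialsExample.User{api_token: "secret"})` prints no token. Item 2 (pinned `^variable` values in Ecto queries) is left out here because it needs a Repo to run against.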
security-essentials — igmarin/elixir-phoenix-skills