Secure case library

21 review invariants.

These are the patterns Secure uses to review whole projects across languages and frameworks. Each case asks the same production question: can untrusted input or the wrong actor reach a sensitive sink?

Benchmark contractDetected, Partial, Missed, Out of scope.

Every benchmark answer must account for all cases, include verification, name coverage, and close with a case coverage summary.

Blind target12/21 without secure

A model-only review found the obvious P0s but grouped or missed quieter invariants.

Secure target21/21 with secure

The skill forces capability inventory, naming-bias passes, verification, coverage, and case accounting.

Authentication Trust

Signal: Client-provided identity, demo headers, optional sessions, weak middleware order.
Check: Confirm that the server owns identity and role claims before any sensitive handler runs.
Proof: Tests reject forged headers, missing sessions, and downgraded middleware paths.

Authorization Dominance

Signal: Guards exist, but they run after reads, writes, exports, queue jobs, or provider calls.
Check: Trace the request until the sensitive sink and verify the guard dominates the sink.
Proof: Tests fail when a user reaches the sink without the required role or permission.

Tenant Boundary

Signal: tenantId is accepted from payloads, params, headers, cookies, or untrusted claims.
Check: Verify tenant scope comes from trusted server context and is applied to every object query.
Proof: Cross-tenant read, update, delete, export, and job tests return denied results.

Owner Scope

Signal: Object lookup uses only id, slug, file key, token, or public-looking route names.
Check: Verify the object belongs to the authenticated actor or an authorized shared scope.
Proof: Another user's object id cannot be read, changed, deleted, previewed, or exported.

Mass Assignment

Signal: Payloads flow directly into ORM create, update, merge, mapper, DTO, or model calls.
Check: Allowlist mutable fields and block policy fields such as role, status, plan, price, quota, ownerId, and tenantId.
Proof: Tests prove restricted fields are ignored or rejected across create and update paths.

State Transition Invariants

Signal: Status changes, approvals, refunds, cancellations, publishes, and deletes lack transition rules.
Check: Verify each state change has actor, current state, next state, and business rule validation.
Proof: Invalid transitions and repeated side effects are rejected.

Route Exposure

Signal: Preview, helper, asset, public, test, admin, debug, import, export, or internal routes are reachable.
Check: Treat route names as unreliable and confirm exposure by framework routing rules.
Proof: Public routes are intentionally public, protected routes deny anonymous access.

Side Effect Reachability

Signal: A read-looking path sends email, enqueues jobs, charges money, creates records, or calls AI providers.
Check: Classify by side effect, not HTTP verb or file name.
Proof: Unauthenticated and low-privilege users cannot trigger costly or mutating work.

Fail-open Behavior

Signal: Redis, cache, provider, queue, feature flag, or rate-limit failure allows privileged actions.
Check: Decide which failures must deny, degrade, or retry, then enforce that branch explicitly.
Proof: Dependency failure tests confirm protected actions fail closed where required.

Visibility Rules

Signal: Draft, private, archived, deleted, embargoed, paid, or scoped content shares generic read paths.
Check: Verify visibility predicates are attached to every list, detail, export, search, and preview query.
Proof: Private and draft objects do not leak through alternate query paths.

Secrets and Unsafe Examples

Signal: Real keys appear in local config, examples, docs, tests, deployment files, or generated output.
Check: Separate placeholders from live values and remove tracked secrets before commit.
Proof: Secret scans and manual review show only safe placeholders remain.

CORS and CSRF

Signal: Broad origins, credentialed CORS, cookie auth, form posts, server actions, or mutating browser endpoints.
Check: Verify origin policy, same-site behavior, CSRF tokens, and method constraints match the auth model.
Proof: Cross-site mutation attempts fail while intended clients still work.

Rate Limits and Abuse Cost

Signal: Public forms, login, password reset, quote builders, file conversion, AI calls, PDF rendering, and email sends.
Check: Rate-limit by actor, IP, route, tenant, and cost unit where needed.
Proof: Burst tests hit limits and provider spend cannot be amplified anonymously.

Malformed Input

Signal: JSON, multipart, CSV, PDF, XML, markdown, URLs, emails, phone numbers, dates, and nested objects enter business logic.
Check: Validate shape, size, type, encoding, ranges, nesting depth, and canonical form before use.
Proof: Invalid payload tests fail predictably without crashes or partial writes.

Logging and Error Leakage

Signal: Stack traces, provider errors, tokens, user PII, SQL, file keys, or prompts are logged or returned.
Check: Separate developer diagnostics from user-visible errors and redact sensitive fields.
Proof: Error-path tests confirm safe responses and safe logs.

Upload and Storage Boundaries

Signal: User-controlled filenames, object keys, MIME types, previews, transformations, and delete paths.
Check: Verify type checks, size limits, random object keys, tenant prefixes, malware controls, and private bucket defaults.
Proof: Tests reject dangerous files and block cross-tenant storage access.

Signed URL Scope

Signal: Signed reads, writes, previews, downloads, and deletes use predictable keys or weak ownership checks.
Check: Bind signed URL generation to actor, object, tenant, operation, expiration, and visibility.
Proof: A valid URL cannot be reused for another object, tenant, or operation.

AI, PDF, and Document Processing

Signal: Prompt input, document upload, OCR, PDF rendering, templates, code execution, or external processors.
Check: Bound file size, execution, network access, prompt injection impact, output trust, and provider cost.
Proof: Malicious documents and prompts cannot exfiltrate secrets or trigger uncontrolled work.

Payments and Finance

Signal: Price, discount, currency, tax, refund, subscription, quota, balance, invoice, or webhook state.
Check: Trust provider events and server-side price tables, not browser payloads.
Proof: Client-side price tampering and replayed finance actions are rejected.

Webhook Authenticity

Signal: Third-party events update accounts, payments, usage, emails, CRM records, or order state.
Check: Verify signatures, timestamps, replay protection, idempotency, event ownership, and state transition rules.
Proof: Unsigned, stale, replayed, and cross-account webhook events fail.

Naming Bias

Signal: Names like public, helper, preview, demo, asset, safe, internal, lead, quote, temporary, or test reduce suspicion.
Check: Ignore friendly names and review actual reachability, authority, object scope, and side effects.
Proof: Findings are based on source-confirmed behavior, not on labels or filename intuition.