Security Checklist for Code Reviews

Cosmin Vladutu
2 min read, Aug 17, 2021


Everyone should be doing code reviews (and most teams are), but how many reviewers are actively thinking about security? To help with that, I've tried to put together a checklist of things to check on a new feature from a security point of view (my own perspective):

Checklist

Input Validations

  1. Is every input from the user validated for length, format and range, with those limits actually enforced?
  2. Are there flaws in the regular expressions used for validation (for example, patterns that are not anchored, or nested quantifiers that allow catastrophic backtracking)?
  3. Is an exact match against an allow-list of expected values used, and where that is not possible, is the content checked so that only expected values are accepted?
  4. Are inputs that carry potentially harmful content (such as JavaScript or SQL fragments) rejected rather than passed through?
  5. Are XML documents validated against their schemas, with external entity resolution disabled in the parser?
  6. Are SQL queries built dynamically from user input? They should use parameterized queries instead of string concatenation.
  7. Is data validated on both the server side and the client side? Client-side checks help usability, but only the server-side check can be trusted, since the client can be bypassed.
  8. Are HTTP headers validated on each request, like any other input?
  9. On file upload, is the content of the file validated (not only the extension)?
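
Below is an added example (not code from the original post) that exercises items 1, 2, 3, 6 and 9 of this list in Python with the standard library only: an anchored, bounded regex, an exact-match allow-list, a range check, a magic-byte check for uploads, and a vulnerable string-concatenated query next to its parameterized replacement. The function names, the `users` table and the sample rows are constructed for illustration.

```python
import os
import re
import sqlite3

# Exact-match allow-list (checklist item 3): only these values are accepted.
ALLOWED_SORT_COLUMNS = {"name", "created_at", "price"}

# Anchored via fullmatch, one fixed character class and a bounded length:
# no nested quantifiers, so no catastrophic backtracking (item 2).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def validate_username(value):
    """Return the username if well-formed, otherwise raise ValueError."""
    if not isinstance(value, str) or USERNAME_RE.fullmatch(value) is None:
        raise ValueError("invalid username")
    return value


def validate_sort_column(value):
    """Allow-list check: anything not in the set is rejected outright."""
    if value not in ALLOWED_SORT_COLUMNS:
        raise ValueError("invalid sort column")
    return value


def validate_quantity(value, low=1, high=100):
    """Format check, then range check, on an integer field that arrives as text (item 1)."""
    if not isinstance(value, str) or re.fullmatch(r"[0-9]{1,3}", value) is None:
        raise ValueError("invalid quantity")
    qty = int(value)
    if not low <= qty <= high:
        raise ValueError("quantity out of range")
    return qty


# Magic numbers from the PNG and JPEG file formats (item 9): the content
# must match what the extension claims, not just the file name.
MAGIC_BYTES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def upload_matches_extension(filename, data):
    """True only when the file's leading bytes match its claimed extension."""
    ext = os.path.splitext(filename.lower())[1]
    magic = MAGIC_BYTES.get(ext)
    return magic is not None and data.startswith(magic)


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 0), ("bob", 1)])
    return conn


def find_user_unsafe(conn, username):
    """Vulnerable (item 6): user input concatenated straight into the SQL."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Hardened: validated input passed as a bound parameter, never concatenated."""
    username = validate_username(username)
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]
```

Feeding `x' OR '1'='1` to `find_user_unsafe` returns every row; the same string never reaches the database in `find_user_safe`, because the allow-listed format rejects the quote and the space before the parameterized query even runs.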

Authentication

  1. Are sessions handled as they should be?
  2. Do the error messages leak information (for example, "Password is wrong" confirms that the username exists)?
  3. Are brute-force attempts and invalid logins logged correctly, without leaking information?
  4. Is a lockout mechanism implemented, together with rate limiting?
  5. Are passwords stored as salted hashes produced by a dedicated, slow password-hashing function (not reversibly encrypted, and not hashed with a plain fast hash)?
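
As an added illustration of items 2 to 5 (not code from the original post), here is a small in-memory user store in Python: passwords are stored as PBKDF2-HMAC-SHA256 digests with a per-user random salt, every failure returns the same message, failed attempts are counted towards a lockout and logged without the password, and an unknown username still costs a hash computation so timing does not reveal whether the account exists. The iteration count, the lockout threshold and the class and method names are assumptions for the example; a real rate limiter (per IP and per account, with a time window) is a separate component this store does not include.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # work factor; assumed value, tune for your hardware
MAX_FAILED_ATTEMPTS = 5       # lockout threshold; assumed policy
GENERIC_ERROR = "Invalid username or password"


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash (PBKDF2-HMAC-SHA256). Returns (salt, digest).

    A fresh 16-byte random salt per user means two users with the same
    password get different digests, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class AuthStore:
    """Toy in-memory user store: username -> salt, digest, failure counter."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self._users = {}
        self._iterations = iterations
        self._events = []  # audit trail: who and what, never the password

    def register(self, username, password):
        salt, digest = hash_password(password, iterations=self._iterations)
        self._users[username] = {"salt": salt, "digest": digest, "failures": 0}

    def login(self, username, password):
        """Returns (ok, message); the message is identical for every failure cause."""
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password, salt=b"\x00" * 16, iterations=self._iterations)
            self._events.append(("login_failed", username))
            return False, GENERIC_ERROR
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            self._events.append(("login_locked", username))
            return False, GENERIC_ERROR
        _, digest = hash_password(password, salt=record["salt"], iterations=self._iterations)
        # Constant-time comparison: no early exit on the first differing byte.
        if not hmac.compare_digest(digest, record["digest"]):
            record["failures"] += 1
            self._events.append(("login_failed", username))
            return False, GENERIC_ERROR
        record["failures"] = 0
        self._events.append(("login_ok", username))
        return True, "ok"

    def events(self):
        return list(self._events)
```

Note that the lockout branch also returns `GENERIC_ERROR`: the log records that the account is locked, but the caller cannot tell a locked account from a wrong password.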

Authorization

  1. Is authorization checked on each request?
  2. Is access to each endpoint/page/resource denied by default?
  3. Are the correct roles set for accessing each resource?
  4. Can authorization or authentication be manipulated through scripts, cookies, SQL or other kinds of tampering?

Session management

  1. If parameters are passed in query strings, are they validated?
  2. Do cookies and sessions expire?
  3. Are cookies protected? Session cookies should carry the Secure, HttpOnly and SameSite attributes, the session identifier should be a random token rather than meaningful data, and any sensitive data stored in a cookie should be encrypted and integrity-protected.
  4. Is session storage secure?
  5. Does the app handle invalid session IDs as it should?
  6. Does logout invalidate the session on the server side?
  7. After a session has been invalidated, is all access to resources denied?
  8. Is the app served over TLS (HTTPS), without passing sensitive information to or from non-TLS pages?
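
The following added Python example (not code from the original post) covers both the Authorization list and the Session management list above: a session store keyed by a 256-bit random ID with an idle timeout, server-side invalidation on logout, identical handling of unknown, expired and revoked IDs, a cookie header with the Secure, HttpOnly and SameSite attributes, and a per-request authorization check that denies any resource not explicitly registered. The resource table, the timeout value and all names are assumptions; the clock is injectable only so expiry can be exercised deterministically.

```python
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # idle timeout; assumed policy

# Deny by default (authorization item 2): a resource missing from this
# table is not reachable by anyone, whatever their role.
RESOURCE_ROLES = {
    "/orders": {"user", "admin"},
    "/admin/users": {"admin"},
}


class SessionStore:
    """In-memory sessions keyed by an unguessable random identifier."""

    def __init__(self, clock=time.monotonic):
        self._sessions = {}
        self._clock = clock  # injectable so tests can advance time

    def create(self, username, roles):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": username, "roles": set(roles), "last_seen": self._clock()}
        return sid

    def get(self, sid):
        """Return the live session, or None for unknown, expired or revoked IDs."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]  # expired: drop it server-side
            return None
        session["last_seen"] = self._clock()
        return session

    def destroy(self, sid):
        """Logout (session item 6): the ID is gone server-side, not just in the browser."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie value: HTTPS-only, not readable by script, not sent cross-site."""
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Strict" % sid


def authorize(store, sid, resource):
    """Run on every request (authorization item 1). Returns (status, reason)."""
    session = store.get(sid) if sid else None
    if session is None:
        return 401, "no valid session"
    allowed = RESOURCE_ROLES.get(resource)
    if allowed is None:
        return 403, "resource not registered"  # deny by default
    if session["roles"].isdisjoint(allowed):
        return 403, "role not permitted"
    return 200, "ok"
```

Because `get` deletes expired entries and `destroy` removes the key, a revoked or timed-out ID is indistinguishable from one that never existed, which is exactly what items 5 to 7 of the session list ask for.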

Exception Handling

  1. Do all methods throw the correct exceptions?
  2. Does the error shown to the user include a stack trace, internal IDs or other sensitive information?
  3. Is the app still secure after an exception is thrown (does it fail closed)?
  4. Are raw exceptions never shown to users?
  5. Is a rollback and tracing mechanism in place for when a crash occurs?
  6. Are all user actions logged?
  7. Are sensitive actions, like changing a password, logged?
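
An added Python example (not code from the original post) for items 2, 3, 6 and 7: an outermost handler that writes the full traceback to the server log under a random reference ID and returns only a generic message plus that ID to the user, a fail-closed permission check that denies when the lookup itself throws, and an audit function that records sensitive actions without recording secrets. The `StringIO` log sink, the `fetch_orders` handler with its internal hostname, and every name here are constructed for the example.

```python
import io
import logging
import traceback
import uuid

# Server-side log only. A StringIO sink keeps the example self-contained;
# a real deployment ships this to the logging pipeline, never to the browser.
LOG_BUFFER = io.StringIO()
log = logging.getLogger("app.errors")
log.setLevel(logging.INFO)
log.addHandler(logging.StreamHandler(LOG_BUFFER))
log.propagate = False


def handle_request(operation, *args):
    """Outermost boundary: full detail to the log, a reference ID to the user (items 2, 4)."""
    try:
        return {"status": 200, "body": operation(*args)}
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s handler=%s error=%r\n%s",
                  ref, operation.__name__, exc, traceback.format_exc())
        # Generic text plus the reference: support can find the trace, an attacker cannot.
        return {"status": 500, "body": "Something went wrong. Reference: %s" % ref}


def is_allowed(lookup, user, resource):
    """Fail closed (item 3): if the permission lookup itself throws, deny."""
    try:
        return bool(lookup(user, resource))
    except Exception as exc:
        log.error("permission lookup failed user=%s resource=%s error=%r", user, resource, exc)
        return False


def audit(action, user, **fields):
    """Log sensitive actions (items 6, 7) with who and what, never with secrets."""
    forbidden = {"password", "new_password", "token"}
    safe = sorted((k, v) for k, v in fields.items() if k not in forbidden)
    line = "audit action=%s user=%s %s" % (
        action, user, " ".join("%s=%s" % kv for kv in safe))
    log.info(line)
    return line


def fetch_orders(customer_id):
    """Constructed failing handler: the message carries an internal hostname."""
    raise ConnectionError("connection refused by db01.internal for user 'app'")
```

The point of the reference ID is that the user-facing text carries nothing an attacker can use (no hostname, no exception type, no stack frames), while the operator can still search the log for `ref=...` and get the whole traceback.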

Also, a good reference is the OWASP Top Ten (https://owasp.org/www-project-top-ten/), and do not forget to check that third-party components have no known vulnerabilities.

Written by Cosmin Vladutu

Software Engineer | Azure & .NET Full Stack Developer | Leader
