React Security Standard
Resilient by default. Threat-modeled in motion. Designed to endure.
Built for teams who think in trust boundaries, code in layers, and ship with foresight. This checklist helps you enforce practical security across auth, inputs, secrets, infrastructure, and emerging threats directly in the PR review flow.
"No random action, none not tending to an end."
— Marcus Aurelius
"We are more often frightened than hurt; and we suffer more in imagination than in reality."
— Seneca
Why This Exists
Security isn't a checklist; it's a way of seeing.
Engineers build too many "secure" systems on unchecked assumptions, unvalidated inputs, stale tokens, and secrets left in plain sight.
Teams ship fast, review shallow, and trust too much. The threats don't wait.
This isn't a cage. It's a compass. Not here to slow you down, but to sharpen how you think.
To shift reviews from box-checking to boundary-checking. From surface approval to structural thinking. To build resilience in from the start, not scramble for it after the breach.
I built this checklist for teams who operate within trust boundaries, code with discipline, and ship knowing the future depends on it, because it does.
This isn't just how we secure. It's how we think. It's how we make our code speak when we're not in the room to defend it.
These aren't just sections. They're how we think, how we build, and what our code says when we're not around to explain it.
Authentication & Authorization
- [ ] Use centralized auth. OAuth2 or OIDC. They solve problems you don't want to rediscover. Custom login is an unnecessary risk. Don't build what you can borrow securely.
- [ ] Auth lives on the server. Every check, every time. Put it on the client, and you've already lost.
- [ ] Least privilege, always. Define roles and scopes like you mean it. No soft edges. No guessing.
- [ ] Rotate the session at login. Step up authentication for anything sensitive, like account changes, role shifts, or destructive actions. No shortcuts.
- [ ] If you're building for enterprise, use SCIM for provisioning and deprovisioning. Keep scopes tight. Granularity matters.
- [ ] Use WebAuthn or FIDO2 for phishing-resistant MFA. TOTP or SMS only if you have no other choice.
- [ ] Match token lifespans to your execution model. Keep them short and scoped for edge or serverless. Go long only when you have to.
Input Handling & Output Encoding
- [ ] Never trust input. Validate everything on the server with strict schemas such as Zod, Yup, or Joi. Be precise. Be strict. No assumptions.
- [ ] Drop extra fields. It's the simplest way to stop over-posting and parameter pollution before they turn into exploits.
- [ ] Encode for context. HTML, JavaScript, CSS, and URLs each have their own rules. Get it wrong and you invite XSS.
- [ ] If you're using GraphQL, set strict depth and complexity limits. Use query allowlists. Disable introspection in production.
- [ ] Guard against:
  - [ ] Template injection
  - [ ] Object injection
  - [ ] Prototype pollution
  - [ ] Reflected and stored XSS
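The strict-schema, drop-extra-fields, prototype-pollution and encode-for-context items above, as an added example that is not part of the original checklist and uses no library: an allowlist validator that drops unknown fields and refuses prototype-pollution keys, beside an HTML-context encoder. The profile schema and its field names are assumptions.

```javascript
// Added example (not from the original checklist): allowlist validation that
// drops unknown fields, refuses prototype-pollution keys, and encodes output
// for the HTML context. The profile schema and field names are hypothetical.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only these keys are accepted; anything else (e.g. isAdmin) is dropped.
const profileSchema = {
  displayName: { type: 'string', check: (v) => v.length >= 1 && v.length <= 40 },
  age:         { type: 'number', check: (v) => Number.isInteger(v) && v >= 0 && v < 150 },
};

// Validate a parsed JSON body against `schema`.
// Returns { ok: true, value } holding only schema keys, or { ok: false, errors }.
function validateStrict(schema, input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(input)) {
    // JSON.parse turns "__proto__" into an own key; never let it reach a merge.
    if (FORBIDDEN_KEYS.has(key)) errors.push(`forbidden key: ${key}`);
  }
  const value = {};
  for (const [key, rule] of Object.entries(schema)) {
    if (!Object.hasOwn(input, key)) { errors.push(`missing: ${key}`); continue; }
    const v = input[key];
    if (typeof v !== rule.type || !rule.check(v)) { errors.push(`invalid: ${key}`); continue; }
    value[key] = v;
  }
  return errors.length ? { ok: false, errors } : { ok: true, value };
}

// Encode untrusted text for the HTML body or a quoted attribute. JavaScript,
// CSS and URL contexts each need their own encoder; do not reuse this one there.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return String(s).replace(/[&<>"'`]/g, (c) => map[c]);
}
```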
State, Secrets & Storage
- [ ] Keep secrets out of your source. Catch them early with pre-commit hooks and tools like GitLeaks or TruffleHog.
- [ ] Don't store auth tokens in localStorage or sessionStorage. Use cookies with HttpOnly, Secure, and SameSite. They're scoped right and built for the job.
- [ ] Store secrets in a vault. AWS Secrets Manager, Vault, whatever fits. Set expirations, rotate regularly, and keep audit logs.
- [ ] Don't push PII or sensitive metadata to the client unless you have to. The less you expose, the less you risk.
- [ ] At the edge or in serverless, keep it tight:
  - [ ] Use short-lived creds
  - [ ] Scope secrets per function
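The cookie item above, as an added example that is not part of the original checklist: issue a session cookie carrying the attributes the checklist requires, and audit any Set-Cookie header for the ones it lacks. The cookie name and the 15-minute lifetime are assumptions.

```javascript
// Added example (not from the original checklist): build a session cookie with
// HttpOnly, Secure and SameSite, and audit Set-Cookie headers for missing flags.
// The cookie name and 15-minute lifetime are hypothetical values.

const REQUIRED_ATTRS = ['HttpOnly', 'Secure', 'SameSite'];

// Build the Set-Cookie value for a session ID. The __Host- prefix makes the
// browser reject the cookie unless it is Secure, Path=/ and has no Domain.
function sessionCookie(name, value, maxAgeSeconds = 15 * 60) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[\s;,"\\]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  return `__Host-${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Parse a Set-Cookie header into { name, value, attrs }; attribute names are lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const item of rest) {
    if (!item) continue;
    const [k, v = true] = item.split('=');   // flag attributes have no value
    attrs[k.trim().toLowerCase()] = v;
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Returns the problems found with a Set-Cookie header; an empty array means pass.
function auditSetCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = REQUIRED_ATTRS
    .filter((a) => !(a.toLowerCase() in attrs))
    .map((a) => `missing ${a}`);
  // SameSite is present but gives no CSRF protection when set to None.
  if (String(attrs.samesite).toLowerCase() === 'none') {
    problems.push('SameSite=None offers no CSRF protection');
  }
  return problems;
}
```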
Secure Dependencies & Build Integrity
- [ ] Lock your dependencies. Review lockfile diffs like you review code, because they are code.
- [ ] Run npm audit or Snyk, and keep dependencies in check with Renovate or Dependabot. Peer review every change, especially those that seem harmless.
- [ ] Keep an SBOM. Use SPDX or CycloneDX. Know what you ship, down to the last dependency.
- [ ] Use hermetic builds to kill nondeterminism. Tools like Bazel or Nix ensure that what builds today will also build tomorrow.
- [ ] Pin your OS and build-layer deps. Verify them with checksums or signatures. Trust, but check.
- [ ] Sign your artifacts with Sigstore or GPG. Verify them before they run. No trust without proof.
- [ ] CI/CD Pipeline:
  - [ ] Use ephemeral, isolated build runners.
  - [ ] Keep deployment creds on a short leash, least privilege only.
  - [ ] Gate deployments with binary authorization.
Component & API Security
- [ ] Define trust boundaries up front. Revalidate every input at the API edge, no matter where it came from.
- [ ] API Gateways should handle:
  - [ ] Centralized auth and token checks
  - [ ] Rate limiting and abuse throttling
  - [ ] Request normalization
  - [ ] WAF-lite pattern blocks where they count
- [ ] Required response headers:
  - [ ] Content-Security-Policy: use nonces or hashes, never unsafe-*
  - [ ] X-Content-Type-Options: nosniff
  - [ ] X-Frame-Options: DENY
  - [ ] Referrer-Policy: strict-origin-when-cross-origin
- [ ] Set up CSP violation reports. It's how you see what your policy's missing before attackers do.
- [ ] In serverless, isolate the tenant context per function. Don't share secrets between functions; keep the blast radius small.
Error Handling, Logging & Incident Response
- [ ] Fail safe, not open. Never default to insecure just to keep things running.
- [ ] UI errors should be clean. No stack traces, no internals, just what the user needs to know.
- [ ] Use structured logging with ECS or OpenTelemetry, whichever fits. Redact PII and secrets. No excuses.
- [ ] Centralize logs in a SIEM. Monitor them for auth anomalies and abuse. Watch what matters.
- [ ] Run full-cycle incident response drills at least once a quarter. Train like it's real because one day it will be.
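The "redact PII and secrets" item above, as an added example that is not part of the original checklist: a redaction pass run over a structured log event before it is serialized, masking secret-bearing keys and PII patterns in free text. The key list and the sample event are constructed assumptions; extend SECRET_KEYS to match your own field names.

```javascript
// Added example (not from the original checklist): strip secrets and PII from a
// structured log event before it leaves the process. The key list is hypothetical.

const SECRET_KEYS = /^(password|passwd|secret|token|access_token|refresh_token|authorization|cookie|set-cookie|api[-_]?key|ssn)$/i;
const BEARER = /\bBearer\s+[A-Za-z0-9._~+/=-]+/g;
const EMAIL = /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g;

// Mask PII patterns inside free text; keep the domain so logs stay debuggable.
function redactString(s) {
  return s
    .replace(BEARER, 'Bearer [REDACTED]')
    .replace(EMAIL, (m) => `${m[0]}***@${m.slice(m.indexOf('@') + 1)}`);
}

// Return a redacted deep copy; the original event is never mutated.
function redact(value, depth = 0) {
  if (depth > 32) return '[TRUNCATED]';                 // guards cyclic/deep structures
  if (typeof value === 'string') return redactString(value);
  if (Array.isArray(value)) return value.map((v) => redact(v, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.test(k) ? '[REDACTED]' : redact(v, depth + 1);
    }
    return out;
  }
  return value;                                         // numbers, booleans, null, undefined
}

// One ECS-style log line, redacted and serialized.
function logLine(level, message, fields = {}) {
  const event = { '@timestamp': new Date().toISOString(), 'log.level': level, message, ...fields };
  return JSON.stringify(redact(event));
}
```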
UI/UX for Security
- [ ] For password flows:
  - [ ] Let users toggle visibility.
  - [ ] Show a strength meter.
  - [ ] Disable autocomplete on new passwords.
- [ ] Confirm sensitive actions with re-auth and a double submit. Make sure it's them, and they meant it.
- [ ] Secure recovery flows:
  - [ ] Expire tokens quickly.
  - [ ] Validate the device.
  - [ ] Use MFA as a fallback, not a crutch.
- [ ] Context display:
  - [ ] Show device, location, and IP for active sessions.
  - [ ] Include recent activity logs to keep users in the loop.
- [ ] Support modern WebAuthn and passkey flows. Make strong auth the easy path.
Meta-Security & Threat Modeling
- [ ] Every PR needs a threat model to address new inputs, new surfaces, or shifts in trust boundaries. No exceptions.
- [ ] Use frameworks like STRIDE, DREAD, or PASTA when they fit. Pick the one that helps you see what could go wrong.
- [ ] Model deliverables must include:
  - [ ] A list of threats with likelihood and impact.
  - [ ] Explicit mappings to mitigations.
  - [ ] Security test cases pulled straight from the model.
  - [ ] A markdown spec or tooling like IriusRisk to track it all.
- [ ] Every story or epic needs security acceptance criteria. If it's part of the feature, it's part of the definition of done.
Privacy by Design
- [ ] Follow data minimization, always. Only collect what you need. Only deliver what the UI needs right now. Nothing extra.
- [ ] Implement user data deletion and establish clear retention expiry policies. If you don't need it, don't keep it.
- [ ] Know the rules where you operate. Build to comply with GDPR, CCPA, and any local privacy laws that apply.
- [ ] Design consent flows to be clear and respectful. No tricks, no dark patterns, just honest choice.
Human Factors & Social Engineering Awareness
- [ ] Train your engineers to spot the real-world stuff:
  - [ ] Phishing and pretexting
  - [ ] Abuse of internal tools
  - [ ] Credential stuffing through SSO gaps
- [ ] Run regular simulations and social engineering red team drills. Test the humans, not just the code.
- [ ] Make secure defaults the norm across tools, repos, and every product workflow. Build it in, don't bolt it on.
Edge & Serverless Security Nuances
- [ ] Secure edge and serverless like it's production, because it is.
- [ ] Use:
  - [ ] Function-specific RBAC
  - [ ] Fine-grained, on-demand secret access
  - [ ] Strong isolation across tenants and regions
- [ ] Watch for runtime anomalies, including cold-start quirks, lateral movement, and anything else that seems weird.
AI/ML Security
- [ ] Always validate AI outputs that touch business logic or the UI.
- [ ] Stay sharp on the risks:
  - [ ] Prompt injection in embedded LLMs
  - [ ] Data poisoning in client-side or federated models
  - [ ] Inference and inversion attacks on private data