Engineering

Security Code Review Prompt

Twelve security checks — injection, auth, secrets, SSRF, privilege escalation — reviewed the way an attacker would read the code.

Overview

Generic reviews miss security issues because security needs its own questions: not "is this clean?" but "is authorization checked per resource, not just per login? do any outbound requests use user-controlled URLs?". This setup runs the security focus — twelve attacker-minded checks covering injection vectors, XSS encoding, hardcoded secrets, logging leaks, weak crypto, insecure deserialization, path traversal, and SSRF — under Strict style: every finding flagged, no praise padding, APPROVED or CHANGES REQUIRED.

Workflow

Run it on the scary paths first
Auth middleware, payment handlers, file uploads — the places where a missed finding costs the most.
Treat CRITICALs as merge blockers
The severity rules already say it: vulnerabilities are CRITICAL, and CRITICAL means fixed before merge.
Re-review after the fix
Same prompt, fixed code — security fixes have a habit of introducing their own findings.

Why This Works

Attacker-framing ("review this the way an attacker would read it") changes what the model looks for
Named vectors (SSRF, path traversal, deserialization) beat "check for security issues"
Strict style suits security: a flattering review of vulnerable code is worse than none

Best for

Pre-release reviews of security-sensitive paths
Teams without a dedicated security reviewer on every PR
Code that touches auth, payments, file handling, or user input

Not for

A substitute for a professional penetration test — this raises the floor, not the ceiling
Fixing the findings — review judges; the fix is a separate, deliberate step

Use cases

Reviewing auth and input-handling code before a release
Catching the injection vector a feature-focused review skims past
Checking AI-suggested code for the security corners it cut

Customize This Resource

Opens this setup in Code Review Prompt Generator. Generate to get the full review contract — then adjust the focus, scope, language, and style.

Open in Code Review Prompt Generator

Prompt Template

REVIEW OBJECTIVE
Review the authentication and input-handling code for security issues before the release.
Primary focus: security — review this the way an attacker would read it.
Review only — report findings; do not rewrite the code.

REVIEW SCOPE
You are reviewing a complete file — judge both the code and the file's structure: imports, ordering, and what this file owns.

REVIEW CRITERIA
- Authentication and authorization on every entry point
- Input validation and sanitization for all external data
- Injection vectors: SQL, command, template, path
- Secrets handling, sensitive data exposure, logging leaks
- Privilege escalation and trust-boundary violations

SEVERITY RULES
- Tag every finding with exactly one severity: [CRITICAL], [MAJOR], [MINOR], or [NIT].
- CRITICAL: must be fixed before merge — bugs, vulnerabilities, data loss.
- MAJOR: should be fixed — real risk or real debt.
- MINOR: worth fixing — small risk or friction.
- NIT: style preference; fixing is optional.
- Severity reflects impact, not effort to fix.

REVIEW CHECKLIST
Work through every item; report only the items that fail:
1. Is authentication enforced on every entry point — no forgotten routes?
2. Is authorization checked per resource (not just "is logged in")?
3. Is all external input validated and sanitized before use?
4. Any SQL/command/template injection vectors (string-built queries or commands)?
5. Is output encoded where it reaches HTML/JS contexts (XSS)?
6. Any hardcoded secrets, keys, or tokens in the code?
7. Is sensitive data (passwords, tokens, PII) kept out of logs?
8. Is cryptography standard-library and current — no homemade or weak algorithms?
9. Any privilege escalation paths — user-controlled IDs reaching admin operations?
10. Any insecure deserialization of external data?
11. Are file operations safe from path traversal?
12. Do any outbound requests use user-controlled URLs (SSRF)?

REQUIRED OUTPUT FORMAT
- One finding per bullet: [SEVERITY] location — what is wrong and why it matters.
- Group findings by severity, CRITICAL first.
- Cite the exact line, function, or symbol for every finding.
- Do not mention checklist items that pass — findings only.
- Flag every finding, regardless of size.
- No praise padding — findings only.

FINAL VERDICT
- End with a verdict: APPROVED or CHANGES REQUIRED — and list the findings that block approval.
- Base the verdict only on the findings listed above.

CODE TO REVIEW
[Paste the file here]

Related Resources

Explore more resources that work well with this one.