Rule Reference
Caspian-Explorer edited this page Mar 11, 2026 · 2 revisions
Caspian Security includes 164 security rules across 14 categories: 93 code-detectable rules, which fire when a pattern matches in source, and 71 informational rules, which fire as reminders rather than on a specific code match. In the tables below, the Type column records which kind a rule is (Code or Info) and Severity is Error, Warning or Info. Rules prefixed `KT-` target Kotlin/Android code. Note that the per-category tables on this page itemise 143 rules; the totals in the summary table at the end (164) include rules not listed here, so treat these tables as a guide to the rule families rather than an exhaustive list.
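To make the Code/Info distinction concrete, here is an added example (written for this page, not Caspian Security's own implementation) of how a few of the Code-type rules from the tables below could be expressed as single-line pattern matches: each rule is a regular expression applied to one source line, and a finding records the rule code, severity and line number. The regexes, the rule-to-pattern mapping and the sample source are constructed for illustration and are deliberately loose, so expect more false positives and negatives than from a real scanner.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    code: str
    message: str
    severity: str
    pattern: re.Pattern


@dataclass(frozen=True)
class Finding:
    code: str
    line: int
    severity: str
    message: str


# Illustrative regexes modelled on four Code-type rules from the tables.
# They are assumptions for this example, not Caspian Security's real patterns.
RULES = [
    Rule("AUTH003", "Passwords compared with equality instead of constant-time",
         "Error", re.compile(r"\b\w*password\w*\s*[!=]=")),
    Rule("DB001", "Potential SQL injection via string concatenation", "Error",
         # alt 1: a quoted SQL literal closed and followed by '+'
         # alt 2: an f-string whose body starts a SQL statement and interpolates
         re.compile(r'''(?i)\b(?:select|insert|update|delete)\b[^"']*["']+\s*\+'''
                    r'''|f["'][^"']*?\b(?:select|insert|update|delete)\b.*?\{''')),
    Rule("CORS001", "CORS allows all origins (wildcard)", "Error",
         re.compile(r"Access-Control-Allow-Origin\W+\*")),
    Rule("ENC004", "TLS/SSL certificate verification disabled", "Error",
         re.compile(r"\bverify\s*=\s*False\b")),
]


def scan(source: str) -> list:
    """Run every rule over every non-comment line; at most one finding per rule per line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append(Finding(rule.code, lineno, rule.severity, rule.message))
    return findings


# Constructed sample source for the scan; the trailing comments say which rule
# each line is meant to trigger.
SAMPLE = """\
import requests
def login(user, password):
    if password == user.stored_password:                          # AUTH003
        return True
    return False
cursor.execute("SELECT * FROM users WHERE name = '" + name + "'") # DB001
cursor.execute(f"SELECT id FROM users WHERE name = '{name}'")     # DB001
resp.headers["Access-Control-Allow-Origin"] = "*"                 # CORS001
requests.get(url, verify=False)                                   # ENC004
cursor.execute("SELECT id FROM users WHERE name = ?", (name,))    # clean
"""


def report(source: str = SAMPLE) -> list:
    """Return (code, line, severity) tuples in scan order."""
    return [(f.code, f.line, f.severity) for f in scan(source)]


if __name__ == "__main__":
    for code, line, severity in report():
        print(f"{code} line {line} [{severity}]")
```

The parameterised query on the last sample line produces no finding, which is the point of a Code-type rule: it fires on a concrete pattern rather than on the mere presence of SQL. An Info-type rule such as AUTH006 has no such anchor and would instead fire whenever, say, a route handler is recognised.
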
## Authentication & Access Control

| Code | Rule | Severity | Type |
|---|---|---|---|
| AUTH001 | Hardcoded JWT secret detected | Error | Code |
| AUTH002 | Session configured without secure flags | Warning | Code |
| AUTH003 | Passwords compared with equality instead of constant-time | Error | Code |
| AUTH004 | Authentication bypass: permissive access control | Warning | Code |
| AUTH005 | Weak password policy: minimum length too short | Warning | Code |
| AUTH006 | Apply rate limiting to authentication endpoints | Info | Info |
| AUTH007 | Token stored in localStorage is vulnerable to XSS | Warning | Code |
| KT-AUTH001 | WebView has JavaScript enabled | Warning | Code |
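AUTH003 flags the comparison itself, so the fix is in how the check is written rather than in what is checked. The following added example (written for this page, not Caspian Security's code) puts the `==` comparison the rule matches next to a constant-time comparison, and shows a PBKDF2 verifier that compares derived keys with `hmac.compare_digest`. The hash string format, the salt length and the iteration count are assumptions for the example; tune the iteration count to your hardware.

```python
import hashlib
import hmac
import os


def verify_weak(stored: bytes, supplied: bytes) -> bool:
    """The pattern AUTH003 flags. `==` on bytes/str returns at the first
    mismatching byte, so response time depends on how many leading bytes of
    the guess are correct, which a remote attacker can measure and exploit."""
    return stored == supplied


def verify_constant_time(stored: bytes, supplied: bytes) -> bool:
    """hmac.compare_digest takes time independent of *where* the inputs differ.
    It still depends on length, so compare fixed-length digests, not raw passwords."""
    return hmac.compare_digest(stored, supplied)


# Iteration count is an assumption for this example; raise it as hardware allows.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing hash string: algo$iterations$salt_hex$dk_hex.
    A fresh 16-byte random salt is generated unless one is supplied (tests only)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def check_password(stored: str, password: str) -> bool:
    """Re-derive the key with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Never `dk == bytes.fromhex(dk_hex)` here: that is exactly what AUTH003 flags.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print(check_password(record, "correct horse battery"), check_password(record, "wrong"))
```

Storing the parameters inside the hash string lets you raise the iteration count later and re-hash on next login without a schema change.
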

## Input Validation & XSS

| Code | Rule | Severity | Type |
|---|---|---|---|
| XSS001 | Use of innerHTML can lead to XSS | Error | Code |
| XSS002 | Dangerous use of document.write() | Error | Code |
| XSS003 | Unsanitized user input in HTML string concatenation | Warning | Code |
| XSS004 | Use of dangerouslySetInnerHTML in React | Warning | Code |
| XSS005 | Unescaped output in template engine | Warning | Code |
| XSS006 | Request parameters used without validation | Warning | Info |
| XSS007 | Angular security bypass function used | Warning | Code |
| XSS008 | Implement Content Security Policy headers | Info | Info |
| XSS009 | User input used without length validation | Warning | Info |
| XSS010 | User input in inline script context without encoding | Error | Code |
| XSS011 | User input in URL without encoding | Warning | Code |
| XSS012 | Request handler without Content-Type validation | Warning | Info |

## CSRF Protection

| Code | Rule | Severity | Type |
|---|---|---|---|
| CSRF001 | Form without CSRF token | Warning | Info |
| CSRF002 | CSRF protection explicitly disabled | Error | Code |
| CSRF003 | Cookie SameSite set to None | Warning | Code |
| CSRF004 | State-changing operation using GET method | Warning | Code |
| CSRF005 | Verify CSRF tokens on all state-changing endpoints | Info | Info |
| CSRF006 | CSRF token may not be cryptographically random | Warning | Code |
| CSRF007 | Ensure CSRF tokens expire and rotate per session | Info | Info |
| CSRF008 | Consider double-submit cookie pattern for CSRF | Info | Info |

## CORS Configuration

| Code | Rule | Severity | Type |
|---|---|---|---|
| CORS001 | CORS allows all origins (wildcard) | Error | Code |
| CORS002 | CORS credentials with permissive origin | Warning | Info |
| CORS003 | CORS origin reflected from request without validation | Error | Code |
| CORS004 | Overly permissive CORS methods | Warning | Code |
| CORS005 | Review CORS headers for least privilege | Info | Info |
| CORS006 | CORS preflight cache set too long | Warning | Code |
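CORS001, CORS003 and CORS002 are three faces of the same mistake: letting the response's `Access-Control-Allow-Origin` be something other than an exact entry from an allowlist, especially when credentials are allowed. The added example below (written for this page, not Caspian Security's code) shows the reflected-origin handler CORS003 flags, a suffix check that looks like validation but is not, and an allowlist version that also sets the headers CORS004 and CORS006 care about. The allowlist contents are assumptions.

```python
from urllib.parse import urlsplit

# Assumed allowlist for the example; a real deployment loads this from config.
ALLOWED_ORIGINS = frozenset({
    "https://app.example.com",
    "https://admin.example.com",
})


def cors_headers_reflected(origin):
    """CORS003: echo whatever Origin the client sent, with credentials.
    Any site can now make credentialed requests and read the responses."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix(origin, suffix="example.com"):
    """Looks like validation but is bypassable: endswith() accepts
    https://evil-example.com, and the mirror-image startswith() check
    would accept https://app.example.com.attacker.net."""
    if origin is None or not origin.endswith(suffix):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Allowlist check: the whole origin (scheme://host[:port]) must match an
    entry exactly, so 'null' and http:// origins are rejected without special
    cases. Vary: Origin stops a shared cache serving one origin's response to
    another; a short Max-Age keeps policy changes effective quickly (CORS006);
    methods are limited to what the endpoint needs (CORS004)."""
    if origin is None or origin not in allowed:
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or parts.path or parts.query or parts.fragment:
        return {}  # defence in depth: allowlist entries must be bare origins
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Max-Age": "600",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for o in ("https://app.example.com", "https://evil-example.com", "null"):
        print(o, cors_headers_suffix(o), cors_headers(o))
```

If you genuinely need a public, credential-free endpoint, a literal `*` without `Allow-Credentials` is acceptable; the dangerous combination is any broad origin policy together with `Access-Control-Allow-Credentials: true`.
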

## Encryption & Data Protection

| Code | Rule | Severity | Type |
|---|---|---|---|
| ENC001 | Weak or deprecated cryptographic algorithm | Error | Code |
| ENC002 | Hardcoded encryption key or IV | Error | Code |
| ENC003 | HTTP used instead of HTTPS for external URL | Warning | Code |
| ENC004 | TLS/SSL certificate verification disabled | Error | Code |
| ENC005 | Weak random number generation for security purpose | Warning | Code |
| ENC006 | ECB mode detected (insecure block cipher mode) | Error | Code |
| ENC007 | Sensitive data logged or printed | Warning | Code |
| ENC008 | Ensure PII and sensitive fields are encrypted at rest | Info | Info |
| ENC009 | Missing or misconfigured HSTS header | Warning | Info |
| ENC010 | PII field logged without masking | Warning | Code |
| ENC011 | Ensure database backups are encrypted | Info | Info |
| ENC012 | GDPR compliance reminder | Info | Info |
| ENC012 | Ensure GDPR data export and deletion capabilities | Info | Info |

## API Security

| Code | Rule | Severity | Type |
|---|---|---|---|
| API001 | Ensure authentication middleware on API endpoints | Warning | Info |
| API002 | GraphQL introspection may be enabled in production | Warning | Code |
| API003 | Apply rate limiting to API routes | Info | Info |
| API004 | Verbose error details exposed to client | Warning | Code |
| API005 | Missing request body size limit | Warning | Code |
| API006 | Debug or development mode enabled | Warning | Code |
| API007 | Error stack trace exposed | Warning | Code |
| API008 | Validate API keys/tokens before processing | Info | Info |
| API009 | Ensure API keys have expiration and rotation | Info | Info |
| API010 | Possible IDOR: resource accessed without authz check | Warning | Info |
| API011 | Overly permissive or wildcard permissions | Warning | Code |
| API012 | Configure burst limits and rate limit headers | Info | Info |
| API013 | Differentiate rate limits for authed vs anonymous | Info | Info |
| API014 | Ensure DDoS protection is in place | Info | Info |
| API015 | Response may leak server technology via headers | Warning | Info |

## Database Security

| Code | Rule | Severity | Type |
|---|---|---|---|
| DB001 | Potential SQL injection via string concatenation | Error | Code |
| DB002 | NoSQL injection: unsanitized input in query object | Error | Code |
| DB003 | Database connection string with embedded credentials | Error | Code |
| DB004 | ORM raw query with potential injection | Warning | Code |
| DB005 | Command injection in system/exec call | Error | Code |
| DB006 | SELECT * may over-fetch sensitive columns | Info | Info |
| DB007 | Review destructive SQL operations carefully | Info | Info |
| DB008 | Ensure database user has least-privilege access | Info | Info |
| DB009 | Test database backups regularly | Info | Info |
| DB010 | Enable database access logging and auditing | Info | Info |
| DB011 | Possible default or common database credentials | Error | Code |
| DB012 | Restrict database network access to app servers | Info | Info |
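DB001 and DB002 both come down to user input reaching the query as structure rather than as a value. The added example below (written for this page, not Caspian Security's code) runs the concatenated query DB001 matches and its parameterised replacement against a constructed in-memory SQLite database, so the injection can be seen returning every row, and adds the type check that closes the DB002 hole for document-database query objects. Table contents and the attacker string are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def find_user_concat(conn, name: str):
    """DB001: the statement text is built from user input, so a quote in the
    input closes the literal and the remainder is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name: str):
    """Parameterised form: the driver passes the value separately from the
    statement, so it can only ever be compared as a string."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def nosql_filter(name):
    """DB002 check for document databases: an operator object such as
    {"$ne": None} arriving where a string was expected turns an equality
    match into an always-true one. Refuse anything that is not a str."""
    if not isinstance(name, str):
        raise TypeError("name must be a string, not " + type(name).__name__)
    return {"name": name}


# Constructed attacker input: closes the quoted literal and appends a tautology.
ATTACK = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("concat :", find_user_concat(db, ATTACK))   # every row comes back
    print("param  :", find_user_param(db, ATTACK))    # no such user
```

The same structure-versus-value distinction applies to DB004: an ORM's raw-query escape hatch is only safe when the value is passed as a bound parameter, not interpolated into the query string first.
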

## File Handling

| Code | Rule | Severity | Type |
|---|---|---|---|
| FILE001 | Path traversal: user input in file path | Error | Code |
| FILE002 | Validate file uploads for type, size, and content | Warning | Info |
| FILE003 | Temporary file with insecure permissions | Warning | Code |
| FILE004 | Symlink following may lead to path traversal | Warning | Code |
| FILE005 | World-writable file permissions | Warning | Code |
| FILE006 | File path constructed from user input | Error | Code |
| FILE007 | Store uploaded files outside the web root | Info | Info |
| FILE008 | File upload without virus/malware scanning | Warning | Info |
| FILE009 | Cloud storage bucket may be publicly accessible | Error | Code |
| FILE010 | Serve files through signed/pre-signed URLs | Info | Info |
| FILE011 | Restrict storage access to authenticated users | Info | Info |
| FILE012 | Executable file extension allowed in upload | Error | Code |
| FILE013 | Enable access logs for file storage | Info | Info |
| FILE014 | File type validated by extension only, not magic bytes | Warning | Code |
| KT-FILE001 | File created with world-readable or world-writable mode | Error | Code |
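FILE001, FILE004 and FILE006 describe one failure mode: a path derived from user input is used before it is resolved and checked against the directory it is supposed to stay in. The added example below (written for this page, not Caspian Security's code) implements a containment check that resolves `..` segments and symlinks with `os.path.realpath` and compares with `os.path.commonpath`, which, unlike a `startswith` test, does not treat `/srv/files2` as being inside `/srv/files`. The `demo()` fixture builds a throwaway directory tree to exercise each case; the directory names and inputs are constructed.

```python
import os
import shutil
import tempfile


class PathTraversal(ValueError):
    """Raised when a user-supplied path would escape the base directory."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir, rejecting anything that escapes it.

    Resolution goes through os.path.realpath, so '..' segments and symlinks
    (FILE004) are resolved before containment is checked (FILE001/FILE006).
    """
    if "\x00" in user_path:
        raise PathTraversal("null byte in path")
    if os.path.isabs(user_path):
        raise PathTraversal("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath is component-wise, so /srv/files does not "contain" /srv/files2
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversal(f"{user_path!r} resolves outside {base_dir!r}")
    return candidate


def demo() -> dict:
    """Constructed fixture: a base dir with a file, a sibling dir whose name
    extends the base name, and (where the platform allows) a symlink inside
    the base pointing outside it. Returns 'allowed'/'blocked' per case."""
    root = tempfile.mkdtemp(prefix="safe_join_demo_")
    base = os.path.join(root, "files")
    sibling = base + "2"   # .../files2: a startswith() check would accept this
    os.makedirs(os.path.join(base, "uploads"))
    os.makedirs(sibling)
    with open(os.path.join(base, "uploads", "report.txt"), "w") as f:
        f.write("ok")
    cases = {
        "plain": "uploads/report.txt",
        "dotdot": "uploads/../../etc/passwd",
        "absolute": "/etc/passwd",
        "sibling": "../files2/anything",
        "nul": "uploads/report.txt\x00.jpg",
    }
    try:
        os.symlink(os.path.join(root, "outside.txt"), os.path.join(base, "uploads", "link"))
        cases["symlink"] = "uploads/link"
    except (OSError, NotImplementedError):
        pass  # symlink creation not permitted on this platform
    results = {}
    try:
        for label, rel in cases.items():
            try:
                safe_join(base, rel)
                results[label] = "allowed"
            except PathTraversal:
                results[label] = "blocked"
        results.setdefault("symlink", "skipped")
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} {outcome}")
```

Do the check on the decoded path the application will actually open; if a framework URL-decodes after your check, or you pass the raw string to a different layer, the resolution here does not cover it.
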

## Secrets & Credentials

| Code | Rule | Severity | Type |
|---|---|---|---|
| CRED001 | Hardcoded password or secret assignment | Error | Code |
| CRED002 | AWS access key pattern detected | Error | Code |
| CRED003 | Private key content detected in source code | Error | Code |
| CRED004 | GitHub/GitLab personal access token pattern | Error | Code |
| CRED005 | Generic high-entropy secret in string literal | Warning | Code |
| CRED006 | Environment variable with sensitive default fallback | Warning | Code |
| CRED007 | Sensitive file reference -- ensure it is in .gitignore | Warning | Info |
| CRED008 | Rotate secrets regularly and audit access | Info | Info |
| CRED009 | Scan git history for leaked secrets | Info | Info |
| KT-CRED001 | Hardcoded API key or password in Kotlin source | Error | Code |

## Frontend Security

| Code | Rule | Severity | Type |
|---|---|---|---|
| FE001 | Unsafe eval() allows arbitrary code execution | Error | Code |
| FE002 | postMessage without origin validation | Warning | Code |
| FE003 | Links opened without rel="noopener noreferrer" | Warning | Info |
| FE004 | Insecure iframe without sandbox attribute | Warning | Code |
| FE005 | Script loaded from CDN without integrity check | Warning | Code |
| FE006 | Sensitive data stored via document.cookie | Warning | Code |
| FE007 | Prototype pollution: unsafe proto or constructor | Warning | Code |
| FE008 | Add Subresource Integrity for CDN resources | Info | Info |
| FE009 | Client-side validation is for UX only; server-side required | Info | Info |
| FE010 | window.open() with user-controlled URL | Warning | Code |

## Business Logic & Payment

| Code | Rule | Severity | Type |
|---|---|---|---|
| BIZ001 | Premium feature check may be client-side only | Error | Info |
| BIZ002 | Verify payment success server-side before unlocking | Warning | Info |
| BIZ003 | Refund logic may allow duplicate refunds | Warning | Info |
| BIZ004 | Trial period logic may be exploitable | Warning | Info |
| BIZ005 | Revoke access on subscription cancellation | Info | Info |
| BIZ006 | Keep subscription state synced with payment processor | Info | Info |
| BIZ007 | Quota or usage limit may be client-side only | Warning | Info |
| BIZ008 | Usage tracking may rely on client-reported data | Warning | Code |
| BIZ009 | Ensure quota resets occur server-side | Info | Info |

## Logging & Monitoring

| Code | Rule | Severity | Type |
|---|---|---|---|
| LOG001 | Log all authentication attempts | Info | Info |
| LOG002 | Log all authorization failures | Info | Info |
| LOG003 | Log all admin and privileged operations | Info | Info |
| LOG004 | Log role/permission and payment/key changes | Info | Info |
| LOG005 | Password may be present in log output | Error | Code |
| LOG006 | API key or secret may be present in log output | Error | Code |
| LOG007 | Store logs securely with encryption | Info | Info |
| LOG008 | Restrict log access to admin/security personnel | Info | Info |
| LOG009 | Log data export and API key change operations | Info | Info |
| KT-LOG001 | Android log statement may expose sensitive data | Info | Code |

## Dependencies & Supply Chain

| Code | Rule | Severity | Type |
|---|---|---|---|
| DEP001 | Dependency version is not pinned to an exact version | Warning | Code |
| DEP002 | Keep dependencies updated regularly | Info | Info |
| DEP003 | Apply security patches within 48 hours | Info | Info |
| DEP004 | Run npm audit / pip-audit weekly | Info | Info |
| DEP005 | Identify and remediate known vulnerable dependencies | Info | Info |
| DEP006 | Monitor transitive dependencies for vulnerabilities | Info | Info |

## Infrastructure & Deployment

| Code | Rule | Severity | Type |
|---|---|---|---|
| INFRA001 | Use separate databases, keys, and configs for dev and production | Info | Info |
| INFRA002 | Debug mode may be enabled in production configuration | Warning | Code |
| INFRA003 | Verbose or debug logging level may be active in production | Warning | Code |
| INFRA004 | Stack traces may be exposed in production configuration | Warning | Code |
| INFRA005 | Secret may be embedded in Docker image via ENV, ARG, or COPY | Error | Code |
| INFRA006 | Ensure secrets are not printed in build or CI logs | Warning | Info |
| INFRA007 | Source maps may be deployed to production | Warning | Code |
| INFRA008 | Test, seed, or mock data may be present in production code | Warning | Code |
| HDR001 | Missing X-Frame-Options header (clickjacking risk) | Warning | Info |

## Summary by category

| Category | Rules | Code rules | Info rules |
|---|---|---|---|
| Authentication & Access Control | 10 | 9 | 1 |
| Input Validation & XSS | 20 | 15 | 5 |
| CSRF Protection | 9 | 4 | 5 |
| CORS Configuration | 6 | 4 | 2 |
| Encryption & Data Protection | 18 | 12 | 6 |
| API Security | 16 | 5 | 11 |
| Database Security | 14 | 7 | 7 |
| File Handling | 16 | 9 | 7 |
| Secrets & Credentials | 10 | 7 | 3 |
| Frontend Security | 13 | 9 | 4 |
| Business Logic & Payment | 9 | 1 | 8 |
| Logging & Monitoring | 11 | 4 | 7 |
| Dependencies & Supply Chain | 6 | 1 | 5 |
| Infrastructure & Deployment | 13 | 6 | 7 |
| Total | 164 | 93 | 71 |