
Rule Reference

Caspian-Explorer edited this page Feb 7, 2026 · 2 revisions


Caspian Security includes 133 security rules across 14 categories: 72 code-detectable rules that use pattern matching and 61 informational rules that fire as reminders (counts tallied from the per-category tables below). In the tables, Type is Code for a rule that is detected by matching source patterns and Info for a rule that fires as a reminder with no code match; Severity (Error, Warning, Info) is how a finding is reported, so an Info-type rule can still carry Warning or Error severity (for example XSS006 and BIZ001).
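
The code-detectable rules work by matching source patterns. The following is an added illustration of that mechanism, not Caspian Security's own scanner: a minimal line-oriented matcher that carries seven rule codes and titles from this page, with regexes that are this example's own approximations of what each rule might look for. The sample input is constructed so that each line trips exactly one rule.

```python
import re
from dataclasses import dataclass

# Illustrative rule set: (code, severity, title, pattern). Codes and titles are from
# the reference above; the regexes are this example's own guesses at what such a
# pattern-matching rule might look for, not the project's actual patterns.
RULES = [
    ("AUTH003", "Error", "Passwords compared with equality instead of constant-time",
     re.compile(r"\b(password|passwd|pwd)\w*\s*(===|==|!==|!=)", re.I)),
    ("XSS001", "Error", "Use of innerHTML can lead to XSS",
     re.compile(r"\.innerHTML\s*(\+=|=)")),
    ("CSRF003", "Warning", "Cookie SameSite set to None",
     re.compile(r"sameSite\s*[:=]\s*['\"]?none['\"]?", re.I)),
    ("CORS001", "Error", "CORS allows all origins (wildcard)",
     re.compile(r"Access-Control-Allow-Origin['\"]?\s*[,:]\s*['\"]\*['\"]")),
    ("ENC006", "Error", "ECB mode detected (insecure block cipher mode)",
     re.compile(r"\b(aes|des)[-_]?\d*[-_/]ecb\b|MODE_ECB", re.I)),
    ("DB001", "Error", "Potential SQL injection via string concatenation",
     re.compile(r"\b(select|insert|update|delete)\b[^;\n]*['\"]\s*\+\s*\w", re.I)),
    ("CRED002", "Error", "AWS access key pattern detected",
     re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")),
]


@dataclass(frozen=True)
class Finding:
    code: str
    severity: str
    line: int
    text: str


def scan(source: str) -> list[Finding]:
    """Run every rule over every line; one finding per (rule, line) pair."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        # A rule's pattern inside a comment is not a defect; skip comment-only lines.
        if stripped.startswith(("//", "#", "*")):
            continue
        for code, severity, _title, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(code, severity, lineno, stripped))
    return findings


# Constructed sample, one rule per line (not real project code).
SAMPLE = """\
if (user.password == req.body.password) { login(user); }
el.innerHTML = req.query.name;
res.cookie("sid", sid, { sameSite: "None", secure: true });
res.setHeader("Access-Control-Allow-Origin", "*");
const cipher = crypto.createCipheriv("aes-128-ecb", key, null);
const q = "SELECT * FROM users WHERE name = '" + name + "'";
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
// password == stored   <- inside a comment, must not fire
const same = crypto.timingSafeEqual(a, b);
"""


def codes_hit(source: str = SAMPLE) -> list[str]:
    return [f.code for f in scan(source)]


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.severity:8}{f.code} line {f.line}: {f.text}")
```

Pattern rules of this kind are cheap and language-agnostic, which is also their limit: they see text, not data flow. The last sample line uses a constant-time compare and is correctly silent, but a comparison of a variable that merely holds a password under a different name would be missed, and a variable called `password_hint` would be flagged. Treat the Code rules as a first pass that a reviewer confirms, not as a verdict.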


Authentication & Access Control (7 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| AUTH001 | Hardcoded JWT secret detected | Error | Code |
| AUTH002 | Session configured without secure flags | Warning | Code |
| AUTH003 | Passwords compared with equality instead of constant-time | Error | Code |
| AUTH004 | Authentication bypass: permissive access control | Warning | Code |
| AUTH005 | Weak password policy: minimum length too short | Warning | Code |
| AUTH006 | Apply rate limiting to authentication endpoints | Info | Info |
| AUTH007 | Token stored in localStorage is vulnerable to XSS | Warning | Code |

Input Validation & XSS (11 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| XSS001 | Use of innerHTML can lead to XSS | Error | Code |
| XSS002 | Dangerous use of document.write() | Error | Code |
| XSS003 | Unsanitized user input in HTML string concatenation | Warning | Code |
| XSS004 | Use of dangerouslySetInnerHTML in React | Warning | Code |
| XSS005 | Unescaped output in template engine | Warning | Code |
| XSS006 | Request parameters used without validation | Warning | Info |
| XSS007 | Angular security bypass function used | Warning | Code |
| XSS008 | Implement Content Security Policy headers | Info | Info |
| XSS009 | User input used without length validation | Warning | Info |
| XSS010 | User input in inline script context without encoding | Error | Code |
| XSS011 | User input in URL without encoding | Warning | Code |

CSRF Protection (7 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| CSRF001 | Form without CSRF token | Warning | Info |
| CSRF002 | CSRF protection explicitly disabled | Error | Code |
| CSRF003 | Cookie SameSite set to None | Warning | Code |
| CSRF004 | State-changing operation using GET method | Warning | Code |
| CSRF005 | Verify CSRF tokens on all state-changing endpoints | Info | Info |
| CSRF006 | CSRF token may not be cryptographically random | Warning | Code |
| CSRF007 | Ensure CSRF tokens expire and rotate per session | Info | Info |

CORS Configuration (6 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| CORS001 | CORS allows all origins (wildcard) | Error | Code |
| CORS002 | CORS credentials with permissive origin | Warning | Info |
| CORS003 | CORS origin reflected from request without validation | Error | Code |
| CORS004 | Overly permissive CORS methods | Warning | Code |
| CORS005 | Review CORS headers for least privilege | Info | Info |
| CORS006 | CORS preflight cache set too long | Warning | Code |

Encryption & Data Protection (12 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| ENC001 | Weak or deprecated cryptographic algorithm | Error | Code |
| ENC002 | Hardcoded encryption key or IV | Error | Code |
| ENC003 | HTTP used instead of HTTPS for external URL | Warning | Code |
| ENC004 | TLS/SSL certificate verification disabled | Error | Code |
| ENC005 | Weak random number generation for security purpose | Warning | Code |
| ENC006 | ECB mode detected (insecure block cipher mode) | Error | Code |
| ENC007 | Sensitive data logged or printed | Warning | Code |
| ENC008 | Ensure PII and sensitive fields are encrypted at rest | Info | Info |
| ENC009 | Missing or misconfigured HSTS header | Warning | Info |
| ENC010 | PII field logged without masking | Warning | Code |
| ENC011 | Ensure database backups are encrypted | Info | Info |
| ENC012 | Ensure GDPR data export and deletion capabilities | Info | Info |

API Security (14 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| API001 | Ensure authentication middleware on API endpoints | Warning | Info |
| API002 | GraphQL introspection may be enabled in production | Warning | Code |
| API003 | Apply rate limiting to API routes | Info | Info |
| API004 | Verbose error details exposed to client | Warning | Code |
| API005 | Missing request body size limit | Warning | Code |
| API006 | Debug or development mode enabled | Warning | Code |
| API007 | Error stack trace exposed | Warning | Code |
| API008 | Validate API keys/tokens before processing | Info | Info |
| API009 | Ensure API keys have expiration and rotation | Info | Info |
| API010 | Possible IDOR: resource accessed without authz check | Warning | Info |
| API011 | Overly permissive or wildcard permissions | Warning | Code |
| API012 | Configure burst limits and rate limit headers | Info | Info |
| API013 | Differentiate rate limits for authed vs anonymous | Info | Info |
| API014 | Ensure DDoS protection is in place | Info | Info |

Database Security (12 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| DB001 | Potential SQL injection via string concatenation | Error | Code |
| DB002 | NoSQL injection: unsanitized input in query object | Error | Code |
| DB003 | Database connection string with embedded credentials | Error | Code |
| DB004 | ORM raw query with potential injection | Warning | Code |
| DB005 | Command injection in system/exec call | Error | Code |
| DB006 | SELECT * may over-fetch sensitive columns | Info | Info |
| DB007 | Review destructive SQL operations carefully | Info | Info |
| DB008 | Ensure database user has least-privilege access | Info | Info |
| DB009 | Test database backups regularly | Info | Info |
| DB010 | Enable database access logging and auditing | Info | Info |
| DB011 | Possible default or common database credentials | Error | Code |
| DB012 | Restrict database network access to app servers | Info | Info |
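
DB001 and DB004 both come down to whether a value reaches the SQL parser as statement text or as a bound parameter. The added example below (written for this page, using Python's built-in sqlite3 module and a constructed three-row table, not the project's code) runs the same attacker input through a concatenated query and a parameterised one, and shows the one case parameters cannot cover: a caller-chosen identifier such as an ORDER BY column.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows; stands in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def find_user_flagged(con: sqlite3.Connection, name: str) -> list[tuple]:
    # DB001: the value is spliced into the statement text, so a quote inside `name`
    # closes the literal and whatever follows is parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_user(con: sqlite3.Connection, name: str) -> list[tuple]:
    # The value is bound separately from the statement; it can only ever be data.
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def list_users_sorted(con: sqlite3.Connection, column: str) -> list[tuple]:
    """Identifiers (table names, columns, ORDER BY targets) cannot be bound as
    parameters. Allowlisting is the only safe way to let a caller choose one."""
    allowed = {"id", "name", "role"}
    if column not in allowed:
        raise ValueError(f"unsupported sort column: {column!r}")
    return con.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()


INJECTION = "' OR '1'='1"  # constructed attacker input


if __name__ == "__main__":
    con = make_db()
    print("concatenated:", find_user_flagged(con, INJECTION))  # every row comes back
    print("parameterised:", find_user(con, INJECTION))         # no user has that name
```

The same split applies to DB004: an ORM's raw-query escape hatch is fine when the driver binds the values, and is DB001 in disguise when the statement is assembled with f-strings or `+` first.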

File Handling (14 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| FILE001 | Path traversal: user input in file path | Error | Code |
| FILE002 | Validate file uploads for type, size, and content | Warning | Info |
| FILE003 | Temporary file with insecure permissions | Warning | Code |
| FILE004 | Symlink following may lead to path traversal | Warning | Code |
| FILE005 | World-writable file permissions | Warning | Code |
| FILE006 | File path constructed from user input | Error | Code |
| FILE007 | Store uploaded files outside the web root | Info | Info |
| FILE008 | File upload without virus/malware scanning | Warning | Info |
| FILE009 | Cloud storage bucket may be publicly accessible | Error | Code |
| FILE010 | Serve files through signed/pre-signed URLs | Info | Info |
| FILE011 | Restrict storage access to authenticated users | Info | Info |
| FILE012 | Executable file extension allowed in upload | Error | Code |
| FILE013 | Enable access logs for file storage | Info | Info |
| FILE014 | File type validated by extension only, not magic bytes | Warning | Code |

Secrets & Credentials (9 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| CRED001 | Hardcoded password or secret assignment | Error | Code |
| CRED002 | AWS access key pattern detected | Error | Code |
| CRED003 | Private key content detected in source code | Error | Code |
| CRED004 | GitHub/GitLab personal access token pattern | Error | Code |
| CRED005 | Generic high-entropy secret in string literal | Warning | Code |
| CRED006 | Environment variable with sensitive default fallback | Warning | Code |
| CRED007 | Sensitive file reference -- ensure it is in .gitignore | Warning | Info |
| CRED008 | Rotate secrets regularly and audit access | Info | Info |
| CRED009 | Scan git history for leaked secrets | Info | Info |

Frontend Security (9 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| FE001 | Unsafe eval() allows arbitrary code execution | Error | Code |
| FE002 | postMessage without origin validation | Warning | Code |
| FE003 | Links opened without rel="noopener noreferrer" | Warning | Info |
| FE004 | Insecure iframe without sandbox attribute | Warning | Code |
| FE005 | Script loaded from CDN without integrity check | Warning | Code |
| FE006 | Sensitive data stored via document.cookie | Warning | Code |
| FE007 | Prototype pollution: unsafe proto or constructor | Warning | Code |
| FE008 | Add Subresource Integrity for CDN resources | Info | Info |
| FE009 | Client-side validation is for UX only; server-side required | Info | Info |
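
FE005 and FE008 are the detection and the remedy for one thing, Subresource Integrity, and it is worth seeing both halves of it: how the `integrity` value is produced, and what the browser does with it at load time. The following is an added example written for this page, not project code; the script body and CDN URL are constructed, and `browser_check` is a small reimplementation of the browser's matching rule (strongest listed algorithm wins, any matching digest of that algorithm passes).

```python
import base64
import hashlib
import hmac
import re

# Constructed script body standing in for a file fetched from a CDN.
SCRIPT_BODY = b"window.widget = { version: '1.4.2', init: function () { return 'ok'; } };\n"
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the algorithms SRI accepts


def sri_value(body: bytes, algo: str = "sha384") -> str:
    """integrity attribute value: <algo>-<base64 digest> over the exact bytes."""
    if algo not in STRENGTH:
        raise ValueError("SRI supports sha256, sha384 and sha512 only")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """What FE008 asks for. crossorigin is required on cross-origin resources so the
    browser fetches them under CORS and is allowed to verify the bytes."""
    return (f'<script src="{src}" integrity="{sri_value(body)}" '
            f'crossorigin="anonymous"></script>')


INTEGRITY_ATTR = re.compile(r'\bintegrity="([^"]*)"')


def browser_check(tag: str, fetched_body: bytes) -> bool:
    """Load-time decision for one tag and the bytes the CDN actually returned."""
    m = INTEGRITY_ATTR.search(tag)
    if not m:
        return True  # no integrity attribute: nothing is verified (FE005)
    tokens = [t for t in m.group(1).split() if t.partition("-")[0] in STRENGTH]
    if not tokens:
        return True  # only unknown algorithms listed: the browser ignores them all
    best = max(STRENGTH[t.partition("-")[0]] for t in tokens)
    return any(
        hmac.compare_digest(sri_value(fetched_body, t.partition("-")[0]), t)
        for t in tokens
        if STRENGTH[t.partition("-")[0]] == best
    )


if __name__ == "__main__":
    tag = script_tag("https://cdn.example.com/widget.js", SCRIPT_BODY)
    print(tag)
    print(browser_check(tag, SCRIPT_BODY))               # True
    print(browser_check(tag, SCRIPT_BODY + b"evil();"))  # False: CDN content changed
```

The digest pins the exact bytes reviewed when the tag was written, so SRI only works with versioned, immutable CDN URLs; a `latest` URL would break on every upstream release, which in practice pushes teams back to omitting `integrity` and re-earning the FE005 finding.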

Business Logic & Payment Security (9 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| BIZ001 | Premium feature check may be client-side only | Error | Info |
| BIZ002 | Verify payment success server-side before unlocking | Warning | Info |
| BIZ003 | Refund logic may allow duplicate refunds | Warning | Info |
| BIZ004 | Trial period logic may be exploitable | Warning | Info |
| BIZ005 | Revoke access on subscription cancellation | Info | Info |
| BIZ006 | Keep subscription state synced with payment processor | Info | Info |
| BIZ007 | Quota or usage limit may be client-side only | Warning | Info |
| BIZ008 | Usage tracking may rely on client-reported data | Warning | Code |
| BIZ009 | Ensure quota resets occur server-side | Info | Info |

Logging & Monitoring (9 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| LOG001 | Log all authentication attempts | Info | Info |
| LOG002 | Log all authorization failures | Info | Info |
| LOG003 | Log all admin and privileged operations | Info | Info |
| LOG004 | Log role/permission and payment/key changes | Info | Info |
| LOG005 | Password may be present in log output | Error | Code |
| LOG006 | API key or secret may be present in log output | Error | Code |
| LOG007 | Store logs securely with encryption | Info | Info |
| LOG008 | Restrict log access to admin/security personnel | Info | Info |
| LOG009 | Log data export and API key change operations | Info | Info |
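
LOG005 and LOG006 here, and ENC007 and ENC010 in the Encryption & Data Protection table, all point at the same control: a redaction step that runs before any handler writes a line. One added example serves all four. It is written for this page rather than taken from the project; the redaction patterns, the masking style (keep the e-mail domain and the last four card digits) and the in-memory handler are assumptions.

```python
import logging
import re

# Assumed patterns; tune for your own log formats. Order matters: named secrets first.
REDACTIONS = [
    # key=value and "key": "value" pairs whose key names a secret (LOG005, LOG006)
    (re.compile(r"""(?i)(?<![A-Za-z])(password|passwd|pwd|secret|token|api[_-]?key)"""
                r"""(["']?\s*[=:]\s*["']?)([^\s"',;}&]+)"""),
     r"\1\2[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"), "[REDACTED-AWS-KEY]"),
    # PII is masked rather than dropped so the line stays useful for support (ENC010)
    (re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*@([A-Za-z0-9.-]+\.[A-Za-z]{2,})\b"),
     r"\1***@\2"),
    (re.compile(r"\b(?:\d[ -]?){12}(\d{4})\b"), r"****-****-****-\1"),
]


def redact(text: str) -> str:
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the fully formatted message before any handler sees the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated; stop handlers from formatting again
        return True


def build_logger() -> tuple[logging.Logger, list[str]]:
    """Logger that writes to an in-memory list so the effect can be inspected offline."""
    lines: list[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            lines.append(self.format(record))

    logger = logging.getLogger("redact-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    return logger, lines


if __name__ == "__main__":
    log, out = build_logger()
    log.info("login failed user=%s password=%s", "alice", "hunter2")
    log.info("contact alice.smith@example.com card 4111 1111 1111 1111")
    print("\n".join(out))
```

Attaching the filter to the logger (not to one handler) means every handler, including ones added later for a SIEM forwarder, receives the redacted record. The filter is a safety net, not a substitute for not passing the secret to the logger in the first place: the pattern rules flag the call site precisely so that the value never enters the logging pipeline.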

Dependencies & Supply Chain (6 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| DEP001 | Dependency version is not pinned to an exact version | Warning | Code |
| DEP002 | Keep dependencies updated regularly | Info | Info |
| DEP003 | Apply security patches within 48 hours | Info | Info |
| DEP004 | Run npm audit / pip-audit weekly | Info | Info |
| DEP005 | Identify and remediate known vulnerable dependencies | Info | Info |
| DEP006 | Monitor transitive dependencies for vulnerabilities | Info | Info |

Infrastructure & Deployment (8 rules)

| Code | Rule | Severity | Type |
|------|------|----------|------|
| INFRA001 | Use separate databases, keys, and configs for dev and production | Info | Info |
| INFRA002 | Debug mode may be enabled in production configuration | Warning | Code |
| INFRA003 | Verbose or debug logging level may be active in production | Warning | Code |
| INFRA004 | Stack traces may be exposed in production configuration | Warning | Code |
| INFRA005 | Secret may be embedded in Docker image via ENV, ARG, or COPY | Error | Code |
| INFRA006 | Ensure secrets are not printed in build or CI logs | Warning | Info |
| INFRA007 | Source maps may be deployed to production | Warning | Code |
| INFRA008 | Test, seed, or mock data may be present in production code | Warning | Code |

Summary

Code and Info counts are tallied from the per-category tables above.

| Category | Rules | Code | Info |
|----------|------:|-----:|-----:|
| Authentication & Access Control | 7 | 6 | 1 |
| Input Validation & XSS | 11 | 8 | 3 |
| CSRF Protection | 7 | 4 | 3 |
| CORS Configuration | 6 | 4 | 2 |
| Encryption & Data Protection | 12 | 8 | 4 |
| API Security | 14 | 6 | 8 |
| Database Security | 12 | 6 | 6 |
| File Handling | 14 | 8 | 6 |
| Secrets & Credentials | 9 | 6 | 3 |
| Frontend Security | 9 | 6 | 3 |
| Business Logic & Payment | 9 | 1 | 8 |
| Logging & Monitoring | 9 | 2 | 7 |
| Dependencies & Supply Chain | 6 | 1 | 5 |
| Infrastructure & Deployment | 8 | 6 | 2 |
| Total | 133 | 72 | 61 |
