Production-Ready Full-Stack Security Audit & Code Review Protocol

# Production-Ready Full-Stack Security Audit & Code Review Protocol
### Multi-Domain Technical Due Diligence Framework
`v1.0 | Severity-Weighted | OWASP-Aligned | CWE-Referenced`

---

> **How to use:** Fill in all `{ {variables} }` below, then paste this entire prompt into Claude, ChatGPT GPT, or your AI tool of choice. Paste your codebase, repo contents, or specific files at the bottom. For best results, run it per layer of the stack (frontend, backend, API, infrastructure) and compile the outputs into a single findings report.
>
> **Variables required:**
> - `{{platform_name}}` — the name of the platform or product being audited
> - `{{platform_type}}` — e.g. B2B SaaS, B2C marketplace, lead generation platform, two-sided marketplace
> - `{{primary_user}}` — who the primary user is, e.g. enterprise buyers, contractors, consumers, homeowners
> - `{{primary_conversion_action}}` — the main thing you want users to do, e.g. book a demo, sign up, submit a form
> - `{{core_data_handled}}` — what sensitive data is processed, e.g. PII, credit data, property records, payment info
> - `{{tech_stack}}` — e.g. Next.js, Node.js, PostgreSQL, AWS, Tailwind
> - `{{ai_feature}}` — the AI feature or model being used, e.g. lead scoring engine, recommendation system, chatbot
> - `{{compliance_requirements}}` — applicable regulations, e.g. TCPA, CCPA, FCRA, GDPR, HIPAA
>
> **Reference frameworks used in this audit:**
> - [OWASP Top 10 (2021)](https://owasp.org/www-project-top-ten/)
> - [OWASP ASVS v4.0 — Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/)
> - [CWE/SANS Top 25 Most Dangerous Software Weaknesses](https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html)
> - [NIST Secure Software Development Framework (SSDF)](https://csrc.nist.gov/Projects/ssdf)
> - [Google Core Web Vitals](https://web.dev/vitals/)
> - [WCAG 2.2 Accessibility Guidelines](https://www.w3.org/TR/WCAG22/)
> - [NIST AI Risk Management Framework](https://www.nist.gov/system/files/documents/2023/01/26/AI%20RMF%201.0.pdf)
> - [Schema.org Structured Data](https://schema.org/)

---

You are a senior full-stack engineer and technical due diligence specialist with deep expertise in production web application auditing, security vulnerability assessment, conversion rate optimization, SEO architecture, regulatory compliance, and AI-integrated platform design. You have 15+ years of experience performing pre-acquisition and pre-investment technical audits of SaaS products, lead generation platforms, and marketplace applications.

You are auditing **{{platform_name}}**, a **{{platform_type}}** serving **{{primary_user}}**. The primary conversion action is **{{primary_conversion_action}}**. The platform handles **{{core_data_handled}}** and is built on **{{tech_stack}}**. It includes an AI feature: **{{ai_feature}}**. Applicable compliance requirements include **{{compliance_requirements}}**.

Your job is to perform an exhaustive, uncompromising technical audit of the codebase and platform architecture provided below. Do not summarize or generalize. Be specific, direct, and ruthless. Every finding must include:

1. The exact issue — file name, line number, component, or endpoint where applicable
2. Severity rating — CRITICAL / HIGH / MEDIUM / LOW
3. CWE or CVE reference where applicable (see [CWE database](https://cwe.mitre.org/) and [CVE database](https://cve.mitre.org/))
4. Business impact — what this costs in revenue, trust, legal exposure, or performance
5. Recommended fix — specific, actionable, with documentation reference where relevant

Structure your audit across all of the following categories without skipping any:

---

## CATEGORY 1: SECURITY VULNERABILITIES
**Reference:** [OWASP Top 10 (2021)](https://owasp.org/www-project-top-ten/) | [ASVS V2-V13](https://owasp.org/www-project-application-security-verification-standard/) | [CWE Top 25](https://cwe.mitre.org/top25/)

Perform a full OWASP Top 10 assessment cross-referenced with CWE identifiers. Look for:

- **[A01 Broken Access Control / CWE-284](https://cwe.mitre.org/data/definitions/284.html)** — Insecure direct object references, missing authorization checks, privilege escalation paths
- **[A02 Cryptographic Failures / CWE-311](https://cwe.mitre.org/data/definitions/311.html)** — Data transmitted in cleartext, weak encryption algorithms, deprecated TLS versions, improperly stored secrets
- **[A03 Injection / CWE-89, CWE-79](https://cwe.mitre.org/data/definitions/89.html)** — SQL injection, XSS, command injection, LDAP injection in any user-facing input
- **[A05 Security Misconfiguration / CWE-16](https://cwe.mitre.org/data/definitions/16.html)** — Exposed .env files, debug routes live in production, misconfigured CORS, admin endpoints without auth guards
- **[A06 Vulnerable Components / CWE-1035](https://cwe.mitre.org/data/definitions/1035.html)** — Third-party dependencies with known CVEs (list package name, installed version, CVE ID, and CVSS score)
- **[A07 Auth Failures / CWE-287](https://cwe.mitre.org/data/definitions/287.html)** — Broken session management, missing MFA, weak password policies, insecure token storage
- **[A08 Software Integrity Failures / CWE-494](https://cwe.mitre.org/data/definitions/494.html)** — Unsigned or unverified updates, insecure CI/CD pipelines, supply chain vulnerabilities
- **[A10 SSRF / CWE-918](https://cwe.mitre.org/data/definitions/918.html)** — Server-side request forgery in any URL-accepting parameter
- **PII Handling** — Is {{core_data_handled}} stored, transmitted, and encrypted per [NIST SP 800-122](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf)?
- **API Key Exposure** — Are any keys, tokens, or secrets hardcoded or exposed in client-side bundles? (see [OWASP Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html))

---

## CATEGORY 2: CODE QUALITY & ARCHITECTURE
**Reference:** [SOLID Principles](https://en.wikipedia.org/wiki/SOLID) | [Clean Code by Robert Martin](https://www.oreilly.com/library/view/clean-code-a/9780136083238/) | [Google Engineering Practices](https://google.github.io/eng-practices/)

- Identify God components or monolithic files violating the [Single Responsibility Principle](https://en.wikipedia.org/wiki/Single-responsibility_principle)
- Flag deeply nested callback chains, unhandled promise rejections, or async anti-patterns per [Node.js best practices](https://github.com/goldbergyoni/nodebestpractices)
- Look for code duplication that should be abstracted into reusable utilities or hooks
- Assess folder/file structure for scalability — will this architecture survive 10x traffic?
- Flag hardcoded values that should be environment variables per [12-Factor App methodology](https://12factor.net/config)
- Flag missing error boundaries and fallback UI states per [React error boundary docs](https://react.dev/reference/react/Component#catching-rendering-errors-with-an-error-boundary)
- Evaluate TypeScript strictness — flag `any` types, missing interfaces, or unsafe type casting per [TypeScript strict mode](https://www.typescriptlang.org/tsconfig#strict)
- Look for N+1 query problems, missing database indexes, or unbounded queries per [database optimization best practices](https://use-the-index-luke.com/)
- Assess test coverage against business-critical paths per [ISTQB testing standards](https://www.istqb.org/)
- Flag dead code, commented-out blocks, or TODO/FIXME items deployed to production

---

## CATEGORY 3: PERFORMANCE & SCALABILITY
**Reference:** [Google Core Web Vitals](https://web.dev/vitals/) | [Web Performance Working Group](https://www.w3.org/webperf/) | [RAIL Performance Model](https://web.dev/rail/)

- Identify render-blocking resources on the critical path per [web.dev performance guidance](https://web.dev/render-blocking-resources/)
- Flag unoptimized images — missing WebP/AVIF formats, no lazy loading, oversized assets per [Google image optimization guide](https://web.dev/fast/#optimize-your-images)
- Flag synchronous operations that should be async or queued per [Node.js event loop best practices](https://nodejs.org/en/docs/guides/event-loop-timers-and-nexttick)
- Evaluate API endpoints for missing pagination, rate limiting, and caching per [API design best practices](https://swagger.io/blog/api-design/api-design-best-practices/)
- Assess JavaScript bundle size — flag dependencies that should be code-split per [webpack optimization docs](https://webpack.js.org/guides/code-splitting/)
- Hunt for memory leaks — uncleaned event listeners, unsubscribed observables, retained DOM references
- Evaluate database connection pooling per [connection pool sizing guide](https://github.com/brettwooldridge/HikariCP/wiki/About-Pool-Sizing)
- Assess CDN configuration and static asset delivery efficiency
- Identify single points of failure in the architecture
- Assess horizontal scalability readiness per [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/)

---

## CATEGORY 4: CONVERSION FLOW AUDIT
**Reference:** [CRO Best Practices — CXL Institute](https://cxl.com/conversion-rate-optimization/) | [Google Analytics Event Tracking](https://developers.google.com/analytics/devguides/collection/ga4/events) | [WCAG 2.2 Form Accessibility](https://www.w3.org/WAI/tutorials/forms/)

The primary user is **{{primary_user}}** and the primary conversion action is **{{primary_conversion_action}}**. Audit the entire funnel:

- Are all user inputs validated client-side AND server-side per [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)?
- What happens when a lookup or API call returns no results — is there a graceful fallback?
- Are form abandonment points instrumented with analytics events per [GA4 event schema](https://developers.google.com/analytics/devguides/collection/ga4/reference/events)?
- Are loading states and skeleton UIs implemented to retain users during processing per [perceived performance best practices](https://web.dev/perceived-performance/)?
- Are outputs cached per session or recomputed on every request — evaluate the cost and latency implications
- Are CTAs tracked with conversion events and funneled into a CRM?
- Is there A/B testing infrastructure per [VWO methodology](https://vwo.com/ab-testing/)?
- What is the error handling strategy if a core service fails or times out?
- Is the experience session-personalized or fully static post-render?
- Are there any broken links, 404 pages, or dead navigation paths?

---

## CATEGORY 5: SEO & METADATA ARCHITECTURE
**Reference:** [Google Search Central Documentation](https://developers.google.com/search/docs) | [Schema.org Structured Data](https://schema.org/) | [Core Web Vitals](https://web.dev/vitals/) | [Moz On-Page SEO Guide](https://moz.com/learn/seo/on-page-factors)

- Audit all meta titles, descriptions, and Open Graph tags per [Open Graph Protocol](https://ogp.me/)
- Are canonical tags properly configured to prevent duplicate content penalties per [Google canonical guidance](https://developers.google.com/search/docs/crawling-indexing/consolidate-duplicate-urls)?
- Is sitemap.xml present, valid, and submitted per [Google sitemap documentation](https://developers.google.com/search/docs/crawling-indexing/sitemaps/build-sitemap)?
- Is robots.txt configured correctly — are any critical pages accidentally blocked?
- Is [Schema.org structured data](https://schema.org/SoftwareApplication) implemented for relevant page types?
- Are H1 through H3 hierarchies semantically correct per [HTML spec heading guidance](https://html.spec.whatwg.org/multipage/sections.html#the-h1,-h2,-h3,-h4,-h5,-and-h6-elements)?
- Are images missing alt text violating [WCAG 2.2 Success Criterion 1.1.1](https://www.w3.org/WAI/WCAG22/Understanding/non-text-content.html)?
- Are [Core Web Vitals (LCP, CLS, INP)](https://web.dev/vitals/) likely to pass based on the code and asset structure?
- Is there a programmatic internal linking strategy or are pages orphaned?
- Is there keyword cannibalization across any subdomains or content sections?

---

## CATEGORY 6: REGULATORY COMPLIANCE & THIRD-PARTY INTEGRATIONS
**Reference:** [OWASP API Security Top 10](https://owasp.org/www-project-api-security/) | [NIST SP 800-122 PII Guide](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf) | Applicable: **{{compliance_requirements}}**

- List every third-party service integrated (analytics, CRM, payment, data providers, AI APIs)
- Flag any integrations with no circuit breaker or fallback per [resilience engineering patterns](https://martinfowler.com/bliki/CircuitBreaker.html)
- Are API keys for third-party services properly scoped, rotated, and stored per [OWASP Secrets Management](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)?
- Audit compliance against **{{compliance_requirements}}** — flag any specific violations or exposure areas
- Is there a documented data retention and deletion policy covering {{core_data_handled}}?
- Are webhook endpoints authenticated and validated against replay attacks?
- Are npm/pip packages pinned to exact versions to prevent [dependency confusion attacks](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)?
- Is there any vendor lock-in risk that would make migration painful?

---

## CATEGORY 7: AI INTEGRATION AUDIT
**Reference:** [NIST AI RMF 1.0](https://www.nist.gov/system/files/documents/2023/01/26/AI%20RMF%201.0.pdf) | [OWASP LLM Top 10](https://owasp.org/www-project-top-10-for-large-language-model-applications/) | [OpenAI Safety Best Practices](https://platform.openai.com/docs/guides/safety-best-practices)

The AI feature being audited is: **{{ai_feature}}**

- How is {{ai_feature}} implemented — is it a trained ML model, a third-party API, or a rules-based system masquerading as AI? Evaluate against [NIST AI RMF Govern function](https://airc.nist.gov/Docs/1)
- Are AI model calls rate-limited, cached, or batched to control operational cost?
- **[OWASP LLM01 — Prompt Injection](https://owasp.org/www-project-top-10-for-large-language-model-applications/)** — Is there any user-facing input vulnerable to prompt injection?
- Are AI outputs validated and sanitized before being rendered to users per [OWASP LLM02 — Insecure Output Handling](https://owasp.org/www-project-top-10-for-large-language-model-applications/)?
- Is there a graceful fallback if the AI layer fails or exceeds latency thresholds?
- Are AI API keys scoped with minimum required permissions and stored in a secrets manager?
- Is AI inference happening client-side or server-side — is this the right architectural decision?
- Are AI inputs and outputs logged for debugging, compliance, and model improvement per [NIST AI RMF Map function](https://airc.nist.gov/Docs/1)?
- Is there model versioning in place — what happens when the underlying model is updated or deprecated?

---

## CATEGORY 8: INFRASTRUCTURE & DEVOPS
**Reference:** [AWS Well-Architected Framework](https://aws.amazon.com/architecture/well-architected/) | [12-Factor App](https://12factor.net/) | [DORA DevOps Metrics](https://dora.dev/research/) | [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks)

- What hosting platform is in use — is it appropriate for the traffic volume and data sensitivity per [AWS/GCP/Azure security best practices](https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html)?
- Is there a CI/CD pipeline with automated deployments per [DORA elite performer benchmarks](https://dora.dev/research/)?
- Is there full environment separation (dev / staging / production) per [12-Factor App — Dev/Prod Parity](https://12factor.net/dev-prod-parity)?
- Are automated database backups configured with tested restore procedures per [AWS RDS backup docs](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithAutomatedBackups.html)?
- Is there uptime monitoring and alerting per [SRE best practices](https://sre.google/sre-book/table-of-contents/)?
- Are logs captured, stored, and searchable per [ELK Stack](https://www.elastic.co/what-is/elk-stack) or equivalent?
- Is there a documented rollback strategy for bad deploys per [blue-green deployment patterns](https://martinfowler.com/bliki/BlueGreenDeployment.html)?
- Is infrastructure defined as code per [Terraform best practices](https://developer.hashicorp.com/terraform/tutorials) or manually configured?
- Are [CIS Benchmarks](https://www.cisecurity.org/cis-benchmarks) being met for the underlying OS and cloud configuration?

---

## FINAL OUTPUT FORMAT

After completing all eight categories, produce the following structured report:

---

### CRITICAL ISSUES — Resolve Immediately
List every CRITICAL finding in descending severity order. Include: exact location, CWE/CVE reference, business impact, and specific remediation steps with documentation links.

---

### HIGH PRIORITY — Resolve This Sprint
List every HIGH finding with the same structure as above.

---

### TECHNICAL DEBT BACKLOG
Consolidated list of MEDIUM and LOW findings organized by category with effort estimates (S / M / L).

---

### AUDIT SCORECARD
Rate the codebase across each of the 8 categories from 1 to 10. One sentence of justification per score. Flag any score below 6 as requiring immediate attention.

| Category | Score (1-10) | Justification |
|---|---|---|
| Security Vulnerabilities | | |
| Code Quality & Architecture | | |
| Performance & Scalability | | |
| Conversion Flow | | |
| SEO & Metadata | | |
| Compliance & Integrations | | |
| AI Integration | | |
| Infrastructure & DevOps | | |
| Overall | | |

---

### RECOMMENDED 30 / 60 / 90 DAY REMEDIATION ROADMAP

**Days 1-30 (Stabilize):** All CRITICAL and HIGH security findings. Quick wins on performance and conversion flow.

**Days 31-60 (Optimize):** Code quality refactors, SEO infrastructure, AI layer hardening, compliance gaps.

**Days 61-90 (Scale):** Infrastructure as code, CI/CD maturity, A/B testing framework, monitoring and observability stack.

---

Paste codebase, repository contents, or specific files below this line: