The big shifts
- A01 Broken Access Control stays at #1, broader scope
- A02 Cryptographic Failures absorbed parts of the old A05
- A03 Injection narrows — XSS moved into a dedicated category
- A04 Insecure Design keeps its slot — design-level review still distinct from code review
- A05 Security Misconfiguration — same scope, more emphasis on defaults
- A06 Vulnerable & Outdated Components — supply-chain reasoning expanded
- A07 Identification & Authentication Failures — session-token storage explicitly called out
- A08 Software & Data Integrity Failures — CI/CD, signed artifacts
- A09 Logging & Monitoring — same as before, but with detection-engineering language
- A10 SSRF moved up from honorable mention
What changed in our checklist
We added explicit tests for:
- Token storage on the client — `localStorage` vs `httpOnly` cookies, with the assumption that a single XSS will exfiltrate any token JS can read
- Build pipeline integrity — branch protections, signed releases, dependency provenance
- SSRF surface — webhook receivers, image-fetchers, URL-preview endpoints
- Edge-case CSP — `'unsafe-inline'` analysis, hash-based vs nonce-based
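Two of those checklist items (session-token cookie flags, and how `'unsafe-inline'` interacts with nonce- and hash-based CSP) reduce to inspecting response headers, so here is an added example of what that check looks like. This is illustration code written for this note, not part of the original checklist or any tool it references; the `Set-Cookie` and `Content-Security-Policy` values are constructed samples, and the nonce in them is a fixed placeholder, not the unpredictable per-response value a real policy needs.

```javascript
// Added example (not from the original post): header checks for two of the
// checklist items, session-cookie flags and CSP 'unsafe-inline' handling.
// The sample headers at the bottom are constructed for this example.

// Parse a Content-Security-Policy header into a Map of directive -> sources.
// Only the first occurrence of a directive is kept; browsers ignore repeats.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether inline scripts run, and whether the policy is nonce- or
// hash-based. When a nonce or hash source is present, browsers implementing
// CSP Level 2 or later ignore 'unsafe-inline' (it only serves as a fallback
// for legacy browsers); without one, 'unsafe-inline' re-enables inline script.
function analyzeScriptSrc(header) {
  const csp = parseCsp(header);
  const sources = csp.get('script-src') ?? csp.get('default-src') ?? [];
  const lower = sources.map((s) => s.toLowerCase());
  const unsafeInline = lower.includes("'unsafe-inline'");
  const hasNonce = lower.some((s) => s.startsWith("'nonce-"));
  const hasHash = lower.some((s) => /^'sha(256|384|512)-/.test(s));
  const findings = [];
  if (sources.length === 0) {
    findings.push('no script-src or default-src: inline scripts allowed');
  } else if (unsafeInline && !hasNonce && !hasHash) {
    findings.push("'unsafe-inline' without nonce or hash: inline scripts allowed");
  } else if (unsafeInline) {
    findings.push("'unsafe-inline' ignored by CSP2+ browsers (nonce/hash present); legacy fallback only");
  }
  return {
    mode: hasNonce ? 'nonce' : hasHash ? 'hash' : 'none',
    inlineAllowed: sources.length === 0 || (unsafeInline && !hasNonce && !hasHash),
    findings,
  };
}

// Check the attributes on the Set-Cookie header that carries the session token.
// HttpOnly keeps the token out of document.cookie, which is the reason to prefer
// a cookie over localStorage under the "one XSS reads everything" assumption;
// Secure and SameSite are the usual companions.
function analyzeSessionCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attrNames = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  const sameSiteAttr = attrs.find((a) => a.toLowerCase().startsWith('samesite='));
  const sameSite = sameSiteAttr ? sameSiteAttr.split('=')[1] : null;
  const findings = [];
  if (!attrNames.has('httponly')) findings.push(`${name}: missing HttpOnly, token readable by script`);
  if (!attrNames.has('secure')) findings.push(`${name}: missing Secure`);
  if (!sameSite) findings.push(`${name}: missing SameSite`);
  return {
    name,
    httpOnly: attrNames.has('httponly'),
    secure: attrNames.has('secure'),
    sameSite,
    findings,
  };
}

// Constructed sample headers (the nonce value is a fixed placeholder).
const GOOD_COOKIE = 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';
const WEAK_COOKIE = 'session=abc123; Path=/';
const NONCE_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3' 'unsafe-inline'";
const WEAK_CSP = "script-src 'self' 'unsafe-inline'";

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of [GOOD_COOKIE, WEAK_COOKIE]) console.log(analyzeSessionCookie(h));
  for (const h of [NONCE_CSP, WEAK_CSP]) console.log(analyzeScriptSrc(h));
}
```

The CSP check deliberately reports `'unsafe-inline'` next to a nonce or hash as a finding rather than a failure: it is harmless in current browsers but worth knowing about, because removing the nonce later would silently turn it back into a real inline-script allowance.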
How to use this list
The Top 10 isn't a compliance checklist. It's a memory aid. Walk every endpoint and ask, for each of the ten categories, "could this fail here?" If you can't answer with conviction, that endpoint is in scope for review.