[
    {
        "description": "No API keys or secrets are stored in repository",
        "responsibles": 1,
        "more": ""
    },
    {
        "description": "The app does not provide password login",
        "responsibles": 1,
        "more": ""
    },
    {
        "description": "Passwords are not stored",
        "responsibles": 1,
        "more": ""
    },
    {
        "description": "No sensitive information (passwords, keys, user data, ...) is logged or traced",
        "responsibles": 1,
        "more": "[Logging guide](https://www.notion.so/panterch/Long-story-logging-022722bb878f4724ae5b49e17667b630?pvs=4#9e5a36b7158a4953b73ec6a345bd8989), [Tracing guide](https://www.notion.so/panterch/Long-story-tracing-d8a9ec1ac2ff4fa78cefa8991233224e?pvs=4#535121b5bf9741fbaf8654b4b64d879d)"
    },
    {
        "description": "Passwords are stored hashed with a salt, and the salt is not stored in the repository",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/hash.md)"
    },
    {
        "description": "Input that ends up in the DOM is properly sanitized",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/xss.md)"
    },
    {
        "description": "All user inputs have reasonable validations",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/validation.md)"
    },
    {
        "description": "The app is not using cookies",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
    },
    {
        "description": "The app is using cookies and cookies are properly configured",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
    },
    {
        "description": "The app uses JWT with a secret and the secret is not stored in the repository",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
    },
    {
        "description": "Authorization and user roles (RBAC) were reviewed thoroughly",
        "responsibles": 2,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/authorization.md)"
    },
    {
        "description": "CORS headers do not use `*`",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cors.md)"
    },
    {
        "description": "CSP headers are properly configured (no `unsafe-inline` or `unsafe-eval`)",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/csp.md)"
    },
    {
        "description": "DoS defense mechanism is implemented",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/dos.md)"
    },
    {
        "description": "YAML/XML parsing is not used, or the YAML/XML parsers in use have DTD processing disabled",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/dos.md)"
    },
    {
        "description": "The app implements CSRF prevention",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/csrf.md)"
    },
    {
        "description": "The app has a rate limiter",
        "responsibles": 1,
        "more": ""
    },
    {
        "description": "The app has disabled GraphQL introspection and schema registry",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/graphql.md)"
    },
    {
        "description": "The app has set GraphQL complexity query limits",
        "responsibles": 1,
        "more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/graphql.md)"
    },
    {
        "description": "`sitemap.xml` does not leak any routes with sensitive data",
        "responsibles": 1,
        "more": ""
    },
    {
        "description": "Cloud storage is configured as private so that it does not leak any sensitive data publicly",
        "responsibles": 1,
        "more": ""
    },
    {
        "description": "The Security Dashboard checks weekly for vulnerable dependencies https://dep.panter.swiss/",
        "responsibles": 1,
        "more": ""
    },
    {
        "description": "The app has `.well-known/security.txt` https://securitytxt.org/",
        "responsibles": 1,
        "more": ""
    }
]
