Review Packet: Security and Reliability
When to use
Use this packet for auth/session changes, user-generated content, raw HTML, third-party scripts, CORS changes, sensitive forms, account workflows, payments, permissions, and partial-outage risks.
Intake questions
- What attacker-controlled input reaches the browser?
- Which DOM, URL, storage, network, or script sinks can it influence?
- What sensitive data appears in HTML, JavaScript, storage, logs, or analytics?
- Where is authorization enforced?
- What happens when a critical API is slow, unavailable, or returns partial data?
- What is the user-safe retry and rollback behavior?
Required artifacts
- Browser threat model.
- Auth/session and permission flow.
- CSP/security header plan.
- Third-party script register.
- Failure/degradation matrix.
- Incident response notes.
Decision matrix
| Risk | Required control |
|---|---|
| XSS | Safe rendering, escaping, sanitization boundary, CSP, Trusted Types where applicable. |
| CSRF | SameSite cookies, CSRF tokens where needed, server validation. |
| Clickjacking/tabnabbing | Frame and opener policy. |
| CORS misuse | Origin rules plus server authorization; never use CORS as auth. |
| Partial outage | Scoped error boundaries, retries, degraded states, kill switches. |
Red flags
- Frontend role checks are treated as authorization.
- CSP is added after launch without report triage.
- Sensitive data is stored in long-lived browser storage.
- Retry logic can duplicate destructive actions.
- Error states erase user input.
Approval criteria
- Trust boundaries are explicit.
- Browser policies are specified.
- Sensitive data handling is minimized.
- Failure states preserve user intent.
- Incident path and owner are clear.
Example reviewer comments
- "This hides the button by role but the endpoint still needs server authorization. Please document the server enforcement."
- "The retry policy can submit the payment twice. Add idempotency and visible pending state."
- "This raw HTML path needs a named sanitization boundary and CSP rollout."
Example ADR prompt
Write an ADR covering the browser trust boundary, sensitive data handling, policy headers, failure states, authorization model, monitoring, and incident response.
Release readiness checklist
- Threat model reviewed.
- CSP/header policy defined.
- Sensitive data storage and logging checked.
- Degraded states designed.
- Incident and rollback path documented.