Manual Code Review

Analysis

Manual code review is essential for finding complex logic flaws that automated tools miss. Focus on authentication, authorization, input validation, and business logic.

Code Review Checklist

code-review-checklist.md:

```markdown
# Manual Code Review Checklist

## 1. Authentication & Session Management
- [ ] Password complexity requirements enforced?
- [ ] Account lockout after failed attempts?
- [ ] Session tokens cryptographically random?
- [ ] Session timeout configured?
- [ ] Logout functionality properly destroys session?
- [ ] Remember me uses secure tokens?

## 2. Authorization
- [ ] All endpoints check user permissions?
- [ ] Direct object references validated (IDOR)?
- [ ] Role-based access control enforced?
- [ ] API endpoints require authentication?
- [ ] File uploads restricted by user role?

## 3. Input Validation
- [ ] All user input validated (whitelist preferred)?
- [ ] SQL queries use parameterized statements?
- [ ] XSS prevention (output encoding)?
- [ ] File uploads check content type and extension?
- [ ] Size limits on all inputs?
- [ ] Path traversal prevented (../)?

## 4. Cryptography
- [ ] Strong algorithms (AES-256, RSA-2048+)?
- [ ] No hardcoded keys or passwords?
- [ ] Proper random number generation (SecureRandom)?
- [ ] Passwords hashed with bcrypt/Argon2?
- [ ] TLS 1.2+ enforced?

## 5. Error Handling
- [ ] Generic error messages (no stack traces)?
- [ ] Logs don't contain sensitive data?
- [ ] Exceptions caught and handled?

## 6. Business Logic
- [ ] Race conditions checked?
- [ ] Price/quantity manipulation prevented?
- [ ] Workflow sequence enforced?
- [ ] Rate limiting on critical functions?
```

Follow the Data Flow

Trace user input from each entry point (HTTP request, API call) through the application to each sink (database query, file system, response body). Look for any point on that path where the input is not validated or the output is not encoded before it reaches the sink.
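Tracing the data flow by hand does not scale past a few handlers, so the following intraprocedural source-to-sink tracer (an added example written for this page, not code from the original) mechanises the check over a constructed Flask-style snippet: it walks each function's statements in order, marks variables assigned from user-input sources as tainted, clears the taint when a value passes through a named validation function, and reports sinks whose statement text is built from tainted data. The source, sink and sanitizer names are assumptions chosen for the sample, not values from the page.

```python
import ast

# Constructed, hypothetical tables for a Flask-style app; tailor them to the real framework.
SOURCES = {"request.args.get", "request.form.get"}
SINKS = {"cursor.execute", "os.system"}
SANITIZERS = {"int", "escape", "validate_id"}

def _dotted(node):  # render a call target such as request.args.get as a string
    if isinstance(node, ast.Attribute) and (base := _dotted(node.value)):
        return f"{base}.{node.attr}"
    return node.id if isinstance(node, ast.Name) else None

def _tainted(node, tainted):  # does this expression carry unsanitized user input?
    if isinstance(node, ast.Call):
        name = _dotted(node.func)
        if name in SANITIZERS:
            return False  # validation/encoding breaks the taint
        return name in SOURCES or any(_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.JoinedStr):  # f-string interpolation
        return any(_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    if isinstance(node, ast.BinOp):  # "..." + x or "..." % x
        return _tainted(node.left, tainted) or _tainted(node.right, tainted)
    return isinstance(node, ast.Name) and node.id in tainted

def find_unvalidated_flows(source_code):
    # Walk each function's statements in order; flag a sink whose statement text
    # (first argument) carries unsanitized input. Bound parameters are not flagged.
    findings = []
    for func in ast.walk(ast.parse(source_code)):
        if not isinstance(func, ast.FunctionDef):
            continue
        tainted = set()
        for stmt in func.body:
            for node in ast.walk(stmt):
                if isinstance(node, ast.Assign) and _tainted(node.value, tainted):
                    tainted |= {t.id for t in node.targets if isinstance(t, ast.Name)}
                elif isinstance(node, ast.Call) and _dotted(node.func) in SINKS:
                    if node.args and _tainted(node.args[0], tainted):
                        findings.append((func.name, node.lineno, _dotted(node.func)))
    return findings

# Constructed sample under review: an f-string SQL sink next to a parameterized query.
SAMPLE = '''def get_order(request, cursor):
    order_id = request.args.get("id")
    cursor.execute(f"SELECT * FROM orders WHERE id = {order_id}")
def get_order_safe(request, cursor):
    order_id = int(request.args.get("id"))
    cursor.execute("SELECT * FROM orders WHERE id = %s", (order_id,))
'''
```

`find_unvalidated_flows(SAMPLE)` returns `[('get_order', 3, 'cursor.execute')]`: the f-string query is reported, while the `int()`-validated, parameterized query is not. The tracer is flow-insensitive within a statement and ignores branches and calls into other functions, so its output is a starting list for manual review, not a verdict.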