🛡️ Developer Security Checklist

80+ interactive security checks across 10 categories. Includes AI/LLM Agent SecurityNEW — the first checklist to cover agentic AI risks.

F
Security Score0%
0 done 📋 0 total 🔴 0 critical remaining

📖 How to Use This Security Checklist

Review each category — Expand the 10 security categories (Authentication, HTTPS, API, Data, Server, AI/LLM, Secrets, Logging, Dependencies, CI/CD) and assess each item.
Check completed items — Tick off items your application already implements. Your grade updates in real-time from F to A+.
Prioritize by severity — Use the filter to focus on Critical and High items first. These represent the biggest security risks.
Share with your team — Click 🔗 Share to generate a URL with your progress, or export as Markdown for GitHub issues and PRs.

🏦 DonFlow — Budget Drift Detector

Plan your budget structure, import bank data, and see exactly where reality drifts from your plan. Zero accounts, zero cloud, 100% browser.

Try Live Demo →

❓ Frequently Asked Questions

What is a developer security checklist?
A structured list of 80+ security best practices across 10 categories: Authentication, HTTPS, API Security, Data Protection, Server Hardening, AI/LLM Agent Security, Secrets Management, Logging, Dependencies, and CI/CD. Each item is scored by severity (Critical → Low) and your overall posture gets an A-F grade.
What is AI/LLM Agent Security and why does it matter?
As AI agents gain tool access (file systems, APIs, databases), traditional checklists aren't enough. This category covers: prompt injection prevention, tool execution sandboxing, action allowlists, credential isolation, cost budgets, data exfiltration monitoring, and human-in-the-loop for destructive actions. See our AI Security Checklist for a deeper dive.
How do I prevent prompt injection attacks?
Defenses: (1) sanitize user inputs before embedding in prompts, (2) use system prompts with clear boundaries, (3) validate all LLM outputs before executing, (4) implement allowlists for agent tools, (5) red-team with adversarial prompts. Example: const safe = input.replace(/[<>{}]/g, '') before passing to an LLM.
What password hashing algorithm should I use?
Use Argon2id (Password Hashing Competition winner) as first choice. Alternatives: bcrypt (battle-tested) or scrypt (memory-hard). Never use MD5, SHA-1, or plain SHA-256 — they're too fast for password hashing. Test password strength with our Password Strength Analyzer.
Is my checklist data sent to any server?
No. Everything runs 100% in your browser. Progress is saved in localStorage — no accounts, no cloud sync, no data leaves your machine. Export as Markdown for offline use. Verify: open DevTools → Network tab → zero outbound requests.
How do I share my security audit with my team?
Click 🔗 Share to generate a URL encoding your checklist state. Your team opens it and sees the same checked/unchecked items. Also export as Markdown (great for GitHub issues/PRs).

🛠 More Free Developer Tools

Password Strength
Analyze password security
AI Security Checklist
LLM & agent security audit
JSON Formatter
Format, validate & minify JSON
JSON Error Explainer
Find & fix JSON errors instantly
JWT Decoder
Decode & inspect JWT tokens
Hash Generator
MD5, SHA-1, SHA-256, SHA-512
Password Generator
Generate strong passwords
Regex Tester
Test regex with live highlighting
Base64 Tool
Encode & decode Base64
URL Encoder
Encode & decode URLs
Keyword Mixer
Combine keywords for PPC
Cron Parser
Parse & explain cron expressions
Unix Timestamp
Convert timestamps instantly
Color Picker
Pick colors, convert HEX/RGB/HSL
QR Code Generator
Generate QR codes instantly
Lorem Ipsum Generator
Generate placeholder text

📬 Get Dev Tools & Tips Weekly

Free tools, automation tricks, and AI insights. No spam.