The Developer Security Checklist I Use Before Every Deploy

via Dev.to TutorialAlex

I keep a security checklist pinned to my monitor. It's saved me from shipping vulnerabilities at least a dozen times.

Authentication & Sessions

```python
import bcrypt

def hash_password(plain_text):
    # Cost factor 12 means 2^12 key-expansion rounds: slow enough to blunt brute force
    salt = bcrypt.gensalt(rounds=12)
    return bcrypt.hashpw(plain_text.encode(), salt)

def verify_password(plain_text, hashed):
    # checkpw re-derives the hash with the salt embedded in `hashed` and compares in constant time
    return bcrypt.checkpw(plain_text.encode(), hashed)
```

Checklist:

[ ] Passwords hashed with bcrypt/scrypt/argon2
[ ] Session tokens are random, long, and expire
[ ] Failed login attempts are rate-limited

Input Validation

```python
import re

def validate_email(email):
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    # 254 characters is the practical upper bound for a full address (RFC 5321)
    if not re.match(pattern, email) or len(email) > 254:
        raise ValueError("Invalid email format")
    return email.lower().strip()
```

SQL Injection Prevention

```python
# BAD: string formatting splices user input straight into the SQL text
query = f"SELECT * FROM users WHERE id = {user_id}"

# GOOD: the driver sends the value as a bound parameter, never as SQL
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
```

HTTP Security Headers

add_
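The two Authentication & Sessions checklist items the article states but does not show in code, random expiring session tokens and rate-limited failed logins, as an added example that is not the article's own code. The in-memory stores, the 30-minute session TTL and the 5-failures-per-15-minutes limit are assumptions chosen for illustration.

```python
# Added example (not the article's own code): a minimal in-memory session store
# and a failed-login rate limiter for the two checklist items shown without code.
# Limits and names below are assumptions chosen for illustration.
import secrets
import time
from collections import deque

SESSION_TTL_SECONDS = 30 * 60      # assumed: a session expires 30 minutes after issue
MAX_FAILED_ATTEMPTS = 5            # assumed: block after 5 failures ...
FAILURE_WINDOW_SECONDS = 15 * 60   # ... inside a 15-minute sliding window

_sessions = {}    # token -> (user_id, expires_at)
_failures = {}    # username -> deque of failure timestamps

def create_session(user_id, now=None):
    """Issue a 256-bit random token (OS CSPRNG) that expires after the TTL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _sessions[token] = (user_id, now + SESSION_TTL_SECONDS)
    return token

def get_session_user(token, now=None):
    """Return the session's user, or None if the token is unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    user_id, expires_at = entry
    if now >= expires_at:
        del _sessions[token]   # expired: remove it so it can never be reused
        return None
    return user_id

def login_allowed(username, now=None):
    """False once MAX_FAILED_ATTEMPTS failures fall inside the sliding window."""
    now = time.time() if now is None else now
    attempts = _failures.get(username)
    if not attempts:
        return True
    while attempts and attempts[0] <= now - FAILURE_WINDOW_SECONDS:
        attempts.popleft()     # forget failures older than the window
    return len(attempts) < MAX_FAILED_ATTEMPTS

def record_failed_login(username, now=None):
    """Call after a failed password check; a successful login should clear the deque."""
    now = time.time() if now is None else now
    _failures.setdefault(username, deque()).append(now)
```

In a real deployment the two dicts would live in a shared store such as Redis so that every app instance sees the same sessions and failure counts.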
