Security Regression Checklist.
Security & Permissions
A release-ready security sign-off for QA — a fast pass across authentication, authorization, sessions, APIs, file upload, sensitive data, error handling and audit logs.
When to use this checklist
- Before a major release
- Before authentication, role or permission changes ship
- Before API or file-upload changes ship
- Before launching admin features
This is a release-ready security sign-off — a fast, repeatable pass across the highest-risk areas. It does not replace the detailed authentication, authorization and API security checklists; it is the regression layer you run every release to make sure nothing important regressed. Run it with controlled test accounts on an approved environment.
Access & identity
Authentication, authorization and sessions still hold.
APIs & input
Endpoints reject what they should.
Files & data
Uploads, private files and sensitive data are protected.
Errors, logs & admin
Errors stay quiet; sensitive actions are recorded.
Common Bugs
A regression re-opens a previously fixed access bug
A refactor removes a server-side permission check that no unit test covered. Keep authorization spot-checks in the regression pass and automate the high-value ones.
Admin page accessible by direct URL after a routing change
Navigation hides the admin link, but the route itself lost its guard. Always test the direct URL as a non-admin.
Email link reusable after a flow change
A change to the reset or invite flow drops the single-use or expiry rule. Re-test link reuse every release.
Recommended Tools
Keep a saved collection that runs the token, role and object-access checks each release.
Automate the high-value regressions: logout invalidation, direct-URL admin access, private-file access.
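The three common bugs above and the automation advice in this section share one idea: the regression pass should exercise the server-side rule directly, not the UI that hides it. The following is an added example, not code from the page or from any product it describes. It runs the high-value regressions (direct-URL admin access, logout invalidation, private-file access, single-use and expiring reset links) against a constructed in-memory stand-in for an application; the class names, routes, roles and status codes are assumptions chosen for the illustration, and a deliberately regressed variant shows the check catching the "admin route lost its guard" bug.

```python
"""Security regression checks run against a constructed toy application.
ToyApp, RegressedApp, the routes and the role names are assumptions for this
example; the checks themselves are the part worth porting to a real suite."""
import secrets
import time


class ToyApp:
    """Minimal stand-in for an app with sessions, roles, private files and reset links."""

    def __init__(self):
        self.users = {"alice": "user", "root": "admin"}  # username -> role (constructed)
        self.sessions = {}                                # session id -> username
        self.reset_tokens = {}                            # token -> {user, expires, used}
        self.files = {"f1": "alice", "f2": "root"}        # file id -> owner (constructed)

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def logout(self, sid):
        # Server-side invalidation: the id must stop working, not just be forgotten by the client.
        self.sessions.pop(sid, None)

    def request(self, path, sid=None):
        """Return an HTTP-like status for a direct request to a path, ignoring any navigation UI."""
        user = self.sessions.get(sid)
        if user is None:
            return 401
        if path == "/admin":
            return 200 if self.users[user] == "admin" else 403   # role check lives on the route
        if path.startswith("/files/"):
            fid = path[len("/files/"):]
            if fid not in self.files:
                return 404
            return 200 if self.files[fid] == user else 403      # object-level ownership check
        return 404

    def issue_reset(self, user, ttl=900):
        token = secrets.token_urlsafe(24)
        self.reset_tokens[token] = {"user": user, "expires": time.time() + ttl, "used": False}
        return token

    def redeem_reset(self, token, now=None):
        """Accept a reset token only once and only before it expires."""
        now = time.time() if now is None else now
        rec = self.reset_tokens.get(token)
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        rec["used"] = True
        return True


class RegressedApp(ToyApp):
    """Stand-in for the bug described above: a routing change dropped the /admin guard."""

    def request(self, path, sid=None):
        if path == "/admin" and sid in self.sessions:
            return 200  # any logged-in user gets the admin page: the regression we want to catch
        return super().request(path, sid)


# Each check returns True when the security rule still holds.
def check_direct_admin_url(app):
    sid = app.login("alice")
    return app.request("/admin", None) == 401 and app.request("/admin", sid) == 403


def check_logout_invalidation(app):
    sid = app.login("alice")
    app.logout(sid)
    return app.request("/files/f1", sid) == 401


def check_private_file_access(app):
    sid = app.login("alice")
    return app.request("/files/f1", sid) == 200 and app.request("/files/f2", sid) == 403


def check_reset_link_single_use(app):
    token = app.issue_reset("alice")
    return app.redeem_reset(token) and not app.redeem_reset(token)


def check_reset_link_expiry(app):
    token = app.issue_reset("alice", ttl=60)
    return not app.redeem_reset(token, now=time.time() + 120)


CHECKS = [
    ("direct_admin_url", check_direct_admin_url),
    ("logout_invalidation", check_logout_invalidation),
    ("private_file_access", check_private_file_access),
    ("reset_link_single_use", check_reset_link_single_use),
    ("reset_link_expiry", check_reset_link_expiry),
]


def run_regression(app):
    """Run every check on a fresh-state app and report pass/fail by name."""
    return {name: bool(fn(app)) for name, fn in CHECKS}


if __name__ == "__main__":
    for label, app in (("current", ToyApp()), ("regressed", RegressedApp())):
        print(label, run_regression(app))
```

Each check logs in with a controlled non-admin test account and hits the route or token directly, which is exactly what the navigation-only bug and the reusable-link bug slip past. Porting this to a real saved collection means replacing `ToyApp.request` with real HTTP calls and keeping the same assertions.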