Security checklist
Purpose
Support security sign-off by mapping controls to implementation notes.
| Item | Status guidance | Owner |
|---|---|---|
| SQL injection | Prefer frappe.db.sql with parameter bindings (%s / %(name)s placeholders and a values argument) or the query builder; review any SQL built with f-strings, % formatting or .format() (e.g. legacy helpers in api/user.py) | Dev |
| XSS | Frappe HTML-sanitizes string arguments of Guest calls unless the method is whitelisted with xss_safe=True; review every xss_safe=True method and any Guest API that returns HTML, and escape user-supplied data rendered into templates | Dev |
| CSRF | Frappe checks X-Frappe-CSRF-Token on state-changing requests made with the session cookie; requests authenticated with an API token or OAuth bearer header do not use the cookie session. Confirm the rule for the deployed Frappe version and never set ignore_csrf in a production site config | Framework + Dev |
| HTTPS | Terminate TLS at the reverse proxy / Cloudflare; redirect HTTP to HTTPS and send HSTS | Ops |
| Password hashing | Handled by the framework (user passwords are stored hashed in the __Auth table); never keep credentials in plain Data fields, use the Password fieldtype for stored secrets | Framework |
| Rate limiting | Reverse-proxy limits on /api and /login, plus Frappe's site-level rate_limit config and the frappe.rate_limiter.rate_limit decorator on expensive or Guest methods | Ops |
| Secrets in env | Database password, encryption_key and integration credentials live in site_config.json (or the environment), never in git | Ops |
| Audit trail | Enable Track Changes on sensitive DocTypes so the Version log records field-level diffs; add custom audit DocTypes where a business-level trail is required | Dev |
| Guest endpoints | Many methods are whitelisted with allow_guest=True: inventory them (see API inventory), justify each one, validate its inputs and rate-limit it | Dev |
| Secrets in source | Audit the codebase for hardcoded API keys and OAuth client secrets (e.g. integration helpers in large DocType controllers); treat any found as leaked: rotate them, move them to site config or a secrets store, and never commit new credentials | Dev + Ops |
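The SQL injection, XSS, Guest endpoints and Secrets in source rows all ask for a codebase review. The script below is an added example of how to automate that first pass with a static scan; it is not part of the project and uses only the Python standard library, so it runs outside a bench. It walks the AST of each file and flags frappe.db.sql calls whose query text is built at runtime, functions whitelisted with allow_guest=True (noting xss_safe=True separately, since those skip Frappe's argument sanitization for Guest calls), and string literals assigned to secret-looking names. The SAMPLE source, the STRIPE_API_KEY placeholder and the function names in it are constructed for the demonstration.

```python
"""Static audit for the checklist rows on dynamic SQL, Guest endpoints and
hardcoded secrets. Added example, not project code; standard library only."""
import ast
import re
import sys
from dataclasses import dataclass

# Names that should never be assigned a string literal in source.
SECRET_NAME = re.compile(r"(secret|api_?key|token|password)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str   # dynamic-sql | guest-endpoint | guest-xss-safe | hardcoded-secret
    line: int
    name: str


def _is_frappe_attr(node, *path):
    """True if node is the attribute chain frappe.<path...>, e.g. frappe.db.sql."""
    for attr in reversed(path):
        if not (isinstance(node, ast.Attribute) and node.attr == attr):
            return False
        node = node.value
    return isinstance(node, ast.Name) and node.id == "frappe"


def _is_dynamic_string(expr):
    """Query text assembled at runtime: f-string, '%' formatting, '+' or .format()."""
    if isinstance(expr, ast.JoinedStr):
        return True
    if isinstance(expr, ast.BinOp) and isinstance(expr.op, (ast.Mod, ast.Add)):
        return True
    return (isinstance(expr, ast.Call) and isinstance(expr.func, ast.Attribute)
            and expr.func.attr == "format")


def _whitelist_flags(dec):
    """Return allow_guest / xss_safe for a frappe.whitelist decorator, else None.
    Positional order follows frappe.whitelist(allow_guest, xss_safe, ...)."""
    call = dec if isinstance(dec, ast.Call) else None
    func = call.func if call else dec
    if not _is_frappe_attr(func, "whitelist"):
        return None
    args = dict(enumerate(call.args)) if call else {}
    kwargs = {k.arg: k.value for k in call.keywords} if call else {}

    def is_true(node):
        return isinstance(node, ast.Constant) and node.value is True

    return {
        "allow_guest": is_true(kwargs.get("allow_guest", args.get(0))),
        "xss_safe": is_true(kwargs.get("xss_safe", args.get(1))),
    }


def audit_source(source, filename="<string>"):
    """Scan one Python source text and return findings sorted by line."""
    tree = ast.parse(source, filename)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _is_frappe_attr(node.func, "db", "sql"):
            if node.args and _is_dynamic_string(node.args[0]):
                findings.append(Finding("dynamic-sql", node.lineno, "frappe.db.sql"))
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            for dec in node.decorator_list:
                flags = _whitelist_flags(dec)
                if flags and flags["allow_guest"]:
                    kind = "guest-xss-safe" if flags["xss_safe"] else "guest-endpoint"
                    findings.append(Finding(kind, node.lineno, node.name))
        elif isinstance(node, ast.Assign):
            value = node.value
            if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
                for target in node.targets:
                    if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                        findings.append(Finding("hardcoded-secret", node.lineno, target.id))
    return sorted(findings, key=lambda f: (f.line, f.kind))


# Constructed sample module: one hardcoded placeholder key, one injectable Guest
# endpoint, one xss_safe Guest endpoint, one correctly bound query, one legacy
# %-formatted query. None of this is real project code.
SAMPLE = '''
import frappe

STRIPE_API_KEY = "sk_test_000000"  # constructed placeholder value, not a real key

@frappe.whitelist(allow_guest=True)
def lookup_user(email):
    # vulnerable: user-controlled value interpolated into the query
    return frappe.db.sql(f"select name from `tabUser` where email = '{email}'")

@frappe.whitelist(allow_guest=True, xss_safe=True)
def render_banner(html):
    return html

@frappe.whitelist()
def lookup_user_safe(email):
    # bindings: the driver quotes the value
    return frappe.db.sql("select name from `tabUser` where email = %(email)s", {"email": email}, as_dict=True)

def legacy(name):
    return frappe.db.sql("select * from `tabX` where name = '%s'" % name)
'''


if __name__ == "__main__":
    # Usage: python audit.py path/to/app/**/*.py   (no paths: scans SAMPLE)
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("SAMPLE", SAMPLE)]
    for filename, src in sources:
        for f in audit_source(src, filename):
            print(f"{filename}:{f.line}: {f.kind} {f.name}")
```

The dynamic-SQL check is deliberately conservative: a query concatenated from two literals is flagged too, and a reviewer dismisses it. A clean result does not prove the file safe (a query built in a variable and passed by name is not caught), so treat the output as a work list for the rows above, not as a sign-off.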
Operational notes
- Rotate integration keys on a schedule, and immediately after any suspected leak; document the procedure and its owner in the client IT runbook.