academia/docs/OWASP_CHECKLIST.md

# OWASP Top 10 Security Checklist

## Estado: Validado

| # | Vulnerabilidad | Mitigación Implementada | Ubicación |
|---|---------------|-------------------------|-----------|
| A01 | **Broken Access Control** | No aplica (sin autenticación requerida) | N/A |
| A02 | **Cryptographic Failures** | HTTPS forzado en producción (HSTS) | `Program.cs:127` |
| A03 | **Injection** | FluentValidation + Regex sanitization, EF Core parameterized queries | `CreateStudentValidator.cs`, `EnrollStudentValidator.cs` |
| A04 | **Insecure Design** | Clean Architecture, input validation en todas las capas | Arquitectura por capas |
| A05 | **Security Misconfiguration** | Security headers (CSP, X-Frame-Options, etc.), Exception details disabled in prod | `Program.cs:106-130`, `GraphQLExtensions.cs:53` |
| A06 | **Vulnerable Components** | Dependencias actualizadas (.NET 10, Angular 21) | `*.csproj`, `package.json` |
| A07 | **Auth Failures** | No aplica (sin autenticación en este MVP) | N/A |
| A08 | **Data Integrity Failures** | Input validation, FluentValidation, GraphQL type safety | Validators |
| A09 | **Security Logging Failures** | Serilog structured logging, sensitive data filtering | `appsettings.json:38-45` |
| A10 | **Server-Side Request Forgery** | No endpoints que acepten URLs externas | N/A |

## Medidas de Seguridad Implementadas

### Backend (.NET)

1. **Input Validation**
   - FluentValidation con regex patterns
   - Sanitización de HTML/scripts
   - Longitud máxima de campos
   - Validación de formato email

2. **Security Headers**
   - `Content-Security-Policy`
   - `X-Content-Type-Options: nosniff`
   - `X-Frame-Options: DENY`
   - `Referrer-Policy: strict-origin-when-cross-origin`
   - `Permissions-Policy`
   - `Strict-Transport-Security` (producción)

3. **Rate Limiting**
   - 100 requests/minuto para queries GraphQL
   - 30 mutations/minuto
   - Queue limit para prevenir acumulación

4. **GraphQL Security**
   - Query depth limit: 5 niveles
   - Query complexity limit: 100
   - Execution timeout: 30 segundos
   - Pagination max: 50 items

5. **Logging Seguro**
   - Filtrado de datos sensibles (passwords, tokens)
   - Structured logging con Serilog
   - Rotación de logs (7 días)

### Frontend (Angular)

1. **XSS Prevention**
   - Angular sanitization por defecto
   - Content Security Policy

2. **CSRF Protection**
   - No cookies de sesión (stateless GraphQL)

3. **Secure Communication**
   - Solo HTTPS en producción
   - GraphQL sobre HTTPS

## Pruebas de Seguridad Recomendadas

```bash
# Test security headers
curl -I http://localhost:5000/graphql

# Test rate limiting (debe retornar 429 después de 100 requests)
for i in {1..150}; do curl -s -o /dev/null -w "%{http_code}\n" http://localhost:5000/graphql; done

# Test query depth (debe fallar con depth > 5)
curl -X POST http://localhost:5000/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{ students { enrollments { subject { professor { subjects { name } } } } } }"}'
```
docs: add project documentation and env template Environment: - .env.example template with all configuration variables - Database, API, GraphQL, and frontend settings Documentation: - Architecture Decision Records (ADR-001 to ADR-004) - Deployment guide with Docker and K8s instructions - OWASP security checklist - Code review checklist - Activity plan and deliverables Architecture diagrams (PlantUML): - Use cases, domain model, sequence diagrams - Component, ER, state, and deployment diagrams - C4 context diagram 2026-01-08 04:00:56 +00:00			`# OWASP Top 10 Security Checklist`

			`## Estado: Validado`

			`\| # \| Vulnerabilidad \| Mitigación Implementada \| Ubicación \|`
			`\|---\|---------------\|-------------------------\|-----------\|`
			`\| A01 \| Broken Access Control \| No aplica (sin autenticación requerida) \| N/A \|`
			\| A02 \| Cryptographic Failures \| HTTPS forzado en producción (HSTS) \| `Program.cs:127` \|
			\| A03 \| Injection \| FluentValidation + Regex sanitization, EF Core parameterized queries \| `CreateStudentValidator.cs`, `EnrollStudentValidator.cs` \|
			`\| A04 \| Insecure Design \| Clean Architecture, input validation en todas las capas \| Arquitectura por capas \|`
			\| A05 \| Security Misconfiguration \| Security headers (CSP, X-Frame-Options, etc.), Exception details disabled in prod \| `Program.cs:106-130`, `GraphQLExtensions.cs:53` \|
			\| A06 \| Vulnerable Components \| Dependencias actualizadas (.NET 10, Angular 21) \| `*.csproj`, `package.json` \|
			`\| A07 \| Auth Failures \| No aplica (sin autenticación en este MVP) \| N/A \|`
			`\| A08 \| Data Integrity Failures \| Input validation, FluentValidation, GraphQL type safety \| Validators \|`
			\| A09 \| Security Logging Failures \| Serilog structured logging, sensitive data filtering \| `appsettings.json:38-45` \|
			`\| A10 \| Server-Side Request Forgery \| No endpoints que acepten URLs externas \| N/A \|`

			`## Medidas de Seguridad Implementadas`

			`### Backend (.NET)`

			`1. Input Validation`
			`- FluentValidation con regex patterns`
			`- Sanitización de HTML/scripts`
			`- Longitud máxima de campos`
			`- Validación de formato email`

			`2. Security Headers`
			- `Content-Security-Policy`
			- `X-Content-Type-Options: nosniff`
			- `X-Frame-Options: DENY`
			- `Referrer-Policy: strict-origin-when-cross-origin`
			- `Permissions-Policy`
			- `Strict-Transport-Security` (producción)

			`3. Rate Limiting`
			`- 100 requests/minuto para queries GraphQL`
			`- 30 mutations/minuto`
			`- Queue limit para prevenir acumulación`

			`4. GraphQL Security`
			`- Query depth limit: 5 niveles`
			`- Query complexity limit: 100`
			`- Execution timeout: 30 segundos`
			`- Pagination max: 50 items`

			`5. Logging Seguro`
			`- Filtrado de datos sensibles (passwords, tokens)`
			`- Structured logging con Serilog`
			`- Rotación de logs (7 días)`

			`### Frontend (Angular)`

			`1. XSS Prevention`
			`- Angular sanitization por defecto`
			`- Content Security Policy`

			`2. CSRF Protection`
			`- No cookies de sesión (stateless GraphQL)`

			`3. Secure Communication`
			`- Solo HTTPS en producción`
			`- GraphQL sobre HTTPS`

			`## Pruebas de Seguridad Recomendadas`

			```bash
			`# Test security headers`
			`curl -I http://localhost:5000/graphql`

			`# Test rate limiting (debe retornar 429 después de 100 requests)`
			`for i in {1..150}; do curl -s -o /dev/null -w "%{http_code}\n" http://localhost:5000/graphql; done`

			`# Test query depth (debe fallar con depth > 5)`
			`curl -X POST http://localhost:5000/graphql \`
			`-H "Content-Type: application/json" \`
			`-d '{"query":"{ students { enrollments { subject { professor { subjects { name } } } } } }"}'`
			```