A01: Broken Access Control holds the #1 spot as the most critical web application security risk.

Access control ensures that users cannot act outside of their intended permissions. When it is "broken," an attacker can perform actions they shouldn't be allowed to, such as accessing other users' files, viewing sensitive data, or gaining administrative privileges.

Broken Access Control isn't just one bug; it’s a category that covers over 30 different weaknesses (CWEs). Common examples include:

• Insecure Direct Object References (IDOR): An attacker changes a parameter in a URL (e.g., app/user/123 to app/user/124) to view someone else's private account data.
• Vertical Privilege Escalation: A regular user accesses a restricted admin page by simply guessing the URL (e.g., /admin/config).
• Horizontal Privilege Escalation: A user accesses resources belonging to another user with the same permission level.
• Metadata Manipulation: An attacker modifies a JSON Web Token (JWT) or a cookie to change their role from "user" to "admin."
• CORS Misconfiguration: Improperly configured Cross-Origin Resource Sharing that allows unauthorized API access from untrusted origins.

How to prevent it:

• Prevention must happen on the server-side. Never trust the client (browser) to enforce security.
• Deny by Default: Start with zero permissions and explicitly grant access only to what is necessary.
• Principle of Least Privilege (PoLP): Ensure users and programs have only the minimum privileges necessary to complete their tasks.
• Centralized Access Control: Implement your authorization logic in a single, reusable module rather than scattering "if/else" checks throughout your code.
• Disable Directory Listing: Ensure web servers don't list file contents of directories and remove metadata (like .git) from the web root.
• Use Unique Identifiers: Avoid predictable IDs (like 1, 2, 3); use UUIDs to make it harder for attackers to guess resource locations.

CORS (Cross-Origin Resource Sharing): A browser security feature that uses HTTP headers to tell browsers whether a web application running at one origin has permission to access resources from a different origin.

XSS (Cross-Site Scripting): An attack where malicious scripts are injected into trusted websites.Sanitization: The process of cleaning user input (removing <script> tags, etc.) to prevent XSS.

Content Security Policy (CSP): An added layer of security that helps detect and mitigate XSS and data injection attacks by defining which dynamic resources are allowed to load.

JWT (JSON Web Token): An open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of a Header, Payload, and Signature.

Development Workflow & Testing

Git Flow Methodology:

A branching model for release management:

• Master/Main: Production-ready code.
• Develop: Integration branch for features.
• Feature branches: For specific new features.
• Hotfix branches: For quick production bug fixes.

npm ci (Clean Install): Used in automated environments (CI/CD). It is faster than npm install, deletes the node_modules folder first, and strictly follows the package-lock.json file.

Test Pyramid: A framework that suggests you should have many low-level Unit Tests, fewer Integration Tests, and even fewer high-level End-to-End (E2E) Tests.