SecureStartKit
SecurityFeaturesPricingDocsBlogChangelog
Sign inBuy Now
Home/Glossary/OWASP Top 10
Vulnerability Patterns

OWASP Top 10

Also known as: OWASP Top 10:2025, OWASP 2025

Definition

The OWASP Top 10 is the consensus list of the ten most critical web application security risks, updated by the Open Worldwide Application Security Project. The 2025 edition (current as of 2026) includes Broken Access Control as A01, Cryptographic Failures as A02, and a new A10 for Mishandling of Exceptional Conditions.

What is the OWASP Top 10?

A consensus list maintained by OWASP, the Open Worldwide Application Security Project. The list ranks the ten most impactful and prevalent web app vulnerability categories based on data from hundreds of organizations. It is updated every three to four years; the 2025 edition replaced the 2021 one.

What changed in OWASP Top 10:2025?

SSRF moved into A01 Broken Access Control, Supply Chain Failures moved to #3 from a sub-category of A06, A10 Mishandling of Exceptional Conditions is new for 2025, and the wording of A09 changed from "Logging and Monitoring" to "Logging and Alerting" to emphasize operational signal over forensic-only logs.

How does the Top 10 map to a Next.js + Supabase app?

A01 (broken access control) maps to RLS-off tables and IDOR via userId-from-payload. A02 (cryptographic failures) maps to service_role in client bundle and trusting getSession. A05 (injection) maps to XSS, CSRF, and SQL injection via raw RPC EXECUTE. Each category has a known architectural fix at the SecureStartKit layer rather than a per-route patch.

Learn more

  • OWASP Top 10 for Next.js + Supabase Apps
  • SQL Injection in Supabase Queries

Related terms

  • XSSXSS (Cross-Site Scripting) is a vulnerability where attacker-controlled content reaches a page and executes as JavaScript in the victim's browser. React mitigates XSS by default through JSX escaping, but the raw-HTML escape-hatch prop, raw HTML in MDX, and trusted-data assumptions still create injection paths.
  • CSRFCSRF (Cross-Site Request Forgery) is an attack where a malicious site causes the victim's browser to send a request to a target site using the victim's existing session cookies. In Next.js App Router, Server Actions defend against CSRF by checking the Origin header against the Host on every POST.
  • IDORIDOR (Insecure Direct Object Reference) is a vulnerability class where an application uses a user-supplied identifier (such as a userId or recordId) to look up data without verifying the requester is authorized to access that specific object. IDOR is the most common Server Action bug in AI-generated Next.js code.
  • Backend-only data accessBackend-only data access is an architectural pattern where the database is never queried directly from the browser. All queries run through Server Actions or Route Handlers using the service_role key, after server-side authentication and Zod validation. The browser only receives data the server explicitly returns.
← Back to full glossary