Security vulnerabilities in production code are expensive to fix late. Running a thorough security audit manually takes days. Here's the exact workflow I use with Claude Code to audit a codebase systematically — and why I stopped hitting rate limits mid-audit.
The problem with security audits
A real security audit isn't a single scan. It involves:
- Reading every authentication flow
- Tracing user input through to database queries
- Checking dependency versions against CVE databases
- Reviewing session management
- Auditing API endpoint authorization
For a medium-sized codebase (50k+ lines), this is easily a 4-6 hour Claude Code session. And if you're on the official Claude API with token rate limits, you'll hit a wall right in the middle of tracing a complex auth flow.
My audit workflow
Phase 1: Reconnaissance
First, I build a security-focused map of the codebase:
Audit the authentication and authorization system in this codebase:
1. List every route that requires authentication
2. Show me how session tokens are generated, stored, and validated
3. Identify any routes missing auth middleware
4. Show me where user input is used in database queries
This gives me a clear threat model before I start probing.
Phase 2: Input validation audit
For each of these endpoints, trace the user input path:
- Does input get sanitized before DB queries?
- Are there any raw string interpolations in SQL?
- What happens with unexpected data types?
- Are file upload paths validated?
SQL injection and XSS still account for the majority of real-world breaches. This phase is non-negotiable.
Phase 3: Authentication deep dive
Review the authentication implementation:
1. How are passwords hashed? (bcrypt? argon2? MD5? 😱)
2. Are JWT secrets properly rotated?
3. Is there rate limiting on login endpoints?
4. Can users enumerate valid email addresses via error messages?
5. Is the password reset flow secure?
I've found more critical vulnerabilities here than anywhere else. Password reset flows are notoriously broken.
Phase 4: Dependency audit
Review package.json and identify:
1. Packages with known CVEs in the installed version
2. Packages that haven't been updated in 2+ years
3. Dev dependencies accidentally included in production
4. Any packages with suspicious network access patterns
Phase 5: Generate the report
Generate a security audit report with:
- Executive summary (what's critical vs. low priority)
- Each finding with: severity, description, proof of concept, remediation steps
- Recommended fixes in priority order
This report format is what actually gets issues fixed — severity + proof of concept + fix in one place.
Why this hits rate limits
A full security audit involves:
- Reading the entire routes directory
- Tracing input through multiple middleware layers
- Cross-referencing dozens of files
- Generating a detailed report
On the official Claude API, I was hitting token limits during Phase 3 — right when I was tracing complex auth flows. Stopping mid-audit means losing context, re-reading files, and missing connections between components.
I switched to SimplyLouie ($2/month) specifically because security audits are one of the longest possible Claude Code sessions. The audit needs to be continuous — losing context halfway through means missing the very connections that reveal vulnerabilities.
Real findings from this workflow
Using this audit workflow, I've found:
- A password reset endpoint that didn't expire tokens (critical)
- An admin route missing auth middleware (critical)
- bcrypt rounds set to 1 instead of 12 (high)
- JWT secrets hardcoded in config files committed to git (critical)
- User IDs in URLs that could be incremented to access other users' data (high)
None of these were obvious from a quick look. They required tracing through the full request lifecycle.
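The first finding in that list, shown as an added example (not code from the post or from any audited codebase): a reset-token check that never expires, beside a hardened version that enforces expiry and single use. The in-memory store, the function names and the 15-minute lifetime are assumptions made for illustration.

```javascript
const { randomBytes, createHash, timingSafeEqual } = require('node:crypto');

// Assumed token lifetime; pick the value your policy requires.
const RESET_TTL_MS = 15 * 60 * 1000;

// Hash tokens before storing so a leaked table does not leak usable tokens.
const sha256 = (value) => createHash('sha256').update(String(value)).digest();

// Constructed in-memory store standing in for a password_resets table.
const resets = new Map(); // userId -> { hash, expiresAt, used }

function issueResetToken(userId, now = Date.now()) {
  const token = randomBytes(32).toString('hex'); // 256 bits from the CSPRNG
  resets.set(userId, {
    hash: sha256(token),
    expiresAt: now + RESET_TTL_MS,
    used: false,
  });
  return token; // delivered to the user out of band (e-mail link)
}

// Behaviour of the finding: expiresAt is stored but never checked,
// and a token can be redeemed any number of times.
function redeemVulnerable(userId, token) {
  const rec = resets.get(userId);
  return Boolean(rec) && timingSafeEqual(rec.hash, sha256(token));
}

// Hardened: reject unknown, used or expired records, compare digests in
// constant time, and invalidate the token before the password is changed.
function redeemHardened(userId, token, now = Date.now()) {
  const rec = resets.get(userId);
  if (!rec || rec.used) return false;
  if (now >= rec.expiresAt) {
    resets.delete(userId); // drop stale records instead of keeping them
    return false;
  }
  if (!timingSafeEqual(rec.hash, sha256(token))) return false;
  rec.used = true;
  return true;
}
```

During an audit, the question to answer for the real endpoint is whether all three checks (expiry, single use, constant-time comparison of a stored hash) exist on the redeem path, not only on the issue path.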
The rate limit moment
Here's when rate limits hurt most: you've just traced a suspicious input path through 4 files and you're about to ask Claude to confirm whether it's actually exploitable. That's the moment that matters. You cannot pick this up again in a new session — the context is gone.
For audit work especially, continuous sessions are worth paying for. At $2/month vs. $20/month, it's not even a real decision.
Start with this prompt
I'm running a security audit. Start with reconnaissance:
1. Map every route and its auth requirements
2. Find all places where user input touches the database
3. Show me the session/token management implementation
Be thorough — I'd rather you read too many files than miss a security boundary.
Security audits are one of the few tasks where an AI running out of context mid-task isn't just annoying — it's a real security risk. The vulnerability you miss because your session reset is the one that gets exploited.
If you want to run full security audits without worrying about token limits, SimplyLouie is $2/month. Start with the free 7-day trial.