Security capstone: threat-model and harden a web app

Take a small full-stack web app with login, session auth, a per-user resource API, and at least one OAuth/OIDC sign-in (your own, a deliberately-vulnerable starter like OWASP Juice Shop, or the scaffold below) and produce a threat model plus a hardened build that composes every security-track control — proving each fix with a concrete demonstration.

• Write a one-page threat model of a single sensitive request (e.g. GET /accounts/{id}/statements or a money transfer): list the trust boundaries it crosses, the controls at each (transport, authN, authZ, input, secrets, dependencies), and the seams between them. Map each risk to its OWASP Top 10 (2021) category.
• Authentication + OAuth/OIDC: wire 'Sign in with' via the authorization-code-with-PKCE flow; verify the access token server-side with a pinned algorithm allowlist (no alg:none, no RS256→HS256 confusion) and checked iss/aud/exp. Use the ID token only to establish identity, never to authorize API calls.
• Authorization: enforce object-level, deny-by-default access control — every resource endpoint checks owns(subject, object) on the actual record, and every privileged route checks role/permission server-side. Demonstrate an IDOR attempt being denied.
• Token handling + CSRF: store the session token in an HttpOnly + Secure + SameSite cookie (or document the localStorage XSS tradeoff if you keep it client-side), add a CSRF token or origin check, ensure no state change rides a GET, and add output encoding + a Content-Security-Policy to cut XSS at the source.
• Password storage: hash with Argon2id (or bcrypt cost 12+) and a per-user salt tuned to a few hundred ms; add rate limiting and lockout on login and password-reset so a strong hash isn't undone by an unthrottled endpoint.
• Secrets: remove every credential from the repo and config, load them from env/a secrets manager, and rotate anything that ever touched git history. Add secret-scanning to CI so a future leak is caught at push.
• Supply chain: enforce a lockfile with integrity hashes, scope/namespace internal packages and pin a single registry precedence (defend against dependency confusion), run a dependency audit, and generate an SBOM.

• The threat-model document maps each control to an OWASP category and explicitly names at least three seams between correct-looking layers (e.g. AuthN-without-AuthZ, HttpOnly-without-CSRF-token, strong-hash-without-rate-limit).
• A demo (script, test, or recording) shows the hardened app: a forged/unsigned JWT rejected, an IDOR attempt denied, a cross-site state-changing request blocked, and a login brute-force throttled — each with the before (vulnerable) behaviour next to the after.
• git log / a secret scan over history shows no live credentials remain in the repo, and the rotation of any previously-committed secret is documented.
• npm audit (or equivalent) plus a committed lockfile and generated SBOM are present; a written note explains how the registry precedence defends against dependency confusion.
• A one-page write-up names, for each layer, the control applied and the seam it closes — framed as the threat model, not a checklist.