OWASP Top 10 for AI Apps [2026 Security Cheat Sheet]

As of May 05, 2026, the secure baseline for AI-driven web apps is no longer one list. Builders need OWASP Top 10:2025 for web risk, OWASP Top 10 for LLM Applications 2025 for model-specific failures, and OWASP Top 10 for Agentic Applications 2026 when software can take action. This cheat sheet maps the overlap, gives copy-paste defaults, and keeps the focus on the controls teams actually ship.

• OWASP Top 10:2025 is the current web-app baseline and moves Security Misconfiguration to A02.
• Prompt Injection, Insecure Output Handling, and Excessive Agency are now routine design concerns for AI features.
• Most expensive incidents start with an ordinary flaw: weak auth, bad logging, over-broad CORS, or a poisoned dependency.
• The fastest improvement path is simple: least privilege, pinned supply chain, masked logs, strict egress, and human approval gates.

OWASP Map for AI Apps

For most teams, the right model is: start with the web list, then add AI overlays only where your application introduces model context, autonomous action, or multi-system orchestration.

Where The AI-Specific Lists Matter

• OWASP LLM Top 10:2025 matters when user input, retrieved content, or third-party output can influence model behavior.
• OWASP Agentic Applications 2026 matters when software can plan, select tools, or trigger external side effects.
• From the 2026 agentic guidance, the themes to watch first are goal hijack, tool misuse, identity and privilege abuse, agentic supply chain vulnerabilities, and unexpected code execution.

Live Search JS Filter

A cheat sheet page becomes much more usable when developers can filter risks and commands by keyword. The pattern below keeps the implementation small, fast, and framework-agnostic.

Markup Pattern

<aside class='toc-card sticky'>
  <nav aria-label='Table of contents'>
    <a href='#owasp-map'>OWASP Map</a>
    <a href='#commands-by-purpose'>Commands</a>
    <a href='#configuration-baseline'>Configuration</a>
  </nav>
</aside>

<label for='cheat-filter'>Filter the cheat sheet</label>
<input id='cheat-filter' type='search' placeholder='Try: prompt injection, csp, auth' />

<section id='cheat-grid'>
  <article class='risk-card' data-tags='a01 access control tenant auth tools'>...</article>
  <article class='risk-card' data-tags='llm01 prompt injection retrieval output'>...</article>
  <article class='risk-card' data-tags='a02 csp cors headers configuration'>...</article>
</section>

Behavior

const filter = document.querySelector('#cheat-filter');
const cards = [...document.querySelectorAll('.risk-card')];

function applyFilter(query) {
  const q = query.toLowerCase().trim();
  cards.forEach((card) => {
    const haystack = `${card.textContent} ${card.dataset.tags}`.toLowerCase();
    card.hidden = q !== '' && !haystack.includes(q);
  });
}

filter.addEventListener('input', (event) => {
  applyFilter(event.target.value);
});

document.addEventListener('keydown', (event) => {
  if (event.key === '/' && document.activeElement !== filter) {
    event.preventDefault();
    filter.focus();
  }

  if (event.key === 'Escape' && document.activeElement === filter) {
    filter.value = '';
    applyFilter('');
    filter.blur();
  }
});

Sticky ToC CSS

.toc-card.sticky {
  position: sticky;
  top: 6rem;
}

#cheat-grid {
  display: grid;
  gap: 1rem;
  grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
}

• Use data-tags so you can match on synonyms like auth, tenant, and session without polluting visible copy.
• Do not hide the search behind a modal. Slash-to-focus works best when the input is already visible.
• Keep the filter local in the browser. No network request is needed for a cheat sheet of this size.

Keyboard Shortcuts

Keyboard shortcuts are cheap UX leverage for reference content. They matter even more when the page is used during incident response or review meetings.

const sections = [...document.querySelectorAll('h2[id]')];
let shortcutBuffer = '';

function jumpSection(direction) {
  const y = window.scrollY + 8;
  const current = sections.findIndex((section) => section.offsetTop >= y);
  const nextIndex = direction === 'next'
    ? Math.min((current < 0 ? 0 : current + 1), sections.length - 1)
    : Math.max((current <= 0 ? 0 : current - 1), 0);
  sections[nextIndex]?.scrollIntoView({ behavior: 'smooth', block: 'start' });
}

document.addEventListener('keydown', (event) => {
  if (['INPUT', 'TEXTAREA'].includes(document.activeElement?.tagName)) return;

  if (event.key === 'j') jumpSection('next');
  if (event.key === 'k') jumpSection('prev');
  if (event.key === '?') document.querySelector('#shortcut-help')?.showModal();

  shortcutBuffer = `${shortcutBuffer}${event.key}`.slice(-2);
  if (shortcutBuffer === 'gh') window.scrollTo({ top: 0, behavior: 'smooth' });
});

Commands by Purpose

These are the highest-signal commands for a modern AI app pipeline: dependency audit, package integrity, image scanning, and runtime header checks. Keep them grouped by job so engineers can find the right check quickly.

Dependency Audit And Package Integrity

• Use npm audit for Node package vulnerability checks.
• Use npm audit signatures when your registry supports signatures.
• Use pip-audit for Python dependency review, especially model-serving and eval stacks.

npm audit
npm audit signatures
npm audit fix --package-lock-only
pip-audit -r requirements.txt

Containers And Deployables

• Scan the final image, not just the source repository.
• Filter to HIGH and CRITICAL first if you need a fast CI gate.

trivy image --severity HIGH,CRITICAL ghcr.io/acme/agent-api:prod

Headers, CORS, And Runtime Checks

• Check response headers from the public edge, not only from local dev.
• Probe CORS explicitly with a hostile origin value.
• Run the same checks against chat, retrieval, and tool-execution endpoints.

curl -I https://app.example.com
curl -I -H 'Origin: https://evil.example' https://app.example.com/api/chat
curl -I -H 'Origin: https://evil.example' https://app.example.com/api/agent/execute

What To Flag Immediately

• Any endpoint that reflects Access-Control-Allow-Origin: * with credentials-enabled flows.
• Any tool runner that accepts arbitrary URLs, shell fragments, SQL, or template strings.
• Any service using shared long-lived API keys across tenants or environments.

Configuration Baseline

If you only have time for one pass, start here. A02:2025 Security Misconfiguration is where many AI features fail because teams add models and agents on top of weak web defaults.

HTTP And Browser Controls

add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-$request_id'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; connect-src 'self' https://api.openai.com" always;
add_header Referrer-Policy 'strict-origin-when-cross-origin' always;
add_header X-Content-Type-Options 'nosniff' always;
add_header Permissions-Policy 'camera=(), microphone=(), geolocation=()' always;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;

• Set a narrow connect-src so browser-based AI features cannot call arbitrary hosts.
• Use nonces for first-party scripts instead of reopening the page with broad inline allowances.
• Apply the same header baseline to admin and internal tooling, not just public pages.

API Gateway And Agent Boundaries

routes:
  - path: /api/agent/execute
    auth: required
    rate_limit: 10r/s
    max_body_size: 256k
    allowed_tools:
      - search_docs
      - summarize_ticket
    approval_required_for:
      - send_email
      - purchase_asset
      - deploy_release
      - delete_record
    egress_allowlist:
      - api.openai.com
      - internal-search.service

• Define allowed tools at the gateway or orchestrator layer, not only in prompt text.
• Use separate identities for retrieval, chat, and action-taking services.
• Before storing traces, scrub them with a workflow like TechBytes' Data Masking Tool so tokens, emails, and customer IDs do not end up in logs or eval corpora.

Advanced Usage

Once the basics are in place, the next gains come from making model and agent boundaries explicit in policy, logging, and recovery design.

Approval Tiers For Tool Use

policy:
  read_only_tools:
    - search_docs
    - fetch_ticket
    - summarize_repo
  guarded_tools:
    - create_pull_request
    - send_email
    - write_crm_note
  destructive_tools:
    - delete_record
    - rotate_secret
    - deploy_release

rules:
  - if: tool in read_only_tools
    action: allow
  - if: tool in guarded_tools
    action: require_user_confirmation
  - if: tool in destructive_tools
    action: require_human_approval_and_ticket

• This directly reduces damage from Excessive Agency and the 2026 agentic risks around tool misuse and identity abuse.
• Store the policy outside the prompt so the model cannot rewrite its own authority boundary.
• Log the decision path: requested tool, matched rule, acting identity, approval source, and final result.

Retrieval And Context Hygiene

• Sanitize retrieved HTML, markdown, PDFs, and help-center content before it reaches the model.
• Label every context chunk with source, tenant, and trust level so authorization survives retrieval.
• Strip secrets, signed URLs, cookies, and internal-only notes before indexing.
• Pin embeddings, rerankers, and parsers like any other supply-chain component.

Failure Design

• Cap retries and recursive tool calls so an exception cannot become a cost-amplification loop.
• Fail closed on missing auth context, missing policy, or unknown tool names.
• Return safe partial responses instead of full stack traces, prompt text, or internal chain-of-thought artifacts.