b2acc9b115
### New Content - Learning Paths section in README (Junior/Senior/Power User/PM tracks) - examples/ folder with 18 ready-to-use templates: - 4 agents (code-reviewer, test-writer, security-auditor, refactoring) - 2 skills (TDD workflow, security checklist) - 3 commands (commit, review-pr, generate-tests) - 4 hooks (bash + PowerShell for security, formatting) - 3 config templates (settings, MCP, gitignore) - 2 memory templates (project + personal CLAUDE.md) ### Governance - CHANGELOG.md: Version history (1.0.0 → 1.1.0 → Unreleased) - CONTRIBUTING.md: Contribution guidelines for community ### Documentation - llms.txt: Updated structure with new files/folders This update makes the guide more actionable with concrete templates and provides clear learning paths for different skill levels. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
3.4 KiB
3.4 KiB
| name | description |
|---|---|
| security-checklist | Comprehensive security checklist for web applications |
Security Checklist Skill
Quick Security Audit
Authentication
- Passwords hashed with bcrypt/argon2 (cost factor >= 10)
- Session tokens are cryptographically random
- JWT tokens have short expiry (15min access, 7d refresh)
- Rate limiting on login endpoints
- Account lockout after failed attempts
Authorization
- Every API endpoint checks permissions
- No IDOR (Insecure Direct Object References)
- Role-based access control implemented
- Sensitive operations require re-authentication
Input Validation
- All user input validated server-side
- File uploads restricted by type and size
- SQL queries use parameterized statements
- HTML output encoded to prevent XSS
Data Protection
- Sensitive data encrypted at rest
- HTTPS enforced everywhere
- Secure cookies (HttpOnly, Secure, SameSite)
- No sensitive data in URLs or logs
Headers & CORS
- Content-Security-Policy header set
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY (or SAMEORIGIN)
- Strict-Transport-Security enabled
- CORS properly restricted
Code Patterns
SQL Injection Prevention
// VULNERABLE
db.query(`SELECT * FROM users WHERE id = ${userId}`);
// SECURE
db.query('SELECT * FROM users WHERE id = $1', [userId]);
XSS Prevention
// VULNERABLE
element.innerHTML = userInput;
// SECURE
element.textContent = userInput;
// SECURE (with sanitization)
element.innerHTML = DOMPurify.sanitize(userInput);
CSRF Protection
// Generate token
const csrfToken = crypto.randomBytes(32).toString('hex');
session.csrfToken = csrfToken;
// Validate on POST
if (req.body.csrf !== session.csrfToken) {
throw new ForbiddenError('Invalid CSRF token');
}
Secrets Management
// NEVER in code
const API_KEY = 'sk-abc123...';
// Environment variables
const API_KEY = process.env.API_KEY;
// Secrets manager (production)
const secret = await secretsManager.getSecret('api-key');
Security Headers Example
// Express middleware
app.use((req, res, next) => {
res.setHeader('X-Content-Type-Options', 'nosniff');
res.setHeader('X-Frame-Options', 'DENY');
res.setHeader('X-XSS-Protection', '1; mode=block');
res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
res.setHeader('Content-Security-Policy', "default-src 'self'");
next();
});
Dependency Security
# Check for vulnerabilities
npm audit
# Auto-fix what's possible
npm audit fix
# Check outdated packages
npm outdated
# Update dependencies
npm update
Logging Security Events
// Events to log
logger.security({
event: 'login_failed',
ip: req.ip,
email: req.body.email,
reason: 'invalid_password',
timestamp: new Date().toISOString()
});
// Never log
// - Passwords
// - Full credit card numbers
// - Session tokens
// - Personal data (in production)
Pre-Deployment Checklist
- Run
npm audit- no critical vulnerabilities - All secrets in environment variables
- Debug mode disabled
- Error messages don't expose internals
- HTTPS only (HTTP redirects to HTTPS)
- Database credentials rotated
- Logging configured (no sensitive data)
- Backup strategy tested