Security Anti-Patterns Guard for Node.js/TypeScript/Next.js
When to Activate
Activate this skill when generating ANY code involving:
- Node.js backend code
- TypeScript applications
- Next.js (App Router or Pages Router)
- Express/Fastify APIs
- Database queries (Prisma, Drizzle, raw SQL, MongoDB)
- Authentication/authorization logic
- File uploads or user input handling
- API endpoints or Server Actions
Critical Rules (Top 10)
- NEVER use string concatenation for SQL/NoSQL queries - use parameterized queries or ORM methods
- NEVER use
dangerouslySetInnerHTMLwith user input without DOMPurify sanitization - ALWAYS verify resource ownership (BOLA) -
where: { id, userId: session.user.id } - ALWAYS validate ALL external input with zod/yup at API boundaries
- NEVER hardcode secrets - use
process.env(notNEXT_PUBLIC_*for secrets) - ALWAYS use
crypto.randomBytes()orcrypto.randomUUID()- neverMath.random()for security - NEVER trust middleware alone for auth - verify in route handlers (defense in depth)
- ALWAYS hash passwords with bcrypt/argon2 - never MD5/SHA1/unsalted
- NEVER use
exec()with user input - useexecFile()with argument arrays - ALWAYS validate file uploads: extension, MIME type, size limits
Module Index
Reference these modules for specific vulnerability patterns:
| Module | Covers | OWASP Reference |
|---|---|---|
| injection.md | SQL, Command, NoSQL, Template, LDAP injection | A03:2021 |
| xss-output.md | XSS (Reflected, Stored, DOM), output encoding | A03:2021 |
| auth-access.md | BOLA, BFLA, auth, sessions, JWT | API1-3, API5 |
| crypto-secrets.md | Secrets management, encryption, hashing | A02:2021 |
| input-validation.md | Validation, mass assignment, path traversal, uploads | A03:2021, API3 |
| prototype-pollution.md | JS prototype pollution attacks | CWE-1321 |
| typescript-safety.md | Type safety gaps, runtime validation | CWE-843 |
| nextjs-security.md | Middleware bypass, Server Actions, SSRF | CVE-2025-29927, CVE-2025-66478 |
| rsc-security.md | RSC deserialization (React2Shell), DoS, Server Action abuse | CVE-2025-55182, CVE-2025-55184 |
| api-infra.md | Rate limiting, CORS, headers, error handling | API4, API6-7 |
| dependencies.md | Supply chain, slopsquatting, NPM malware, PhantomRaven | A06:2021, CWE-506 |
| nodejs-runtime.md | ReDoS, async hooks exhaustion, HTTP/2 DoS, child processes | CWE-1333, CVE-2025-59466 |
How to Use This Skill
When generating code:
- Identify applicable modules based on what you're writing
- Reference the specific module for detailed BAD/GOOD patterns
- Apply the GOOD pattern - never generate code matching BAD patterns
- Verify the output against the Critical Rules above
Quick Reference by Task
| Writing... | Reference |
|---|---|
| Database queries | references/injection.md, references/input-validation.md |
| API route/endpoint | references/auth-access.md, references/api-infra.md, references/input-validation.md |
| User authentication | references/auth-access.md, references/crypto-secrets.md |
| Form handling | references/input-validation.md, references/xss-output.md |
| File operations | references/input-validation.md, references/nodejs-runtime.md |
| Next.js Server Actions | references/nextjs-security.md, references/rsc-security.md, references/auth-access.md |
| React Server Components | references/rsc-security.md, references/nextjs-security.md |
| Third-party package usage | references/dependencies.md |
| Rendering user content | references/xss-output.md |
| Environment/config | references/crypto-secrets.md |
| Child processes | references/nodejs-runtime.md, references/injection.md |
Response Format
When this skill is active, ensure generated code:
- Includes necessary imports (zod, bcrypt, etc.)
- Shows the secure pattern being used
- Includes brief comments explaining security measure if non-obvious
- Does NOT include insecure alternatives "for reference"