Security Sentinel (World-Class Security Skill)
When to Use
ALWAYS use this skill when:
- Writing/reviewing API routes (especially POST/PATCH/PUT/DELETE)
- Implementing authentication or authorization
- Handling user input (forms, query params, file uploads)
- Working with database queries
- Processing file operations
- Managing environment variables and secrets
- Building payment processing features
- Implementing session management
- Handling sensitive data or encryption
- Before creating pull requests
- Before deployment
Comprehensive Documentation
This skill includes complete security references:
📚 Core References (10,426 lines total)
-
owasp-top-10-complete.md (2,133 lines) - Complete OWASP Top 10 with code examples
- A01: Broken Access Control (IDOR, path traversal)
- A02: Cryptographic Failures (weak hashing, hardcoded secrets)
- A03: Injection (SQL, NoSQL, Command injection)
- A04: Insecure Design (race conditions, rate limiting)
- A05: Security Misconfiguration (CORS, error messages)
- A06: Vulnerable Components (dependency management)
- A07: Authentication Failures (weak passwords, MFA)
- A08: Integrity Failures (supply chain, deserialization)
- A09: Logging Failures (audit trails, monitoring)
- A10: SSRF (URL validation, IP blocking)
-
authentication-patterns.md (1,529 lines) - Complete authentication guide
- JWT token authentication
- Session-based authentication
- Password hashing (bcrypt, Argon2)
- Password reset flow
- Email verification
- Multi-factor authentication (TOTP)
- OAuth 2.0 (GitHub, Google)
- Passwordless authentication (magic links)
- Refresh token pattern
-
authorization-patterns.md (1,062 lines) - Access control implementation
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Middleware protection
- API route protection
- Server Action protection
- Row-level security (Drizzle patterns)
- Permission system
- Resource ownership validation
-
input-validation-complete.md (900 lines) - Zod validation for everything
- String, number, boolean, enum validation
- Email, URL, phone, UUID validation
- File upload validation (images, PDFs, CSVs)
- Password strength requirements
- Credit card validation (Luhn algorithm)
- IP address validation (v4, v6)
- Async validation (database checks)
- Error handling and display
-
sql-injection-prevention.md (741 lines) - Drizzle ORM security
- Parameterized queries (always safe)
- Dynamic query building
- Raw SQL safety patterns
- LIKE query sanitization
- Database schema security
- Testing for SQL injection
-
xss-prevention.md (630 lines) - React/Next.js XSS protection
- React's built-in escaping
- dangerouslySetInnerHTML with DOMPurify
- URL sanitization
- Content Security Policy (CSP)
- User-generated content handling
- innerHTML safety
-
csrf-prevention.md (597 lines) - Cross-Site Request Forgery protection
- SameSite cookies (primary defense)
- CSRF tokens implementation
- Double submit cookie pattern
- Server Actions protection
- Origin header validation
-
secret-management.md (547 lines) - Secure secret handling
- Environment variables best practices
- Secret rotation strategies
- Encryption at rest (AES-256-GCM)
- Secret detection (gitleaks, trufflehog)
- Production secrets (Vercel, AWS, Vault)
-
rate-limiting-patterns.md (826 lines) - Prevent API abuse
- In-memory rate limiting
- Redis-based rate limiting
- API route protection
- Server Action protection
- IP-based rate limiting
- User-based rate limiting
- Sliding window algorithm
- Token bucket algorithm
-
security-checklist.md (471 lines) - Pre-deployment audit (250+ items)
- Authentication security (passwords, sessions, JWT, MFA)
- Authorization security (access control, RLS)
- Input validation
- Data security (secrets, logging, database)
- File upload security
- Rate limiting
- Security headers (CSP, CORS, HSTS)
- Error handling
- Dependency security
- Monitoring and logging
- Infrastructure security
- Compliance (GDPR, PCI DSS)
🛠️ Security Tools
- validate-security.py (414 lines) - Automated vulnerability scanner
- Detects 20+ vulnerability types
- Scans for hardcoded secrets (API keys, passwords, tokens)
- Checks for SQL injection patterns
- Detects XSS vulnerabilities (dangerouslySetInnerHTML, innerHTML)
- Finds eval() and Function() usage
- Identifies weak cryptography (MD5, SHA1)
- Detects insecure randomness
- Checks for command injection
- Validates path traversal prevention
- Tests password hashing strength
- Audits JWT security
- Checks CORS configuration
- Validates cookie security (httpOnly, secure)
- Reports TypeScript issues (@ts-ignore, any)
- Exits with error on CRITICAL/HIGH issues
- Identifies XSS vulnerabilities
- Finds eval() and Function() usage
- Detects weak cryptography (MD5, SHA1)
- Checks for command injection
- Validates password hashing
- Finds CORS misconfigurations
- Checks for missing httpOnly cookies
- Reports TypeScript issues (@ts-ignore, any types)
🚀 Quick Start
Before implementing ANY security-sensitive feature:
# 1. Read the relevant guide
cat owasp-top-10-complete.md
cat authentication-patterns.md
# 2. Implement following patterns
# 3. Run security scanner
python validate-security.py src/
# 4. Check against security checklist
cat security-checklist.md
When to Use
OWASP Top 10 Security Checks
1. Injection Attacks
SQL Injection
// ❌ DON'T: String concatenation in queries
const query = `SELECT * FROM users WHERE email = '${email}'`
// Vulnerable to: email = "' OR '1'='1"
// ✅ DO: Use Prisma (parameterized queries)
const user = await prisma.user.findUnique({
where: { email },
})
Command Injection
// ❌ DON'T: Unvalidated shell commands
const fileName = req.body.fileName
exec(`cat ${fileName}`) // Vulnerable to: fileName = "; rm -rf /"
// ✅ DO: Validate input and use safe APIs
const allowedFiles = ['log.txt', 'data.csv']
if (!allowedFiles.includes(fileName)) {
throw new Error('Invalid file name')
}
const content = await fs.readFile(path.join(SAFE_DIR, fileName))
NoSQL Injection
// ❌ DON'T: Direct object insertion
const user = await db.users.findOne({ email: req.body.email })
// Vulnerable to: { email: { $ne: null } }
// ✅ DO: Validate input with Zod
const emailSchema = z.string().email()
const email = emailSchema.parse(req.body.email)
const user = await db.users.findOne({ email })
2. Broken Authentication
Password Storage
// ❌ DON'T: Plain text passwords
const user = await prisma.user.create({
data: {
email,
password, // Never store plain text!
},
})
// ✅ DO: Hash with bcrypt
import bcrypt from 'bcrypt'
const hashedPassword = await bcrypt.hash(password, 12) // 12 rounds minimum
const user = await prisma.user.create({
data: {
email,
password: hashedPassword,
},
})
Session Management
// ❌ DON'T: Weak session tokens
const sessionId = Math.random().toString()
// ✅ DO: Cryptographically secure tokens
import crypto from 'crypto'
const sessionId = crypto.randomBytes(32).toString('hex')
// ✅ DO: Set secure session cookie
res.setHeader('Set-Cookie', [
`session=${sessionToken}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`,
])
JWT Security
// ❌ DON'T: Weak secret
const token = jwt.sign(payload, 'secret123')
// ✅ DO: Strong secret from environment
const token = jwt.sign(payload, process.env.JWT_SECRET!, {
expiresIn: '1h',
algorithm: 'HS256',
})
// ✅ DO: Verify JWT properly
try {
const decoded = jwt.verify(token, process.env.JWT_SECRET!)
// Use decoded data
} catch (error) {
thr