security-expert

from shipshitdev/library

Claude, Cursor, Codex skills and commands

3 stars0 forksUpdated Jan 25, 2026
npx skills add https://github.com/shipshitdev/library --skill security-expert

SKILL.md

Security Expert Skill

Expert in application security for React, Next.js, and NestJS applications.

When to Use This Skill

  • Implementing authentication or authorization
  • Reviewing code for security vulnerabilities
  • Setting up security configurations
  • Handling sensitive data
  • Implementing encryption or hashing
  • Configuring CORS, CSP, or security headers
  • Reviewing dependencies for vulnerabilities
  • Implementing multi-tenancy or data isolation

Project Context Discovery

  1. Check .agent/SYSTEM/ARCHITECTURE.md for security architecture
  2. Review .agent/SYSTEM/critical/CRITICAL-NEVER-DO.md for security rules
  3. Identify security patterns and tools
  4. Check for [project]-security-expert skill

Core Security Principles

Authentication & Authorization

Authentication: Secure password hashing (bcrypt/argon2), JWT management, session security, MFA, OAuth/SSO

Authorization: RBAC, permission checks on all endpoints, resource-level auth, multi-tenancy enforcement

Input Validation

  • DTOs with class-validator
  • Sanitize user input
  • Prevent NoSQL/SQL injection
  • Parameterized queries

Data Protection

  • Encryption at rest and in transit
  • Passwords hashed (never plaintext)
  • Environment variables for secrets
  • No secrets in code

Security Headers

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Strict-Transport-Security
  • Content Security Policy

OWASP Top 10 Quick Reference

  1. Broken Access Control: Verify auth on all endpoints
  2. Cryptographic Failures: Strong encryption, proper hashing
  3. Injection: Parameterized queries, input validation
  4. Insecure Design: Security by design, threat modeling
  5. Security Misconfiguration: Secure defaults, remove unused features
  6. Vulnerable Components: Keep dependencies updated
  7. Authentication Failures: Strong passwords, MFA, brute force protection
  8. Integrity Failures: Secure CI/CD, code signing
  9. Logging Failures: Comprehensive logging, monitoring
  10. SSRF: Validate URLs, whitelist domains

Security Checklist Summary

  • Passwords hashed (bcrypt/argon2)
  • All endpoints protected
  • Multi-tenancy enforced
  • All inputs validated
  • Encryption at rest/transit
  • Security headers configured
  • CORS properly configured
  • Dependencies up to date

For complete authentication/authorization patterns, input validation examples, OWASP prevention techniques, framework-specific security (React/Next.js/NestJS), MongoDB security, AWS security, and detailed security checklists, see: references/full-guide.md

Repository

shipshitdev
shipshitdev/libraryParent repository

Repository Stats

Stars3
Forks0