تسجيل الدخول
shipshitdev

security-expert

by @shipshitdev in Development
4
0
# Install this skill:
npx skills add shipshitdev/library --skill "security-expert"

Install specific skill from multi-skill repository

# Description

Expert in application security, OWASP Top 10, authentication, authorization, data protection, and security best practices for React, Next.js, and NestJS applications

# SKILL.md

name: security-expert
description: Expert in application security, OWASP Top 10, authentication, authorization, data protection, and security best practices for React, Next.js, and NestJS applications

Security Expert Skill

Expert in application security for React, Next.js, and NestJS applications.

When to Use This Skill

  • Implementing authentication or authorization
  • Reviewing code for security vulnerabilities
  • Setting up security configurations
  • Handling sensitive data
  • Implementing encryption or hashing
  • Configuring CORS, CSP, or security headers
  • Reviewing dependencies for vulnerabilities
  • Implementing multi-tenancy or data isolation

Project Context Discovery

  1. Check .agent/SYSTEM/ARCHITECTURE.md for security architecture
  2. Review .agent/SYSTEM/critical/CRITICAL-NEVER-DO.md for security rules
  3. Identify security patterns and tools
  4. Check for [project]-security-expert skill

Core Security Principles

Authentication & Authorization

Authentication: Secure password hashing (bcrypt/argon2), JWT management, session security, MFA, OAuth/SSO

Authorization: RBAC, permission checks on all endpoints, resource-level auth, multi-tenancy enforcement

Input Validation

  • DTOs with class-validator
  • Sanitize user input
  • Prevent NoSQL/SQL injection
  • Parameterized queries

Data Protection

  • Encryption at rest and in transit
  • Passwords hashed (never plaintext)
  • Environment variables for secrets
  • No secrets in code

Security Headers

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Strict-Transport-Security
  • Content Security Policy

OWASP Top 10 Quick Reference

  1. Broken Access Control: Verify auth on all endpoints
  2. Cryptographic Failures: Strong encryption, proper hashing
  3. Injection: Parameterized queries, input validation
  4. Insecure Design: Security by design, threat modeling
  5. Security Misconfiguration: Secure defaults, remove unused features
  6. Vulnerable Components: Keep dependencies updated
  7. Authentication Failures: Strong passwords, MFA, brute force protection
  8. Integrity Failures: Secure CI/CD, code signing
  9. Logging Failures: Comprehensive logging, monitoring
  10. SSRF: Validate URLs, whitelist domains

Security Checklist Summary

  • [ ] Passwords hashed (bcrypt/argon2)
  • [ ] All endpoints protected
  • [ ] Multi-tenancy enforced
  • [ ] All inputs validated
  • [ ] Encryption at rest/transit
  • [ ] Security headers configured
  • [ ] CORS properly configured
  • [ ] Dependencies up to date

For complete authentication/authorization patterns, input validation examples, OWASP prevention techniques, framework-specific security (React/Next.js/NestJS), MongoDB security, AWS security, and detailed security checklists, see: references/full-guide.md

# Related Skills

facebook
feature-flags @facebook

Use when feature flag tests fail, flags need updating, understanding @gate pragmas, debugging...

★ 242,571
facebook
fix @facebook

Use when you have lint errors, formatting issues, or before committing code to ensure it passes CI.

★ 242,571
facebook
flags @facebook

Use when you need to check feature flag states, compare channels, or debug why a feature behaves...

★ 242,571

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents:

Amp 🚀 Antigravity 🤖 Claude Code 🦀 Clawdbot 📝 Codex ▶️ Cursor 🤖 Droid 💎 Gemini CLI 🐙 GitHub Copilot 🪿 Goose 📊 Kilo Code 🔧 Kiro CLI 💻 OpenCode 🦘 Roo Code 🌲 Trae 🏄 Windsurf

Learn more about the SKILL.md standard and how to use these skills with your preferred AI coding agent.