Secure Coding Skill
When to use
- When implementing authentication/authorization.
- When handling user input (forms, query params).
- When protecting sensitive data (PII, secrets).
Checklist / Guidelines
1. Injection Prevention
- SQL Injection: Always use parameterized queries (bind variables) or ORM methods. Never concatenate strings into queries.
- Command Injection: Avoid `exec()` with user input. Use `spawn()` or `execFile()` with an argument array, so user input is never interpreted by a shell.
2. Authentication & Secrets
- Secrets: Never commit `.env` or secrets to git.
- Passwords: Never store plain text. Use `bcrypt` or `argon2`.
- JWT: Set expiration (`exp`). Sign with strong secrets. Validate `aud` and `iss`.
3. Data Validation
- Input: Validate ALL input (params, body, headers) using schemas (Zod, JSON Schema).
- Output: Sanitize output to prevent XSS (Cross-Site Scripting).
4. Headers (Helmet)
- Ensure security headers are set:
  - `Content-Security-Policy` (CSP)
  - `X-Content-Type-Options: nosniff`
  - `X-Frame-Options: DENY`
5. Denial of Service (DoS)
- Rate Limiting: Implement rate limits on public APIs.
- Payload Size: Limit JSON body size (e.g. `limit: '10kb'`).
- Regex: Avoid catastrophic backtracking in Regex.
6. Logging
- Sanitization: Strip tokens, passwords, and PII from logs before writing.