AgentSkillsCN

secure-coding

Security best practices for Node.js and web applications. Use this skill when reviewing code for vulnerabilities or when implementing sensitive features (authentication, data handling).

SKILL.md
---
name: secure-coding
description: Security best practices for Node.js and web applications. Use when reviewing code for vulnerabilities or implementing sensitive features (auth, data handling).
---

Secure Coding Skill

When to use

  • When implementing Authentication/Authorization.
  • When handling user input (forms, query params).
  • When protecting sensitive data (PII, secrets).

Checklist / Guidelines

1. Injection Prevention

  • SQL Injection: Always use parameterized queries (bind variables) or ORM methods. Never concatenate strings into queries.
  • Command Injection: Never pass user input to exec(), which runs the command through a shell. Use spawn() or execFile() with the arguments supplied as an array.

2. Authentication & Secrets

  • Secrets: Never commit .env or secrets to git.
  • Passwords: Never store plain text. Use bcrypt or argon2.
  • JWT: Set expiration (exp). Sign with strong secrets. Validate aud and iss.

3. Data Validation

  • Input: Validate ALL input (params, body, headers) using schemas (Zod, JSON Schema).
  • Output: Encode output for the context it is rendered in (HTML body, attribute, URL, script) to prevent XSS (Cross-Site Scripting).

4. Headers (Helmet)

  • Ensure security headers are set:
    • Content-Security-Policy (CSP)
    • X-Content-Type-Options: nosniff
    • X-Frame-Options: DENY

5. Denial of Service (DoS)

  • Rate Limiting: Implement rate limits on public APIs.
  • Payload Size: Limit JSON body size (limit: '10kb').
  • Regex: Avoid catastrophic backtracking (ReDoS) in regular expressions applied to user input.

6. Logging

  • Sanitization: Strip tokens, passwords, and PII from logs before writing.