AgentSkillsCN

security-checklist

This skill applies to OWASP security standards, security review, authentication, XSS attack protection, SQL injection prevention, CSRF (cross-site request forgery) protection, input validation, secure coding practices, and vulnerability scanning techniques.

SKILL.md
--- frontmatter
name: security-checklist
description: This skill should be used for OWASP, security review, authentication, XSS, SQL injection prevention, CSRF, input validation, secure coding, vulnerability scanning
whenToUse: Security review, auth security, vulnerability prevention, input validation, secure coding, OWASP Top 10, penetration testing prep, security audit
whenNotToUse: Non-security code review, general code quality
seeAlso:
  - skill: api-design
    when: securing API endpoints
  - skill: database-patterns
    when: SQL injection prevention

Security Checklist

Security review checklist based on OWASP Top 10.

Input Validation

  • Validate all user input
  • Use parameterized queries (no SQL concat)
  • Sanitize HTML output (prevent XSS)
  • Validate file uploads (type, size)

Authentication

  • Hash passwords (bcrypt, argon2)
  • Use secure session management
  • Implement rate limiting
  • Require strong passwords

Authorization

  • Check permissions on every request
  • Use principle of least privilege
  • Validate ownership of resources

Data Protection

  • Use HTTPS everywhere
  • Don't log sensitive data
  • Encrypt sensitive data at rest
  • No secrets in source code

Headers

Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000
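As an added example that is not part of the skill file, the following Python function audits a response's headers against the four entries above (presence, recommended values, a CSP that at least sets default-src and avoids unsafe-inline/unsafe-eval, and an HSTS max-age of at least one year); the sample header sets are constructed, not captured from any real site.

```python
"""Audit an HTTP response's security headers against the checklist above."""
import re

# Header -> accepted values; None means the value is checked separately below.
REQUIRED = {
    "content-security-policy": None,
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
    "strict-transport-security": None,
}
MIN_HSTS_AGE = 31536000  # one year, the value the checklist uses


def audit_security_headers(headers):
    """Return a list of findings; an empty list means every check passed.
    Header names are compared case-insensitively, as HTTP requires."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in REQUIRED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif allowed and h[name].lower() not in allowed:
            findings.append(f"weak {name}: {h[name]!r}")

    csp = h.get("content-security-policy", "")
    if csp and "default-src" not in csp:
        findings.append("csp lacks a default-src fallback")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("csp allows unsafe-inline/unsafe-eval")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < MIN_HSTS_AGE):
        findings.append(f"hsts max-age below {MIN_HSTS_AGE}: {hsts!r}")
    return findings


# Constructed sample responses (not captured from any real site).
GOOD = {"Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": "max-age=31536000"}
WEAK = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "ALLOWALL",
        "Strict-Transport-Security": "max-age=300"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```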

Common Vulnerabilities

  Vuln            Prevention
  SQL Injection   Parameterized queries
  XSS             Output encoding
  CSRF            CSRF tokens
  Secrets         Environment variables