Security Skill
Loaded by: RC-001, QA-006, and all agents during security tasks | Version: 1.0
OWASP Top 10 Checklist
- •Injection - Parameterized queries, input validation, output encoding
- •Broken Auth - Strong passwords, MFA, secure sessions
- •Sensitive Data - HTTPS, encryption at rest, PII handling
- •XXE - Disable XML external entities and DTD processing
- •Broken Access Control - RBAC, resource ownership, path traversal prevention
- •Security Misconfiguration - No defaults, no info leaks, minimal surface
- •XSS - Output encoding, CSP headers, sanitized DOM manipulation
- •Insecure Deserialization - Input validation, type checking
- •Vulnerable Components - Regular dependency audits, no known CVEs
- •Insufficient Logging - Security events logged (without sensitive data), alerting
Security Headers
code
Content-Security-Policy: default-src 'self' X-Content-Type-Options: nosniff X-Frame-Options: DENY X-XSS-Protection: 1; mode=block Strict-Transport-Security: max-age=31536000; includeSubDomains Referrer-Policy: strict-origin-when-cross-origin
Absolute Rules
- •NEVER hardcode secrets, API keys, or passwords
- •NEVER trust client-side validation alone
- •NEVER log sensitive data (passwords, tokens, PII)
- •NEVER use eval() with user input
- •NEVER disable HTTPS in production