Apply Security Patterns
Overview
Security is boundary discipline: authenticate, authorize, validate inputs, avoid data leakage, and make unsafe classes of bugs hard to write.
This is not a full security audit. If the change is high-risk (auth overhaul, multi-tenant isolation, crypto, payments, regulated data), escalate to a security review.
Workflow
- •Identify what changed (the attack surface):
- •inbound boundaries: HTTP/gRPC/GraphQL/WS handlers, webhooks
- •outbound boundaries: HTTP/gRPC/SDK clients, redirects, proxying, fetch-by-URL
- •state boundaries: DB queries, object storage, caches, queues
- •operational boundaries: logs/telemetry, admin endpoints, config/secrets
- •Classify data sensitivity:
- •credentials/secrets, session tokens, API keys
- •PII and regulated data
- •multi-tenant identifiers and access scopes
- •Apply baseline controls:
- •Authn: verify identity and token validity (issuer/audience/expiry).
- •Authz: check permissions per action (and per tenant/resource).
- •Input validation: treat external inputs as
unknown; decode/validate at the edge. - •Injection safety: parameterize queries; avoid string-built interpreters (SQL, shell, template injection).
- •Secrets safety: keep secrets out of logs, error messages, and client responses.
- •Harden outbound calls:
- •SSRF controls (allowlist hosts; block link-local/metadata IPs; disable redirect-follow where unsafe)
- •TLS verification and timeouts/cancellation (see
apply-resilience-patterns)
- •Verify:
- •add/extend consumer-visible tests for authz and validation (
consumer-test-coverage) - •run any available dependency scanning / linters in the target repo
- •sanity-check logs/metrics do not include sensitive fields (
apply-observability-patterns)
- •add/extend consumer-visible tests for authz and validation (
Checklist (High-Signal)
- •Authn: token validation, session/cookie settings, CSRF (if cookie-based), re-auth for sensitive actions.
- •Authz: resource/tenant checks at every entrypoint; no “UI-only” authorization.
- •Inputs: strict decoding; file uploads have size/type limits; URLs are parsed and validated.
- •DB: parameterized queries; least-privilege DB user; no leaking of existence via error detail (where relevant).
- •Secrets: never log credentials; rotate/expire tokens; store secrets in secret manager/env (not source).
- •Telemetry: logs redact/omit PII; metrics have bounded labels; traces avoid raw payloads.
- •Dependencies: pin and update; remove unused; verify integrity/lockfiles.
Guardrails
- •Don’t build your own crypto; use well-reviewed libraries and platform primitives.
- •Don’t weaken authz “temporarily”; if you must, add explicit expiry and a follow-up task.
- •Don’t log raw request bodies/headers by default; explicitly whitelist safe fields.
- •Don’t accept user-provided URLs for server-side fetch without SSRF controls.
References
- •Deeper checklist:
references/checklists.md - •Boundary resiliency:
apply-resilience-patterns - •Telemetry privacy:
apply-observability-patterns - •Consumer-visible verification:
consumer-test-coverage - •Shared auth/config primitives (when 2+ services need the same guardrails):
shared-platform-library
Output Template
When applying this skill, return:
- •What changed (attack surface) and what data is sensitive.
- •The controls applied (authn/authz/validation/injection/SSRF/logging).
- •Verification steps (tests + local checks) and any follow-ups needing a dedicated security review.