AgentSkillsCN

web-security-hardening

面向 Web 应用的安全审计 checklist。在审查、审计或强化 Web 应用的安全态势时使用。涵盖速率限制、认证头、IP 封禁、CORS、安全中间件、输入校验、文件上传限制、ORM 使用以及密码哈希等环节。适用于“审查安全性”、“加固此应用”、“安全审计”、“排查漏洞”等需求,或在构建/审查 API 端点时使用。

SKILL.md
--- frontmatter
name: web-security-hardening
description: Security audit checklist for web applications. Use when reviewing, auditing, or hardening a web app's security posture. Covers rate limiting, auth headers, IP blocking, CORS, security middleware, input validation, file upload limits, ORM usage, and password hashing. Triggers on requests like "review security", "harden this app", "security audit", "check for vulnerabilities", or when building/reviewing API endpoints.

Web Security Hardening

Security audit checklist for web applications. Run through each item when reviewing or building web apps.

Audit Workflow

  1. Identify the framework (Node.js/Express, Python/Django/Flask, etc.)
  2. Review each checklist item below
  3. For implementation details, see framework-specific references:
  4. For production deployments, see references/production-gcp.md for extended checklist covering:
    • GCP infrastructure (IAM, networking, secrets)
    • CI/CD pipeline security
    • Monitoring & incident response
  5. Report findings with severity and remediation steps

Security Checklist

1. Rate Limiting

Risk: DoS attacks, brute force attempts, API abuse

Check for:

  • Per-endpoint rate limits (stricter on auth endpoints)
  • Rate limit headers in responses (X-RateLimit-*)
  • Appropriate limits for different user tiers

2. Security & Authorization Headers

Risk: XSS, clickjacking, MIME sniffing, info leakage

Required headers:

  • Strict-Transport-Security (HSTS)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY or SAMEORIGIN
  • Content-Security-Policy
  • Authorization header validation on protected routes

3. IP Block List (Public APIs)

Risk: Abuse from known bad actors, bot traffic

Check for:

  • IP-based blocking mechanism
  • Integration with threat intelligence feeds (optional)
  • Logging of blocked requests

4. CORS Configuration

Risk: Unauthorized cross-origin requests, data theft

Check for:

  • Explicit origin whitelist (not * in production)
  • Appropriate methods and headers allowed
  • Credentials handling if needed

5. Security Middleware

Risk: Common web vulnerabilities

Check for framework-appropriate middleware:

  • Node.js: helmet
  • Python: django-secure, flask-talisman
  • Sets multiple security headers automatically

6. Input Validation

Risk: Injection attacks, data corruption, XSS

Check for:

  • Frontend validation (UX, not security)
  • Backend validation (required for security)
  • Schema validation libraries (Zod, Joi, Pydantic, etc.)
  • Sanitization of user input before storage/display

7. File Upload Limits

Risk: Storage exhaustion, malicious file uploads

Check for:

  • Max file size limits
  • Allowed file type restrictions (MIME + extension)
  • File content validation (magic bytes)
  • Secure storage location (outside webroot)

8. ORM for Database Access

Risk: SQL injection

Check for:

  • Parameterized queries (never string concatenation)
  • ORM usage (Prisma, Sequelize, SQLAlchemy, Django ORM)
  • If raw SQL needed: prepared statements only

9. Password Hashing

Risk: Credential theft, rainbow table attacks

Check for:

  • Strong algorithm: bcrypt, Argon2, or scrypt
  • Appropriate cost factor (bcrypt rounds ≥10)
  • No MD5, SHA1, or plain SHA256 for passwords
  • No plaintext password storage or logging

Audit Report Format

markdown
## Security Audit: [App Name]

### Summary
- **Items Passing**: X/9
- **Critical Issues**: X
- **Recommendations**: X

### Findings

#### [Item Name] - [PASS/FAIL/PARTIAL]
**Severity**: Critical/High/Medium/Low
**Finding**: [Description]
**Location**: [File/endpoint]
**Remediation**: [Steps to fix]