Security Auditor Skill (Extended)
This skill provides a framework for conducting security audits, focusing on risks specific to game engines and web applications.
Audit Scope
- Content Security Policy (CSP):
  - Verify removal of `unsafe-inline` and `unsafe-eval`.
  - Check that `wasm-unsafe-eval` is only used where strictly necessary (e.g., specific game engine adapters).
- Dependency Vulnerabilities:
  - Run `pnpm audit` regularly.
  - Review `npm` package overrides or resolutions.
- Wasm Security:
  - Validate the source and integrity of `.wasm` binaries.
  - Ensure isolation (e.g., running untrusted Wasm in a sandboxed Worker or iframe).
- Input Validation:
  - Sanitize all user inputs, especially those passed to game engines (FEN strings, moves).
- Headers:
  - Check for security headers: `X-Frame-Options`, `X-Content-Type-Options`, `Strict-Transport-Security`, `COOP`, `COEP`.
Routine Checks
- CSP Review: Are directives as strict as possible?
- Dependencies: Are all critical security updates applied?
- Secrets: Scan for accidentally committed secrets (`.env` files, keys) using `git-secrets` or similar.
- Cross-Origin Isolation: Is the site properly isolated to allow `SharedArrayBuffer` usage if needed for Wasm threads?
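A header audit covering the CSP and Headers items in the audit scope and the Cross-Origin Isolation check above, added here as an example and not part of the skill file: it parses a response's CSP, flags `'unsafe-inline'` and `'unsafe-eval'`, marks `'wasm-unsafe-eval'` for review, and checks the COOP/COEP values that `SharedArrayBuffer` requires. The sample header values are constructed.

```python
from typing import Dict, List

# Headers the skill's "Headers" and "Cross-Origin Isolation" checks look for.
REQUIRED_HEADERS = (
    "content-security-policy", "x-frame-options", "x-content-type-options",
    "strict-transport-security", "cross-origin-opener-policy", "cross-origin-embedder-policy",
)

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response's headers; an empty list means clean."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"missing: {n}" for n in REQUIRED_HEADERS if n not in h]
    for directive, sources in parse_csp(h.get("content-security-policy", "")).items():
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                findings.append(f"csp: {directive} allows {weak}")
        if "'wasm-unsafe-eval'" in sources:
            # Tolerated only where an engine adapter needs it, so flag it for review.
            findings.append(f"csp: {directive} allows 'wasm-unsafe-eval' (confirm an engine adapter needs it)")
    # SharedArrayBuffer (Wasm threads) is only available when both values are set.
    coop, coep = h.get("cross-origin-opener-policy"), h.get("cross-origin-embedder-policy")
    if coop is not None and coop != "same-origin":
        findings.append("isolation: COOP must be same-origin")
    if coep is not None and coep not in ("require-corp", "credentialless"):
        findings.append("isolation: COEP must be require-corp or credentialless")
    return findings

# Constructed sample responses: a weak one and its hardened counterpart.
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "X-Content-Type-Options": "nosniff",
}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'wasm-unsafe-eval'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}
```

Running `audit_headers(WEAK)` reports the four missing headers and both unsafe CSP sources; `audit_headers(HARDENED)` leaves only the `wasm-unsafe-eval` review note.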
Remediation
- CSP Violation: Identify the source script/style. Move inline code to external files or use a nonce/hash.
- Vulnerable Package: Run `pnpm update <package>` explicitly, or use `pnpm.overrides` in `package.json` to force a secure version.