Security Practices Skill
Purpose
Security guidelines for building secure applications across all layers.
Auto-Invoke Triggers
- Implementing authentication/authorization
- Handling user input
- Working with sensitive data
- Configuring CORS
- Managing secrets
OWASP Top 10 Prevention
| Risk | Prevention |
|---|---|
| Injection | Parameterized queries, input validation |
| Broken Auth | Strong passwords, MFA, secure sessions |
| Sensitive Data | Encryption, minimal exposure |
| XXE | Disable external entities |
| Broken Access | RBAC, default deny |
| Misconfig | Secure defaults, disable debug |
| XSS | Output encoding, CSP |
| Insecure Deserialization | Validate before deserialize |
| Vulnerable Components | Update dependencies regularly |
| Insufficient Logging | Log security events |
Input Validation Rules
| Data Type | Validation Requirements |
|---|---|
| | Regex pattern, max 255 chars |
| Username | Alphanumeric + underscore, 3-50 chars |
| Password | Min 8 chars, upper, lower, number, special |
| Phone | Regex for format |
| URL | Protocol whitelist (https) |
| File upload | Extension whitelist, MIME check, size limit |
| IDs | UUID format or positive integer |
| Free text | Max length, HTML sanitization |
Validation Principles
- Validate on server side (never trust client)
- Whitelist over blacklist
- Validate early, fail fast
- Return specific error messages
SQL Injection Prevention
Rules
- ALWAYS use parameterized queries or ORM
- NEVER concatenate user input into SQL
- Use stored procedures where appropriate
- Limit database user permissions
Example Pattern
```python
# BAD: query = f"SELECT * FROM users WHERE id = {user_id}"
# GOOD: Use ORM or parameterized query with placeholder
```
XSS Prevention
Rules
- Use framework's default escaping (React, Angular)
- Avoid `dangerouslySetInnerHTML`/`innerHTML`
- Sanitize HTML if dynamic content required
- Implement Content Security Policy (CSP)
CSP Headers
- `default-src 'self'`
- `script-src 'self'` (avoid `'unsafe-inline'`)
- `style-src 'self' 'unsafe-inline'`
- `img-src 'self' data: https:`
Authentication Standards
Password Requirements
- Minimum 8 characters
- Must contain: uppercase, lowercase, number, special char
- Hash with bcrypt (cost 12+) or Argon2
- Never store plain text
JWT Token Rules
- Access token: 15 minutes expiry
- Refresh token: 7 days expiry
- Store in HttpOnly cookies (not localStorage)
- Include `iat`, `exp`, `sub` claims
- Sign with HS256 or RS256
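A sketch of the access-token rules above using only the Python standard library, added here as an example and not taken from the original page. It covers HS256 only; the function names and the `now` parameter (for deterministic checks) are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

ACCESS_TTL = 15 * 60  # access token lifetime from the rules above

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, key, now=None, ttl=ACCESS_TTL):
    """Return an HS256 token carrying the sub, iat and exp claims."""
    now = int(time.time() if now is None else now)
    parts = ({"alg": "HS256", "typ": "JWT"},
             {"sub": sub, "iat": now, "exp": now + ttl})
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_token(token, key, now=None):
    """Return the claims, or raise ValueError for any invalid token."""
    now = int(time.time() if now is None else now)
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        # Pin the algorithm server-side; a token must not pick its own
        # (this is what rejects "alg": "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # Constant-time comparison of the MAC.
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body))  # parsed only after the MAC check
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"invalid token: {exc}") from None
    if not isinstance(claims, dict) or "sub" not in claims:
        raise ValueError("invalid token: missing sub")
    if not all(type(claims.get(k)) is int for k in ("iat", "exp")):
        raise ValueError("invalid token: missing iat/exp")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```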
Session Security
- Regenerate session ID after login
- Set secure, HttpOnly, SameSite cookie flags
- Implement session timeout
- Invalidate on logout
Authorization Patterns
RBAC (Role-Based Access Control)
- Define roles: Admin, Editor, Viewer
- Map permissions to roles
- Check permissions on every request
- Default deny, explicit allow
Resource Authorization
- Verify resource ownership
- Check user can access specific resource
- Don't rely on obscurity (hidden URLs)
Secret Management
Rules
- NEVER commit secrets to git
- Use environment variables
- Use secret managers in production (Vault, AWS Secrets)
- Rotate secrets regularly
- Different secrets per environment
.gitignore Must Include
```
.env
.env.*
*.pem
*.key
credentials.json
secrets.json
```
CORS Configuration
Rules
- NEVER use `*` origin in production
- Whitelist specific origins
- Limit allowed methods
- Limit allowed headers
- Set appropriate max-age
Production Settings
- `Access-Control-Allow-Origin`: specific domains only
- `Access-Control-Allow-Credentials`: true if needed
- `Access-Control-Allow-Methods`: only needed methods
- `Access-Control-Max-Age`: 600 (10 minutes)
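One way to produce these headers from an exact-match allow-list, as an added example that is not part of the original page. The origins, methods and header names in the constants are assumed placeholder values, and `cors_headers` is an illustrative function, not a framework API.

```python
# Assumed deployment values (not from the page): replace with your own.
ALLOWED_ORIGINS = frozenset({"https://app.example.com",
                             "https://admin.example.com"})
ALLOWED_METHODS = ("GET", "POST")
ALLOWED_HEADERS = ("authorization", "content-type")
MAX_AGE = 600  # 10 minutes, as in the settings above

def cors_headers(origin, preflight_method=None, preflight_headers=""):
    """Return the CORS response headers for one request.

    origin            -- value of the Origin request header (or None)
    preflight_method  -- Access-Control-Request-Method, set only on preflight
    preflight_headers -- Access-Control-Request-Headers, comma-separated
    """
    # Vary: Origin keeps caches from serving one origin's answer to another.
    headers = {"Vary": "Origin"}
    # Exact string match against the allow-list: no "*", no substring or
    # suffix tests, and the literal origin "null" is never listed.
    if origin not in ALLOWED_ORIGINS:
        return headers
    headers["Access-Control-Allow-Origin"] = origin
    headers["Access-Control-Allow-Credentials"] = "true"
    if preflight_method is not None:
        wanted = {h.strip().lower()
                  for h in preflight_headers.split(",") if h.strip()}
        if (preflight_method not in ALLOWED_METHODS
                or not wanted <= set(ALLOWED_HEADERS)):
            return {"Vary": "Origin"}  # refuse the preflight outright
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = str(MAX_AGE)
    return headers
```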
Rate Limiting
Default Limits
| Endpoint Type | Limit |
|---|---|
| Login | 5/minute |
| Password reset | 3/hour |
| API general | 100/minute |
| File upload | 10/minute |
Headers to Return
- `X-RateLimit-Limit`
- `X-RateLimit-Remaining`
- `X-RateLimit-Reset`
- `Retry-After` (on 429)
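A minimal in-memory limiter that applies the default limits and returns the headers listed above, added as an example and not part of the original page. It assumes a fixed-window counter, a caller-supplied client key (for instance IP or account), and `X-RateLimit-Reset` expressed as the epoch second at which the window ends.

```python
import math

# Limits from the table above: (max requests, window in seconds).
LIMITS = {
    "login": (5, 60),
    "password_reset": (3, 3600),
    "api": (100, 60),
    "file_upload": (10, 60),
}

class FixedWindowLimiter:
    """In-memory fixed-window counter keyed by (endpoint type, client)."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.windows = {}  # (endpoint, client) -> (window_start, count)

    def check(self, endpoint, client, now):
        """Return (status, headers) for one request arriving at time `now`."""
        limit, period = self.limits[endpoint]
        start, count = self.windows.get((endpoint, client), (now, 0))
        if now - start >= period:      # window elapsed: start a new one
            start, count = now, 0
        reset = start + period
        allowed = count < limit
        if allowed:
            count += 1
        self.windows[(endpoint, client)] = (start, count)
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(limit - count),
            "X-RateLimit-Reset": str(math.ceil(reset)),
        }
        if not allowed:
            # Tell the client how long to wait before retrying.
            headers["Retry-After"] = str(max(1, math.ceil(reset - now)))
            return 429, headers
        return 200, headers
```

A multi-process deployment needs the counters in a shared store; the dictionary here only works within one process.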
Security Headers
| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Content-Security-Policy | default-src 'self' |
File Upload Security
Validation Steps
- Check file extension (whitelist)
- Verify MIME type (magic bytes, not header)
- Enforce size limit
- Generate new filename (UUID)
- Store outside web root
- Scan for malware if possible
Allowed Extensions Example
- Images: .jpg, .jpeg, .png, .gif, .webp
- Documents: .pdf, .doc, .docx
- Max size: 10MB typical
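The first five validation steps in code, as an added example that is not part of the original page. It covers the image types and PDF from the list above (`.doc`/`.docx` are left out), and `upload_dir` is an assumed directory outside the web root supplied by the caller.

```python
import os
import uuid

MAX_SIZE = 10 * 1024 * 1024  # 10MB, the typical limit given above

is_jpeg = lambda b: b.startswith(b"\xff\xd8\xff")

# Extension allow-list mapped to a check on the file's leading bytes.
MAGIC = {
    ".jpg": is_jpeg,
    ".jpeg": is_jpeg,
    ".png": lambda b: b.startswith(b"\x89PNG\r\n\x1a\n"),
    ".gif": lambda b: b[:6] in (b"GIF87a", b"GIF89a"),
    ".webp": lambda b: b[:4] == b"RIFF" and b[8:12] == b"WEBP",
    ".pdf": lambda b: b.startswith(b"%PDF-"),
}

def validate_upload(filename, data):
    """Return a newly generated safe filename, or raise ValueError."""
    # Only the final extension counts, so "x.php.png" is judged as .png
    # and must then also pass the content check below.
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        raise ValueError("extension not allowed")
    if len(data) > MAX_SIZE:
        raise ValueError("file too large")
    # Trust the bytes, not the client-sent Content-Type header.
    if not MAGIC[ext](data):
        raise ValueError("content does not match extension")
    # The client-chosen name is discarded entirely (no path traversal).
    return f"{uuid.uuid4().hex}{ext}"

def store_upload(filename, data, upload_dir):
    """Validate, then write the file under upload_dir and return its path."""
    path = os.path.join(upload_dir, validate_upload(filename, data))
    # O_EXCL: never overwrite an existing file; 0o600: owner-only, not executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```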
Security Checklist
Authentication
- Passwords hashed with bcrypt/argon2
- JWT tokens have short expiry
- Refresh tokens in HttpOnly cookies
- Failed logins rate-limited
- Password reset tokens one-time use
Authorization
- All endpoints have explicit authorization
- Default deny policy
- Resource ownership verified
- Admin functions extra protected
Input
- All input validated server-side
- File uploads validated (extension, MIME, size)
- SQL uses parameterized queries
- URLs validated before redirect
Data
- Sensitive data encrypted at rest
- HTTPS enforced
- Secrets not in code/git
- PII minimized
Headers
- Security headers configured
- CORS restricted
- Error messages don't leak internals
- Debug mode disabled in production