Security Practices Skill

Purpose

Security guidelines for building secure applications across all layers.

Auto-Invoke Triggers

  • Implementing authentication/authorization
  • Handling user input
  • Working with sensitive data
  • Configuring CORS
  • Managing secrets

OWASP Top 10 Prevention

| Risk | Prevention |
|---|---|
| Injection | Parameterized queries, input validation |
| Broken Auth | Strong passwords, MFA, secure sessions |
| Sensitive Data | Encryption, minimal exposure |
| XXE | Disable external entities |
| Broken Access | RBAC, default deny |
| Misconfig | Secure defaults, disable debug |
| XSS | Output encoding, CSP |
| Insecure Deserialization | Validate before deserialize |
| Vulnerable Components | Update dependencies regularly |
| Insufficient Logging | Log security events |

Input Validation Rules

| Data Type | Validation Requirements |
|---|---|
| Email | Regex pattern, max 255 chars |
| Username | Alphanumeric + underscore, 3-50 chars |
| Password | Min 8 chars, upper, lower, number, special |
| Phone | Regex for format |
| URL | Protocol whitelist (https) |
| File upload | Extension whitelist, MIME check, size limit |
| IDs | UUID format or positive integer |
| Free text | Max length, HTML sanitization |

Validation Principles

  • Validate on server side (never trust client)
  • Whitelist over blacklist
  • Validate early, fail fast
  • Return specific error messages
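The rules in the table and the principles above, as an added example (not code from the original skill file): whitelist-style validators that fail fast with a specific message. The numeric limits are the table's; the regex patterns, the `SPECIAL` character set and the default free-text length are assumptions, and a production app should use a maintained library for e-mail and phone parsing.

```python
import html
import re
import uuid
from urllib.parse import urlsplit

# Added example, not code from the original skill file. Limits are the ones in
# the table; the regex patterns and SPECIAL set are assumptions.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,50}")
PHONE_RE = re.compile(r"\+?[0-9]{7,15}")  # E.164-style digits, assumed format
SPECIAL = set("!@#$%^&*()-_=+[]{};:,.<>?/")


class ValidationError(ValueError):
    """Carries a specific message so the caller can fail fast and report it."""


def validate_email(value: str) -> str:
    if len(value) > 255 or not EMAIL_RE.fullmatch(value):
        raise ValidationError("email: invalid format or longer than 255 chars")
    return value


def validate_username(value: str) -> str:
    # Whitelist: only letters, digits and underscore, 3-50 chars
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username: 3-50 chars of letters, digits, underscore")
    return value


def validate_password(value: str) -> str:
    checks = [
        (len(value) >= 8, "at least 8 characters"),
        (any(c.isupper() for c in value), "an uppercase letter"),
        (any(c.islower() for c in value), "a lowercase letter"),
        (any(c.isdigit() for c in value), "a digit"),
        (any(c in SPECIAL for c in value), "a special character"),
    ]
    missing = [msg for ok, msg in checks if not ok]
    if missing:
        raise ValidationError("password: needs " + ", ".join(missing))
    return value


def validate_phone(value: str) -> str:
    if not PHONE_RE.fullmatch(value):
        raise ValidationError("phone: invalid format")
    return value


def validate_url(value: str, allowed_schemes=("https",)) -> str:
    parts = urlsplit(value)
    # Protocol whitelist; also require a host so scheme-only values are rejected
    if parts.scheme not in allowed_schemes or not parts.netloc:
        raise ValidationError("url: scheme must be one of " + ", ".join(allowed_schemes))
    return value


def validate_id(value: str):
    """Accept a UUID or a positive integer; return it in canonical form."""
    try:
        return str(uuid.UUID(value))
    except ValueError:
        pass
    if value.isdigit() and int(value) > 0:
        return int(value)
    raise ValidationError("id: must be a UUID or a positive integer")


def validate_free_text(value: str, max_length: int = 1000) -> str:
    # Enforce the length limit, then neutralise HTML by escaping rather than
    # trying to strip tags (strip-based filters are easy to get wrong)
    if len(value) > max_length:
        raise ValidationError(f"text: longer than {max_length} chars")
    return html.escape(value)


def is_valid(validator, value) -> bool:
    """True if the validator accepts the value; handy for quick checks."""
    try:
        validator(value)
        return True
    except ValidationError:
        return False
```

Each validator returns the accepted (and, for IDs and free text, normalised) value, so call sites can write `user_id = validate_id(raw)` and never touch the raw input again.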

SQL Injection Prevention

Rules

  • ALWAYS use parameterized queries or ORM
  • NEVER concatenate user input into SQL
  • Use stored procedures where appropriate
  • Limit database user permissions

Example Pattern

```python
# BAD: query = f"SELECT * FROM users WHERE id = {user_id}"
# GOOD: Use ORM or parameterized query with placeholder
```
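The BAD/GOOD pattern above run end to end, as an added example that is not part of the original skill file: an in-memory SQLite table with constructed rows, the concatenating lookup beside the parameterized one, and a third variant that also applies the ID rule from the validation table. Table and row contents are constructed.

```python
import sqlite3

# Added example, not part of the original skill file: the BAD/GOOD pattern
# run against an in-memory SQLite table with constructed sample rows.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],  # constructed sample data
    )
    return conn


def get_user_bad(conn: sqlite3.Connection, user_id: str) -> list:
    # BAD: the input is pasted into the SQL text, so its content can change
    # the meaning of the query (a WHERE clause that matches every row, say)
    query = f"SELECT id, name FROM users WHERE id = {user_id}"
    return conn.execute(query).fetchall()


def get_user_good(conn: sqlite3.Connection, user_id: str) -> list:
    # GOOD: a placeholder; the driver passes the value as data, never as SQL,
    # so the same input simply matches nothing
    query = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(query, (user_id,)).fetchall()


def get_user_strict(conn: sqlite3.Connection, user_id: str) -> list:
    # BEST: validate the type first (IDs are positive integers per the
    # validation table), then bind; malformed input never reaches the database
    if not user_id.isdigit() or int(user_id) <= 0:
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()
```

The same input `1 OR 1=1` returns every row from `get_user_bad` and no rows from `get_user_good`; `get_user_strict` rejects it before any SQL runs. The "limit database user permissions" rule is the second line of defence for the day someone reintroduces the bad pattern.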

XSS Prevention

Rules

  • Use framework's default escaping (React, Angular)
  • Avoid dangerouslySetInnerHTML / innerHTML
  • Sanitize HTML if dynamic content required
  • Implement Content Security Policy (CSP)

CSP Headers

  • default-src 'self'
  • script-src 'self' (avoid 'unsafe-inline')
  • style-src 'self' 'unsafe-inline'
  • img-src 'self' data: https:

Authentication Standards

Password Requirements

  • Minimum 8 characters
  • Must contain: uppercase, lowercase, number, special char
  • Hash with bcrypt (cost 12+) or Argon2
  • Never store plain text

JWT Token Rules

  • Access token: 15 minutes expiry
  • Refresh token: 7 days expiry
  • Store in HttpOnly cookies (not localStorage)
  • Include iat, exp, sub claims
  • Sign with HS256 or RS256

Session Security

  • Regenerate session ID after login
  • Set secure, HttpOnly, SameSite cookie flags
  • Implement session timeout
  • Invalidate on logout

Authorization Patterns

RBAC (Role-Based Access Control)

  • Define roles: Admin, Editor, Viewer
  • Map permissions to roles
  • Check permissions on every request
  • Default deny, explicit allow

Resource Authorization

  • Verify resource ownership
  • Check user can access specific resource
  • Don't rely on obscurity (hidden URLs)
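Both patterns above (RBAC with default deny, then a resource-ownership check) in one added example that is not code from the original skill file. The three roles are the ones the text names; the permission strings, the `Article` resource and the constructed users are assumptions.

```python
from dataclasses import dataclass

# Added example, not code from the original skill file: role -> permission map
# with default deny, plus an ownership check. Permission strings, the Article
# type and the users in demo() are constructed for illustration.
ROLE_PERMISSIONS = {
    "admin": {"article:read", "article:write", "article:delete", "user:manage"},
    "editor": {"article:read", "article:write"},
    "viewer": {"article:read"},
}


@dataclass(frozen=True)
class User:
    id: str
    role: str


@dataclass(frozen=True)
class Article:
    id: str
    owner_id: str


class Forbidden(PermissionError):
    pass


def has_permission(user: User, permission: str) -> bool:
    # Default deny: an unknown role (or a typo in the role name) grants nothing
    return permission in ROLE_PERMISSIONS.get(user.role, frozenset())


def authorize(user: User, permission: str, resource: Article = None) -> bool:
    """Raise Forbidden unless the role grants the permission and, for changes to
    a specific resource, the caller owns it or is an admin. Run on every request;
    a resource id taken from the URL is never trusted on its own."""
    if not has_permission(user, permission):
        raise Forbidden(f"{user.role} lacks {permission}")
    if resource is not None and permission != "article:read":
        if resource.owner_id != user.id and user.role != "admin":
            raise Forbidden(f"user {user.id} does not own article {resource.id}")
    return True


def can(user: User, permission: str, resource: Article = None) -> bool:
    try:
        return authorize(user, permission, resource)
    except Forbidden:
        return False


def demo() -> dict:
    """Constructed users and one article; returns the decision for each case."""
    alice = User("u1", "editor")
    bob = User("u2", "editor")
    carol = User("u3", "viewer")
    root = User("u4", "admin")
    ghost = User("u5", "superuser")  # role missing from the map: denied everything
    article = Article("a1", owner_id="u1")
    return {
        "owner_edits": can(alice, "article:write", article),
        "other_editor_edits": can(bob, "article:write", article),
        "viewer_reads": can(carol, "article:read", article),
        "viewer_edits": can(carol, "article:write", article),
        "admin_deletes": can(root, "article:delete", article),
        "unknown_role": can(ghost, "article:read", article),
    }
```

Note that a second editor is refused on an article they do not own even though their role carries `article:write`: the role check answers "may this kind of user do this", the ownership check answers "to this object".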

Secret Management

Rules

  • NEVER commit secrets to git
  • Use environment variables
  • Use secret managers in production (Vault, AWS Secrets)
  • Rotate secrets regularly
  • Different secrets per environment

.gitignore Must Include

```gitignore
.env
.env.*
*.pem
*.key
credentials.json
secrets.json
```

CORS Configuration

Rules

  • NEVER use * origin in production
  • Whitelist specific origins
  • Limit allowed methods
  • Limit allowed headers
  • Set appropriate max-age

Production Settings

  • Access-Control-Allow-Origin: specific domains only
  • Access-Control-Allow-Credentials: true if needed
  • Access-Control-Allow-Methods: only needed methods
  • Access-Control-Max-Age: 600 (10 minutes)
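The production rules above applied to one request, as an added example that is not code from the original skill file: a function that returns the CORS headers to add to a response, or nothing at all when the origin is not whitelisted or a preflight asks for a method or header outside the allowed sets. The origin whitelist, method and header lists are constructed values.

```python
# Added example, not code from the original skill file. The whitelist, method
# and header lists are constructed; Max-Age is the 600 s from the table.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE")
ALLOWED_HEADERS = ("Content-Type", "Authorization")
MAX_AGE = 600  # 10 minutes


def cors_response_headers(request_method: str, request_headers: dict) -> dict:
    """Return the CORS headers to add to the response, or {} to add none.

    Omitting the headers is the deny: the browser then refuses the cross-origin
    read. The literal '*' is never emitted; the origin is echoed back only when
    it is in the whitelist."""
    origin = request_headers.get("Origin")
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # caches must not serve one origin's answer to another
        "Access-Control-Allow-Credentials": "true",  # only because cookies are used
    }
    is_preflight = (
        request_method == "OPTIONS"
        and "Access-Control-Request-Method" in request_headers
    )
    if is_preflight:
        wanted_method = request_headers["Access-Control-Request-Method"]
        wanted_headers = [
            h.strip().lower()
            for h in request_headers.get("Access-Control-Request-Headers", "").split(",")
            if h.strip()
        ]
        allowed_lower = {h.lower() for h in ALLOWED_HEADERS}
        if wanted_method not in ALLOWED_METHODS or not set(wanted_headers) <= allowed_lower:
            return {}  # preflight fails: the browser never sends the real request
        headers.update({
            "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
            "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
            "Access-Control-Max-Age": str(MAX_AGE),
        })
    return headers
```

`Vary: Origin` matters as soon as the allowed origin is echoed rather than fixed: without it a shared cache may hand one origin's `Access-Control-Allow-Origin` to a different origin's request.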

Rate Limiting

Default Limits

| Endpoint Type | Limit |
|---|---|
| Login | 5/minute |
| Password reset | 3/hour |
| API general | 100/minute |
| File upload | 10/minute |

Headers to Return

  • X-RateLimit-Limit
  • X-RateLimit-Remaining
  • X-RateLimit-Reset
  • Retry-After (on 429)
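The default limits and the response headers above, as an added example that is not code from the original skill file: a sliding-window limiter that keys on endpoint and client, returns `429` with `Retry-After` once the window is full, and sets the `X-RateLimit-*` headers on every answer. The client key (an IP string here) and the in-memory store are assumptions; a multi-process deployment would keep the counters in a shared store such as Redis.

```python
import math
import time
from collections import defaultdict, deque

# Added example, not code from the original skill file. Limits are the table's
# defaults; the client key and in-memory store are assumptions.
LIMITS = {
    "login": (5, 60),            # 5/minute
    "password_reset": (3, 3600),  # 3/hour
    "api": (100, 60),            # 100/minute
    "upload": (10, 60),          # 10/minute
}


class RateLimiter:
    def __init__(self, limits=LIMITS):
        self.limits = limits
        # (endpoint, client) -> timestamps of requests inside the window
        self.hits = defaultdict(deque)

    def check(self, endpoint: str, client: str, now=None):
        """Return (allowed, http_status, headers) for one request."""
        now = time.time() if now is None else now
        limit, window = self.limits[endpoint]
        bucket = self.hits[(endpoint, client)]
        # Drop timestamps that have left the window
        while bucket and bucket[0] <= now - window:
            bucket.popleft()
        if len(bucket) >= limit:
            reset_at = bucket[0] + window  # when the oldest hit expires
            headers = {
                "X-RateLimit-Limit": str(limit),
                "X-RateLimit-Remaining": "0",
                "X-RateLimit-Reset": str(int(reset_at)),
                "Retry-After": str(max(1, math.ceil(reset_at - now))),
            }
            return False, 429, headers
        bucket.append(now)
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(limit - len(bucket)),
            "X-RateLimit-Reset": str(int(bucket[0] + window)),
        }
        return True, 200, headers
```

Blocked requests are not recorded in the bucket, so a client that keeps retrying does not push its own reset time further out; whether that is the behaviour you want for login endpoints is a policy choice.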

Security Headers

| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| Content-Security-Policy | default-src 'self' |
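The header table above and the CSP directives from the XSS section, served together, as an added example that is not code from the original skill file: the policy is assembled from a directive map, a WSGI middleware stamps every response with the header set, and a tiny demo app shows the output encoding the XSS rules call for. The demo app, its `name` query parameter and the `call_app` helper are constructed for illustration. Current browsers ignore `X-XSS-Protection`; it is kept here because the table lists it, but CSP is the control that does the work.

```python
import html
from urllib.parse import parse_qs

# Added example, not code from the original skill file. greeting_app and
# call_app are constructed helpers; header values are the table's.
CSP_POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],  # no 'unsafe-inline'
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:", "https:"],
}


def build_csp(policy: dict) -> str:
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


SECURITY_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": build_csp(CSP_POLICY),
}


def security_headers_middleware(app):
    """Wrap a WSGI app so every response carries SECURITY_HEADERS
    (a value the app already set for the same header is left untouched)."""
    def wrapped(environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in SECURITY_HEADERS.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_headers)
    return wrapped


def greeting_app(environ, start_response):
    # Output encoding: the user-controlled value is escaped before it becomes HTML
    name = parse_qs(environ.get("QUERY_STRING", "")).get("name", ["world"])[0]
    body = f"<h1>Hello, {html.escape(name)}</h1>".encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def call_app(app, query_string=""):
    """Invoke a WSGI app in-process; return (status, headers dict, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body.decode()
```

Putting the headers in middleware rather than in each handler is what makes "security headers configured" a property you can check once rather than per endpoint.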

File Upload Security

Validation Steps

  1. Check file extension (whitelist)
  2. Verify MIME type (magic bytes, not header)
  3. Enforce size limit
  4. Generate new filename (UUID)
  5. Store outside web root
  6. Scan for malware if possible

Allowed Extensions Example

  • Images: .jpg, .jpeg, .png, .gif, .webp
  • Documents: .pdf, .doc, .docx
  • Max size: 10MB typical
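The six validation steps above for the listed extensions, as an added example that is not code from the original skill file. The magic-byte signatures are the published ones for each format and the 10MB limit is from the text; the scanner hook (step 6), the temporary-directory stand-in for the storage location and the sample payloads are assumptions constructed for illustration.

```python
import tempfile
import uuid
from pathlib import Path

# Added example, not code from the original skill file. Signatures are the
# published magic bytes; the scanner hook and sample payloads are constructed.
MAX_SIZE = 10 * 1024 * 1024

# extension -> accepted leading bytes (checked on the content, not the header)
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".webp": (b"RIFF",),  # plus bytes 8-12 == b"WEBP", checked below
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),  # OLE2 container
    ".docx": (b"PK\x03\x04",),  # ZIP container; a full check would open the archive
}


class UploadRejected(ValueError):
    pass


def content_matches(ext: str, data: bytes) -> bool:
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False
    if ext == ".webp" and data[8:12] != b"WEBP":
        return False
    return True


def validate_upload(filename: str, data: bytes, scanner=None) -> str:
    """Return the normalised extension, or raise UploadRejected."""
    ext = Path(filename).suffix.lower()            # 1. extension whitelist (last suffix only)
    if ext not in MAGIC:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    if not content_matches(ext, data):             # 2. magic bytes, not the declared MIME
        raise UploadRejected("content does not match extension")
    if len(data) > MAX_SIZE:                       # 3. size limit
        raise UploadRejected("file exceeds 10MB")
    if scanner is not None and not scanner(data):  # 6. malware scan hook (assumed interface)
        raise UploadRejected("scanner flagged file")
    return ext


def store_upload(filename: str, data: bytes, storage_dir) -> Path:
    ext = validate_upload(filename, data)
    new_name = f"{uuid.uuid4().hex}{ext}"          # 4. client-supplied name never touches disk
    dest = Path(storage_dir) / new_name             # 5. storage_dir must sit outside the web root
    with open(dest, "xb") as fh:                   # 'x': never overwrite an existing file
        fh.write(data)
    return dest


def store_to_tempdir(filename: str, data: bytes) -> Path:
    """Store into a fresh temporary directory (stand-in for the real upload dir)."""
    return store_upload(filename, data, tempfile.mkdtemp())


def is_accepted(filename: str, data: bytes) -> bool:
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed sample payloads: just enough header bytes to exercise the checks
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PDF_SAMPLE = b"%PDF-1.7\n% constructed sample\n"
WEBP_SAMPLE = b"RIFF" + b"\x10\x00\x00\x00" + b"WEBP" + b"VP8 "
```

Because the stored name is a fresh UUID with the validated extension, nothing the client chose (path separators, double extensions, an existing file's name) influences where or under what name the bytes land.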

Security Checklist

Authentication

  • Passwords hashed with bcrypt/argon2
  • JWT tokens have short expiry
  • Refresh tokens in HttpOnly cookies
  • Failed logins rate-limited
  • Password reset tokens one-time use

Authorization

  • All endpoints have explicit authorization
  • Default deny policy
  • Resource ownership verified
  • Admin functions extra protected

Input

  • All input validated server-side
  • File uploads validated (extension, MIME, size)
  • SQL uses parameterized queries
  • URLs validated before redirect

Data

  • Sensitive data encrypted at rest
  • HTTPS enforced
  • Secrets not in code/git
  • PII minimized

Headers

  • Security headers configured
  • CORS restricted
  • Error messages don't leak internals
  • Debug mode disabled in production