Security Best Practices Skill
Overview
This skill provides security guidelines following OWASP Top 10, secure coding patterns, authentication/authorization best practices, secrets management, and vulnerability prevention across multiple languages.
OWASP Top 10 Summary
- Injection - Use parameterized queries, never concatenate user input into SQL/commands
- Broken Authentication - Implement strong passwords, secure sessions, rate limiting
- Sensitive Data Exposure - Encrypt data at rest, use HTTPS, hash passwords
- XML External Entities (XXE) - Disable external entities in XML parsers
- Broken Access Control - Enforce authorization checks, implement resource-level controls
- Security Misconfiguration - Secure defaults, minimal privileges, regular updates
- Cross-Site Scripting (XSS) - Escape output, sanitize input, use CSP headers
- Insecure Deserialization - Use JSON instead of pickle, validate data
- Known Vulnerabilities - Regular dependency scanning, keep components updated
- Insufficient Logging - Log security events, monitor for anomalies
Quick Security Checklist
Input Validation
- Validate all user input on server side
- Use allowlists, not denylists
- Sanitize data before display (prevent XSS)
- Validate file uploads (type, size, extension)
Authentication
- Use strong password requirements (12+ chars, complexity)
- Hash passwords with bcrypt/Argon2 (not MD5/SHA1)
- Implement rate limiting on login endpoints
- Use secure session management (HttpOnly, Secure, SameSite)
Authorization
- Check permissions on every request
- Implement principle of least privilege
- Use resource-level access controls
- Never rely on client-side checks
Data Protection
- Encrypt sensitive data at rest
- Use TLS 1.2+ for all connections
- Set security headers (HSTS, CSP, X-Frame-Options)
- Never log sensitive data (passwords, tokens, PII)
Secrets Management
- Use environment variables or secret managers
- Never commit secrets to version control
- Rotate secrets regularly
- Use different secrets per environment
Common Vulnerabilities Prevention
SQL Injection
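```python
# ✅ SAFE: Parameterized query. The driver sends user_id as data, separate from the SQL text.
# Placeholder syntax depends on the driver (%s for psycopg2/MySQLdb, ? for sqlite3).
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
# ❌ UNSAFE: String concatenation. user_id becomes part of the SQL statement itself.
query = f"SELECT * FROM users WHERE id = '{user_id}'"
```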
XSS Prevention
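```python
# ✅ SAFE: Template auto-escaping (Flask/Jinja2 escapes username when rendering .html templates)
return render_template('profile.html', username=username)
# ❌ UNSAFE: Raw HTML built by string formatting, user_input is emitted unescaped
return f"<div>{user_input}</div>"
```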
Command Injection
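```python
import os
import subprocess

# ✅ SAFE: Use list, not shell; "--" keeps a value such as "-R" from being parsed as an option
subprocess.run(["ls", "-la", "--", directory], shell=False)
# ❌ UNSAFE: Shell with user input
os.system(f"ls -la {directory}")
```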
Language-Specific Patterns
See detailed guides in references/:
- OWASP Top 10 Details - Comprehensive prevention for all 10 categories
- Secure Coding - Python - Python-specific security patterns
- Secure Coding - JavaScript - Node.js/Frontend security
- Secure Coding - Go - Go security patterns
- Secrets Management - AWS, Vault, GCP secret management
Security Headers
Always include these headers:
```
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
```
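One way to apply this header set to every response and to audit a response for gaps, as an added example that is not part of the original skill. It uses only the standard WSGI interface; `SecurityHeadersMiddleware`, `missing_headers`, `call_app` and `demo_app` are names invented for the illustration.

```python
# Baseline taken from the header list above.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


class SecurityHeadersMiddleware:
    """Wrap any WSGI app and add the baseline headers to every response."""

    def __init__(self, app, headers=SECURITY_HEADERS):
        self.app = app
        self.headers = dict(headers)

    def __call__(self, environ, start_response):
        def patched_start(status, response_headers, exc_info=None):
            # Header names are case-insensitive. Keep a value the app already
            # set (e.g. a route-specific CSP) rather than sending a duplicate.
            present = {name.lower() for name, _ in response_headers}
            extra = [(k, v) for k, v in self.headers.items() if k.lower() not in present]
            return start_response(status, list(response_headers) + extra, exc_info)

        return self.app(environ, patched_start)


def missing_headers(response_headers, required=SECURITY_HEADERS):
    """Audit helper: baseline header names that a response does not carry."""
    present = {name.lower() for name, _ in response_headers}
    return [k for k in required if k.lower() not in present]


def call_app(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "wsgi.url_scheme": "https"}
    return captured, b"".join(app(environ, start_response))


def demo_app(environ, start_response):
    # Constructed sample app: sets its own lower-case CSP and nothing else.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("content-security-policy", "default-src 'none'")])
    return [b"ok"]
```

Running `missing_headers` over captured responses in an integration test catches routes served outside the middleware, such as static files or error pages generated by a front-end proxy.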
When to Use This Skill
Use this skill when:
- Implementing authentication and authorization systems
- Handling user input and data validation
- Setting up HTTPS and security headers
- Managing secrets and credentials
- Configuring CORS and CSP policies
- Reviewing code for security vulnerabilities
- Setting up logging and monitoring
- Configuring Docker and deployment security
Related Skills
- @docker-patterns - Container security hardening
- @ci-cd-pipelines - Security scanning in CI/CD
- @api-rest-design - API security patterns
- @postgresql-patterns - Database security
- @feature-development - Secure development workflow