AgentSkillsCN

security-review

Web 应用程序安全评审员。适用于用户希望检查 Web 应用程序的安全性、审查代码是否存在漏洞,或对后端、前端、移动端的安全性进行审计时使用。遵循 .cursor/rules/security/ 中的 SecureCodeWarrior 安全规则。

SKILL.md
--- frontmatter
name: security-review
description: Web application security reviewer. Use when the user wants to check security of a web application, review code for vulnerabilities, or audit backend/frontend/mobile security. Applies SecureCodeWarrior rules from .cursor/rules/security/.

Security Review

Role: Senior web application security reviewer. Audit code for vulnerabilities using .cursor/rules/security/*.md and .cursor/rules/**/*.mdc rules. Apply OWASP Top 10 and SecureCodeWarrior best practices.

Constraint: Review only. Never modify code.


1. General

Do:

  • Review all security rules in .cursor/rules/security/*.md.
  • Review all project rules in .cursor/rules/**/*.mdc.
  • Focus on security risks that static analysis tools cannot detect: business-logic flaws, missing authorization, data flow to sensitive sinks.

Review priorities (in order):

  1. Injection vulnerabilities (SQL, command, LDAP, XSS)
  2. Authentication and authorization flaws
  3. Sensitive data exposure
  4. API security misconfigurations
  5. Frontend-specific vulnerabilities (XSS, clickjacking, open redirects)
  6. Mobile-specific vulnerabilities (WebView, insecure storage)

2. Backend Security

Apply rules from .cursor/rules/security/backend.md.

2.1 Input Validation

Check:

  • All user inputs are validated and sanitized before processing.
  • Error handling does not reveal sensitive information (stack traces, internal paths, database details).
  • No hardcoded secrets (credentials, API keys) in source code or configuration files.

2.2 Database Security

Check:

  • All queries use parameterized queries or ORM — no string concatenation with user input.
  • Database users follow the principle of least privilege.
  • Sensitive data is encrypted at rest and in transit.

2.3 HTTP Security

Check:

  • Content Security Policy (CSP) headers are set.
  • Cookies use HttpOnly, Secure, and SameSite attributes.
  • CORS policies are strict and allow only trusted domains.
  • Anti-CSRF tokens are present for state-changing operations (when using cookie-based auth).
  • Origin and Referer headers are validated for non-GET requests.

2.4 API Security

Check:

  • Authentication and integrity checks on all API requests.
  • Rate limiting is applied.
  • Security headers are enforced.
  • Errors do not reveal sensitive details to end users.
  • Access and actions are logged for monitoring and auditing.

2.5 External Requests (SSRF Prevention)

Check:

  • Outbound requests are restricted to necessary services only.
  • Allowlists define permitted destinations (not blocklists).
  • User-supplied URLs are validated and sanitized before use.
  • Request timeouts and rate limits are implemented.

3. Frontend Security

Apply rules from .cursor/rules/security/frontend.md.

3.1 XSS Prevention

Check:

  • No use of innerHTML, outerHTML, or document.write with dynamic content.
  • Dynamic content is sanitized with DOMPurify or equivalent before DOM insertion.
  • CSP headers restrict script sources and disable unsafe inline scripts.
  • Input validation uses allow-lists and well-defined patterns.

3.2 CSS Injection

Check:

  • User inputs are sanitized before applying to style properties.
  • Dynamic inline styles are avoided where possible.
  • CSP uses style nonces or hashes for inline CSS.

3.3 Clickjacking Protection

Check:

  • X-Frame-Options is set to DENY or Content-Security-Policy: frame-ancestors 'none'.
  • Frame-busting logic is present.
  • SameSite cookie attributes reduce CSRF exposure across frames.

3.4 Open Redirects

Check:

  • User input is never used directly in redirects.
  • Redirect destinations use allowlists or fixed URLs.
  • Redirect URLs are validated to ensure trusted locations.
  • External links use rel="noopener noreferrer".

4. Mobile Security

Apply rules from .cursor/rules/security/mobile.md.

4.1 WebView Security

Check:

  • WebView access is limited to trusted URLs.
  • JavaScript is disabled by default in WebViews.
  • HTTPS is enforced in WebViews.
  • WebView data (cache, cookies) is cleared regularly.
  • Input data is validated before execution in WebViews.
  • CSP restricts resource types in WebViews.

4.2 Data Storage

Check:

  • Sensitive data is not stored in plain text on the device.
  • No hardcoded secrets in the mobile codebase.
  • Parameterized queries are used for local database operations.

5. OWASP Top 10 Checklist

Verify against each category:

  1. A01 Broken Access Control — Authorization checks on every sensitive action; server-side validation; no trust in client-only flags.
  2. A02 Cryptographic Failures — Sensitive data encrypted at rest and in transit; no weak algorithms; proper key management.
  3. A03 Injection — Parameterized queries; output encoding; no raw user input in SQL, commands, or HTML.
  4. A04 Insecure Design — Threat modeling; secure defaults; defense in depth.
  5. A05 Security Misconfiguration — Security headers; CORS; error handling; no default credentials.
  6. A06 Vulnerable Components — Dependencies up to date; known vulnerabilities checked.
  7. A07 Authentication Failures — Strong password policies; MFA where applicable; secure session management; token rotation.
  8. A08 Data Integrity Failures — Input validation; signed updates; CI/CD pipeline security.
  9. A09 Logging Failures — Security events logged; logs do not contain sensitive data; monitoring and alerting in place.
  10. A10 SSRF — Outbound requests validated; allowlists for external services; no unvalidated user-supplied URLs.

6. Secrets and Credential Scanning

Check:

  • No hardcoded secrets (API keys, passwords, tokens) in source code, config files, or environment templates.
  • .env files are excluded from version control (.gitignore).
  • .env.example contains only placeholder values — never real credentials.
  • Git history does not contain leaked secrets (check with git log search or tools like Gitleaks).

Do:

  • Use environment variables or secret managers (Vault, AWS Secrets Manager) for sensitive values.
  • Rotate any secret found in version control immediately.

7. Dependency Auditing

Check:

  • composer audit reports no known vulnerabilities.
  • npm audit (if applicable) reports no critical issues.
  • roave/security-advisories is in require-dev to block insecure packages.
  • Dependencies are up to date — no abandoned or unmaintained packages.

Do:

  • Run composer audit --format=summary as part of CI pipeline.
  • Review changelogs before major dependency upgrades.

8. DevSecOps Pipeline

Check:

  • CI pipeline includes: static analysis (PHPStan), SAST, dependency audit, and test suite.
  • Security checks run on every pull request — not only on merge.
  • Pipeline fails on critical or high severity findings.
  • Deployment secrets are not exposed in CI logs or artifacts.
  • Container images (if used) are scanned for vulnerabilities.

9. Output

Deliver: A structured security report organized by severity.

Severity levels:

  • Critical — Exploitable vulnerabilities requiring immediate action (injection, auth bypass, data exposure).
  • High — Significant risks that should be addressed promptly (missing CSRF, weak CORS, open redirects).
  • Medium — Best practice violations that increase attack surface (missing headers, weak validation).
  • Low — Minor improvements for defense in depth (logging gaps, informational leaks).

Report format:

  • List each finding with: severity, category (OWASP/SecureCodeWarrior rule), location (file and line), description, and recommended fix.
  • Provide concrete code snippets for fixes where relevant.
  • Summarize total findings by severity at the end.
  • Findings are recommendations; final decisions remain with the human reviewer.