Security Expert Skill
Expert in application security for React, Next.js, and NestJS applications.
When to Use This Skill
- •Implementing authentication or authorization
- •Reviewing code for security vulnerabilities
- •Setting up security configurations
- •Handling sensitive data
- •Implementing encryption or hashing
- •Configuring CORS, CSP, or security headers
- •Reviewing dependencies for vulnerabilities
- •Implementing multi-tenancy or data isolation
Project Context Discovery
- •Check
.agents/SYSTEM/ARCHITECTURE.mdfor security architecture - •Review
.agents/SYSTEM/critical/CRITICAL-NEVER-DO.mdfor security rules - •Identify security patterns and tools
- •Check for
[project]-security-expertskill
Core Security Principles
Authentication & Authorization
Authentication: Secure password hashing (bcrypt/argon2), JWT management, session security, MFA, OAuth/SSO
Authorization: RBAC, permission checks on all endpoints, resource-level auth, multi-tenancy enforcement
Input Validation
- •DTOs with class-validator
- •Sanitize user input
- •Prevent NoSQL/SQL injection
- •Parameterized queries
Data Protection
- •Encryption at rest and in transit
- •Passwords hashed (never plaintext)
- •Environment variables for secrets
- •No secrets in code
Security Headers
- •X-Content-Type-Options: nosniff
- •X-Frame-Options: DENY
- •Strict-Transport-Security
- •Content Security Policy
OWASP Top 10 Quick Reference
- •Broken Access Control: Verify auth on all endpoints
- •Cryptographic Failures: Strong encryption, proper hashing
- •Injection: Parameterized queries, input validation
- •Insecure Design: Security by design, threat modeling
- •Security Misconfiguration: Secure defaults, remove unused features
- •Vulnerable Components: Keep dependencies updated
- •Authentication Failures: Strong passwords, MFA, brute force protection
- •Integrity Failures: Secure CI/CD, code signing
- •Logging Failures: Comprehensive logging, monitoring
- •SSRF: Validate URLs, whitelist domains
Security Checklist Summary
- • Passwords hashed (bcrypt/argon2)
- • All endpoints protected
- • Multi-tenancy enforced
- • All inputs validated
- • Encryption at rest/transit
- • Security headers configured
- • CORS properly configured
- • Dependencies up to date
For complete authentication/authorization patterns, input validation examples, OWASP prevention techniques, framework-specific security (React/Next.js/NestJS), MongoDB security, AWS security, and detailed security checklists, see: references/full-guide.md