appsec-owasp

Solid

Use this skill when securing web applications, preventing OWASP Top 10 vulnerabilities, implementing input validation, or designing authentication. Triggers on XSS, SQL injection, CSRF, SSRF, broken authentication, security headers, input validation, output encoding, OWASP, and any task requiring application security hardening.

Web & Frontend 164 stars 28 forks Updated yesterday MIT


Quality Score: 92/100

Stars (weight 20%): 74
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

When this skill is activated, always start your first response with the 🧢 emoji.

# AppSec - OWASP Top 10

A practitioner's guide to application security based on the OWASP Top 10 2021. This skill covers the full lifecycle of web application security - from threat modeling to concrete code patterns for preventing injection, authentication failures, XSS, CSRF, SSRF, and misconfiguration. Designed for developers who need security guidance at the code level, not just as policy.

---

## When to use this skill

Trigger this skill when the user:

- Asks how to prevent XSS, SQL injection, CSRF, or SSRF
- Implements or reviews authentication / session management
- Sets security headers (CSP, HSTS, X-Frame-Options, etc.)
- Validates or sanitizes user input
- Designs authorization logic or access controls
- Reviews code for OWASP Top 10 vulnerabilities
- Asks about output encoding, parameterized queries, or allowlists

Do NOT trigger this skill for:

- Network-level security (firewalls, VPNs, DDoS mitigation) - use a network security skill instead
- Secrets management / key rotation workflows - use a secrets management skill for those operational concerns

---

## Key principles

1. **Never trust user input** - All data from the outside world is untrusted: HTTP bodies, headers, query params, cookies, uploaded files, and even data read back from your own database that originated from user input.
2. **Defense in depth** - Apply multiple independent security controls. If one ...

Details

Author
AbsolutelySkilled
Repository
AbsolutelySkilled/AbsolutelySkilled
Created
2 months ago
Last Updated
yesterday
Language
MDX
License
MIT
