
pitfalls-security

Security patterns for session keys, caching, logging, and environment variables. Use when implementing authentication, caching sensitive data, or setting up logging. Triggers on: session key, private key, cache, logging, secrets, environment variable.
aiskillstore/marketplace · ★ 329 · Data & Documents · score 79
Install: claude install-skill aiskillstore/marketplace
# Security Pitfalls

Common pitfalls and correct patterns for security.

## When to Use

- Implementing session key management
- Caching data (especially sensitive data)
- Setting up structured logging
- Handling environment variables
- Reviewing security-sensitive code

## Workflow

### Step 1: Check Key Storage

Verify that no private keys are stored in plaintext.

### Step 2: Verify Cache Safety

Ensure sensitive data is not cached inappropriately.

### Step 3: Check Logging

Confirm that no secrets appear in logs.

---

## Session Key Security

```typescript
import { createCipheriv, randomBytes } from 'crypto';

// ❌ NEVER store private keys in browser storage
localStorage.setItem('privateKey', key); // CATASTROPHIC: readable by any script running on the origin

// ✅ Use session keys with limited permissions
interface SessionKey {
  address: Address;
  permissions: Permission[];
  expiresAt: Date;
  maxPerTrade: bigint;
}

// ✅ AES-256-GCM for any stored credentials
// `key` must be 32 bytes; generate a fresh IV for every encryption
const iv = randomBytes(16);
const cipher = createCipheriv('aes-256-gcm', key, iv);

// ✅ Audit logging for all key operations
await auditLog.create({
  action: 'SESSION_KEY_CREATED',
  userId,
  metadata: { permissions, expiresAt },
});
```

## Environment Variables

```typescript
// Frontend (Vite)
const apiUrl = import.meta.env.VITE_API_URL; // ✅ VITE_ prefix required
// ❌ process.env.API_URL won't work in frontend

// Backend
const dbUrl = process.env.DATABASE_URL;

// ❌ NEVER log secrets
console.log('Config:', config); // May contain secrets!

// ✅ Log safely
console.log('Config loaded for:', conf
```