
security-patterns (listed)

Security patterns and OWASP guidelines. Triggers on: security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding.
aiskillstore/marketplace · ★ 329 · Code & Development · score 82
Install: claude install-skill aiskillstore/marketplace
# Security Patterns

Essential security patterns for web applications.

## OWASP Top 10 Quick Reference

| Rank | Vulnerability | Prevention |
|------|--------------|------------|
| A01 | Broken Access Control | Check permissions server-side, deny by default |
| A02 | Cryptographic Failures | Use TLS, hash passwords, encrypt sensitive data |
| A03 | Injection | Parameterized queries, validate input |
| A04 | Insecure Design | Threat modeling, secure defaults |
| A05 | Security Misconfiguration | Harden configs, disable unused features |
| A06 | Vulnerable Components | Update dependencies, audit regularly |
| A07 | Auth Failures | MFA, rate limiting, secure session management |
| A08 | Data Integrity Failures | Verify signatures, use trusted sources |
| A09 | Logging Failures | Log security events, protect logs |
| A10 | SSRF | Validate URLs, allowlist destinations |

## Input Validation

```python
# WRONG - Trust user input
def search(query):
    return db.execute(f"SELECT * FROM users WHERE name = '{query}'")

# CORRECT - Parameterized query
def search(query):
    return db.execute("SELECT * FROM users WHERE name = ?", [query])
```

### Validation Rules

```
Always validate:
- Type (string, int, email format)
- Length (min/max bounds)
- Range (numeric bounds)
- Format (regex for patterns)
- Allowlist (known good values)

Never trust:
- URL parameters
- Form data
- HTTP headers
- Cookies
- File uploads
```

## Output Encoding

```javascript
// WRONG - Direct HTML insertion
ele
```
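The Input Validation section and its Validation Rules list, worked through as one runnable example (added here; not code from the skill itself). It assumes a constructed in-memory SQLite `users` table, a hypothetical username format rule and a hypothetical role allowlist, and applies the page's type, length, format and allowlist checks before the parameterized query; the apostrophe in a legitimate name like `o'brien` shows why the placeholder, not escaping, is what keeps user data out of the SQL grammar.

```python
import re
import sqlite3

# Constructed sample database for this example (not from the original page).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    return db

# Format rule (assumed): usernames come from a short, known character set.
NAME_RE = re.compile(r"[A-Za-z0-9_.'-]{1,32}")
# Allowlist rule (assumed): role must be one of a fixed set of known-good values.
ALLOWED_ROLES = frozenset({"admin", "user"})

def validate_search(query, role):
    """Apply the page's rules in order: type, length, format, allowlist.
    Raises ValueError naming the first rule that fails."""
    if not isinstance(query, str) or not isinstance(role, str):
        raise ValueError("type")
    if not 1 <= len(query) <= 32:
        raise ValueError("length")
    if not NAME_RE.fullmatch(query):
        raise ValueError("format")
    if role not in ALLOWED_ROLES:
        raise ValueError("allowlist")
    return query, role

def search(db, query, role):
    """Validate first, then bind values with placeholders so the driver
    never parses user data as SQL (the page's CORRECT pattern)."""
    query, role = validate_search(query, role)
    rows = db.execute("SELECT name FROM users WHERE name = ? AND role = ?",
                      (query, role)).fetchall()
    return [name for (name,) in rows]

def rejected_rule(query, role):
    """Name of the validation rule that rejects the input, or None if accepted."""
    try:
        validate_search(query, role)
    except ValueError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    db = make_db()
    print(search(db, "alice", "admin"))
    print(search(db, "o'brien", "user"))
    print(rejected_rule("<alice>", "user"))
```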