Install: claude install-skill cheemsiulord/KILO-KIT
# 🔐 Security Best Practices Skill
> **Philosophy:** Security is not optional. Build it in from the start.
## When to Use
Use this skill when:
- Implementing authentication/authorization
- Handling user input
- Working with sensitive data
- Doing security code review
- Building user-facing features
- Setting up deployment/infrastructure
**Do NOT use this skill when:**
- Just formatting code
- Pure UI/styling changes
- No user data involved
---
## Prerequisites
Before starting:
- [ ] Understand what data you're handling
- [ ] Know your threat model (who might attack)
- [ ] Have access to codebase
- [ ] Understand the tech stack
---
## OWASP Top 10 Quick Reference
### 1. Broken Access Control (A01:2021)
**What:** Users can access data/functions they shouldn't.
**Prevention:**
```typescript
// ❌ Bad: No authorization check - any authenticated (or unauthenticated) caller
// can read any user record by changing the id in the URL (IDOR)
app.get('/users/:id', async (req, res) => {
  const user = await db.users.findById(req.params.id);
  res.json(user);
});

// ✅ Good: Check ownership (or an admin role) before returning the record
app.get('/users/:id', authorize(), async (req, res) => {
  const user = await db.users.findById(req.params.id);
  if (!user) {
    throw new NotFoundException(); // never dereference a missing record
  }
  if (user.id !== req.user.id && req.user.role !== 'admin') {
    throw new ForbiddenException();
  }
  res.json(user);
});
```
**Checklist:**
- [ ] Default deny (require explicit permission)
- [ ] Verify ownership of resources
- [ ] Role-based access control implemented
- [ ] Admin functions protected
- [ ] CORS configured correctly
---
### 2. Cryptographic Failures (A02:2021)
**Wh