
nodejs-express-security

Security audit for Node.js HTTP servers using Express, Koa, Hapi, or plain http/https — covering middleware ordering, body parser config, helmet usage, session management with express-session, CORS configuration, error handling, file upload patterns (multer/busboy), and common Node-specific vulnerabilities like prototype pollution, ReDoS, and event loop blocking. Use this skill whenever the user mentions Express, Koa, Hapi, express-session, helmet, multer, body-parser, Node.js server, npm packages with known CVEs, or asks "audit my Express app", "Node.js security review", "is my Express middleware safe", "Koa security". Trigger when the codebase contains `require('express')`, `from 'express'`, `express()`, `new Koa()`, or similar Node HTTP server patterns.
hlsitechio/claude-skills-security · ★ 1 · API & Backend · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# Node.js HTTP Server Security Audit

Audit Node.js backend code for vulnerabilities in HTTP servers built on Express, Koa, Hapi, or the standard library. Defensive find-and-fix.

## When this skill applies

- Reviewing Express / Koa / Hapi route handlers and middleware
- Auditing middleware order and configuration
- Reviewing file upload pipelines
- Checking error handling for info disclosure
- Identifying Node-specific risks (prototype pollution, event loop blocking, ReDoS, path traversal)
- Reviewing third-party Node packages for known issues

Use other skills for: NestJS (`nestjs-security`), Fastify (`fastify-security`), Hono (`hono-security`), Next.js API routes (`nextjs-security`), ORM-specific concerns (`prisma-orm-security`, `mongoose-mongodb-security`), generic patterns (`saas-security-pack/saas-code-security-review`).

## Workflow

Follow `../_shared/audit-workflow.md`. Node-specific notes below.

### Phase 1: Stack detection

```bash
# Identify framework. Current Hapi and NestJS ship as scoped packages
# (@hapi/hapi, @nestjs/core), so match those names as well as the bare ones.
node -e "const p=require('./package.json'); console.log(Object.keys({...p.dependencies, ...p.devDependencies}).filter(k => /^(express|koa|hapi|@hapi\/hapi|fastify|@nestjs\/core|hono)$/.test(k)))"

# Node version (installed, and the engines constraint the project declares)
node --version
grep '"node":' package.json
```

### Phase 2: Inventory

```bash
# Entry point
grep -E '"main"|"start"' package.json

# Route definitions (app-level and Router-level registrations)
grep -rn 'app\.\(get\|post\|put\|delete\|patch\|use\)\|router\.\(get\|post\|put\|delete\|patch\|use\)' src/ | head -50

# Middleware chain (often in app.js / server.js / index.js)
grep -rn 'app\.use(
```
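The "Node-specific risks" bullet names prototype pollution without showing how it reaches an Express app. The following is an added example, not code from this skill or its repository: the recursive deep merge of `req.body` into a server-side object that sits behind many real findings, beside a hardened merge, plus an Express-style middleware that rejects bodies carrying `__proto__`, `constructor` or `prototype` keys at any depth. It uses only Node built-ins so it runs without Express installed; the function names, the `(req, res, next)` middleware, the suggested `app.use` ordering in the comment and the `demonstrate` helper are assumptions made for the demonstration.

```javascript
// Added example, not code from the nodejs-express-security skill or its repository.
// Uses only Node built-ins so it runs without Express installed.

// Vulnerable: a recursive merge of a parsed JSON body into a server-side object.
// JSON.parse('{"__proto__": {...}}') creates an own property literally named
// "__proto__"; on the target, target["__proto__"] reads through to Object.prototype,
// so the recursion writes the attacker's keys onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip the three keys that lead to a prototype, and only recurse into
// an object the target actually owns (never into something inherited).
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const ownObject = Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] !== null && typeof target[key] === 'object';
      if (!ownObject) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Walks a parsed body and reports whether any nesting level carries a forbidden key.
function containsForbiddenKey(value) {
  if (value === null || typeof value !== 'object') return false;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key) || containsForbiddenKey(value[key])) return true;
  }
  return false;
}

// Express-style middleware (assumed name). Mount it after the body parser and before
// the routes, e.g. app.use(express.json({ limit: '100kb' })); app.use(rejectPollutedBody);
// Express's res extends http.ServerResponse, so statusCode/end work in both.
function rejectPollutedBody(req, res, next) {
  if (containsForbiddenKey(req.body)) {
    res.statusCode = 400;
    res.end('Bad Request');
    return;
  }
  next();
}

// Runs the attack against a merge function and reports whether an unrelated object
// gained the attacker's property. Cleans up so the rest of the process is unaffected.
function demonstrate(merge) {
  // Constructed payload, exactly as a client would send it in a JSON body:
  const body = JSON.parse('{"name": "alice", "__proto__": {"isAdmin": true}}');
  const profile = merge({ name: 'guest' }, body);
  const victim = {};
  const result = { polluted: victim.isAdmin === true, profileIsAdmin: profile.isAdmin, name: profile.name };
  delete Object.prototype.isAdmin;
  return result;
}
```

When auditing, grep for hand-written merge/extend/`setPath` helpers and for old versions of libraries that implement them (lodash `merge`, `deep-extend`, `set-value` and the like): the middleware above is a backstop, and the real fix is a merge that refuses the three keys.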
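For the file upload and path traversal items, here is a second added example (again not the skill's own code): a download handler that joins `req.query.file` onto the upload directory, the corrected resolve-and-prefix check, and a stored-filename generator that ignores the client-supplied `originalname` (what multer exposes) except for an allowlisted extension. `UPLOAD_ROOT`, the extension allowlist and the handler names are assumed for the demonstration; `path.posix` is used so the results are the same on every platform.

```javascript
// Added example, not code from the nodejs-express-security skill or its repository.
const path = require('path');
const crypto = require('crypto');

// Assumed upload directory for the demonstration.
const UPLOAD_ROOT = path.posix.resolve('/srv/app/uploads');

// Vulnerable: path.join normalises "..", so "../../etc/passwd" walks out of the root.
function unsafeResolve(userPath) {
  return path.posix.join(UPLOAD_ROOT, userPath);
}

// Hardened: reject NUL bytes (fs would throw, but fail early and explicitly), resolve to an
// absolute path, then require the result to be strictly inside "<root>/". A bare
// startsWith(UPLOAD_ROOT) would also accept a sibling such as /srv/app/uploads-old.
function safeResolve(userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) return null;
  const resolved = path.posix.resolve(UPLOAD_ROOT, userPath);
  return resolved.startsWith(UPLOAD_ROOT + '/') ? resolved : null;
}

// Express-style handler (assumed name). Query values can be arrays when the client repeats
// a parameter, so insist on a string. Returns the path it would serve, or null after
// answering 400, so the decision can be tested without a socket.
function downloadHandler(req, res) {
  const requested = typeof req.query.file === 'string' ? req.query.file : '';
  const target = safeResolve(requested);
  if (target === null) {
    res.statusCode = 400;
    res.end('Bad Request');
    return null;
  }
  // In a real handler: res.sendFile(target) or fs.createReadStream(target).pipe(res)
  return target;
}

const ALLOWED_EXT = new Set(['.png', '.jpg', '.jpeg', '.pdf']); // assumed allowlist

// Never use the client's originalname as the on-disk name: strip any directory part
// (including Windows separators), allowlist the extension, and generate the name itself.
function storedUploadName(originalname) {
  const base = path.posix.basename(String(originalname).replace(/\\/g, '/'));
  const ext = path.posix.extname(base).toLowerCase();
  if (!ALLOWED_EXT.has(ext)) return null;
  return crypto.randomUUID() + ext;
}
```

The extension allowlist only controls what name the file gets on disk; content-type sniffing and where the files are served from (a path that never executes server-side code) are separate review items.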