
security-patterns

Security checklist covering XSS, injection, authentication, authorization, sessions, CSRF, CSP, secrets, dependency CVEs, input validation, and severity calls. Use whenever the project includes auth code, session handling, environment variable reads, user input handling, route handlers, server actions, middleware, or external API calls, OR the user asks about security, hardening, vulnerabilities, auth, authentication, authorization, sessions, cookies, XSS, CSRF, SQL injection, secrets, environment variables, CSP, headers, or reviews changes that touch user input, auth, or external data, even if "security" is not mentioned by name.
ku5ic/dotfiles · ★ 0 · API & Backend · score 72
Install: claude install-skill ku5ic/dotfiles
# Security patterns

Apply the references that match the detected stack. The severity rubric below applies cross-cuttingly.

## Severity rubric

- `failure`: exploitable, a direct leak of credentials, or missing CSRF protection on an authenticated mutating endpoint.
- `warning`: mitigated but weak (e.g. a CSP is present but allows `unsafe-inline`), or a pattern that will become exploitable if misused.
- `info`: hardening opportunity, not currently exploitable.

## Reference files

| File | Covers |
| --- | --- |
| [reference/anti-patterns.md](reference/anti-patterns.md) | Cross-cutting severity-labeled anti-patterns: SQLi, XSS injection, CSRF, secrets |
| [reference/frontend.md](reference/frontend.md) | XSS, Next.js client/server boundary, auth/sessions, JWT vs sessions, strict CSP (nonce/strict-dynamic/hash) |
| [reference/backend-django.md](reference/backend-django.md) | ORM safety, views/middleware, auth, templates, file uploads |
| [reference/backend-node.md](reference/backend-node.md) | Express/Fastify/Nest hardening, CSRF on JSON-only APIs |