defending-applications

Solid

Application security defense knowledge for builders, not pentesters. Covers Web/API/GraphQL hardening (XSS/SQLi/SSRF/IDOR/BOLA/Mass Assignment/deserialization/upload/path traversal), authentication/authorization (OAuth 2.0/OIDC/JWT/Session/Cookie/SAML/SSO), and LLM application security (prompt injection, jailbreak, RAG poisoning, agent privilege escalation, output filtering). Use when designing or reviewing application-layer defenses, fixing CVE-class bugs in your own code, hardening auth flows, or threat-modeling LLM-powered features. Do NOT use for offensive testing (see securing-systems/pentest), incident response (see securing-systems/blue-team), or infra-layer hardening (see provisioning-infrastructure).

AI & Automation 228 stars 30 forks Updated today MIT

Install

View on GitHub

Quality Score: 91/100

Stars 20%

Recency 20%

100

Frontmatter 20%

Documentation 15%

100

Issue Health 10%

License 10%

100

Description 5%

100

Skill Content

# 应用安全防御 · 镇魔甲 > **开发侧防御秘典**：站在 builder 一侧，把漏洞挡在合并前。 > 不教渗透，只教"如何写出杀不动的代码"和"如何把已生漏洞最小代价闭环"。 > 信级：项目源码/lock 文件 > 框架官方安全文档 > CVE/CWE > 训练记忆（标 `[unverified]`）。 ## 路由 | 意图 | 加载 | 触发词 | |------|------|--------| | Web/API/GraphQL 漏洞防御 | [web-api-appsec](references/web-api-appsec.md) | XSS, SQLi, SSRF, BOLA, IDOR, Mass Assignment, GraphQL, 反序列化, 文件上传, 路径遍历, XXE, OWASP | | 认证授权与会话 | [oauth-and-sessions](references/oauth-and-sessions.md) | OAuth, OIDC, JWT, SSO, SAML, Session, Cookie, PKCE, refresh token, kid 注入 | | LLM 应用安全 | [llm-appsec](references/llm-appsec.md) | Prompt 注入, 越狱, 越权调用, RAG 投毒, agent tool 滥用, 输出过滤, jailbreak | ## 何时使用 | 场景 | 使用本 skill | 使用其他 | |------|--------------|----------| | review 自家代码、修 CVE、设计鉴权 | ✅ 本 skill | — | | 写 SAST 规则、Semgrep 模式 | ✅ 本 skill + securing-systems/code-audit | — | | 设计 LLM 应用的 guardrail | ✅ llm-appsec | + building-agent-systems/llm-security | | 红队渗透、写 PoC 攻击别人 | ❌ | securing-systems/pentest | | 处理已发生的入侵、日志取证 | ❌ | securing-systems/blue-team | | 容器/K8s/CI 加固 | ❌ | provisioning-infrastructure | | 设计零信任、身份架构 | 部分（OAuth/SSO 内） | architecting-security | ## 联动 - **securing-systems/code-audit**：本 skill 给"怎么修"，code-audit 给"怎么找"。 - **securing-systems/pentest**：攻方视角验证本 skill 的修复是否真正闭环。 - **analyzing-security**：自动化扫描胶水；本 skill 提供规则语义。 - **building-agent-systems/llm-security**：agent 内部细节；本 skill 关注应用边界。 - **designing-architectures**：威胁建模、API 设计；本 skill 关注落地代码。 ## 执行链 ``` 威胁建模 → 入口梳理 → source→sink 追踪 → 防御层选型 → 最小修复 → 回归测试 → 检测信号埋点 ``` 每个漏洞的修复必须...

Details

Author: telagod
Repository: telagod/code-abyss
Created: 4 months ago
Last Updated: today
Language: JavaScript
License: MIT

Integrates with

OAuth · Auth GraphQL · API

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Solid

securing-systems

Security engineering router for authorized assessments and defensive engineering. Covers penetration testing, code auditing, red/blue/purple team operations, threat intelligence, and vulnerability research. For specialized application security, cloud security, detection engineering, or security architecture, route to dedicated skills (defending-applications, securing-cloud-and-supply-chain, detecting-and-responding, architecting-security).

228 Updated today

telagod

Testing & QA Listed

security-specialist

安全专家。专注于应用安全、威胁建模、安全合规和数据保护。提供安全审查、漏洞扫描、安全配置和合规检查。用于构建安全可靠的应用系统。

39 Updated 5 days ago

huangwb8

AI & Automation Solid

securing-cloud-and-supply-chain

云原生与软件供应链安全防御。容器/K8s 加固、Service Mesh、CI/CD 安全、SLSA/SBOM/Sigstore、云 IAM、Secrets 管理、IaC 安全。Use when hardening Kubernetes clusters, auditing CI/CD pipelines, implementing supply chain security, managing cloud IAM, or reviewing IaC code.

228 Updated today

telagod