playbooks

home / skills / 0xdarkmatter / claude-mods / security-patterns

security-patterns skill

/skills/security-patterns

This skill helps you apply OWASP security patterns and input validation to harden web apps, reducing injection risks and protecting data.

npx playbooks add skill 0xdarkmatter/claude-mods --skill security-patterns

Review the files below or copy the command above to add this skill to your agents.

Files (8)
SKILL.md
4.8 KB
---
name: security-patterns
description: "Security patterns and OWASP guidelines. Triggers on: security review, OWASP, XSS, SQL injection, CSRF, authentication, authorization, secrets management, input validation, secure coding."
compatibility: "Language-agnostic patterns with framework-specific examples in references."
allowed-tools: "Read Write Bash Grep"
---

# Security Patterns

Essential security patterns for web applications.

## OWASP Top 10 Quick Reference

| Rank | Vulnerability | Prevention |
|------|--------------|------------|
| A01 | Broken Access Control | Check permissions server-side, deny by default |
| A02 | Cryptographic Failures | Use TLS, hash passwords, encrypt sensitive data |
| A03 | Injection | Parameterized queries, validate input |
| A04 | Insecure Design | Threat modeling, secure defaults |
| A05 | Security Misconfiguration | Harden configs, disable unused features |
| A06 | Vulnerable Components | Update dependencies, audit regularly |
| A07 | Auth Failures | MFA, rate limiting, secure session management |
| A08 | Data Integrity Failures | Verify signatures, use trusted sources |
| A09 | Logging Failures | Log security events, protect logs |
| A10 | SSRF | Validate URLs, allowlist destinations |

## Input Validation

```python
# WRONG - Trust user input
def search(query):
    return db.execute(f"SELECT * FROM users WHERE name = '{query}'")

# CORRECT - Parameterized query
def search(query):
    return db.execute("SELECT * FROM users WHERE name = ?", [query])
```

### Validation Rules
```
Always validate:
- Type (string, int, email format)
- Length (min/max bounds)
- Range (numeric bounds)
- Format (regex for patterns)
- Allowlist (known good values)

Never trust:
- URL parameters
- Form data
- HTTP headers
- Cookies
- File uploads
```

## Output Encoding

```javascript
// WRONG - Direct HTML insertion
element.innerHTML = userInput;

// CORRECT - Text content (auto-escapes)
element.textContent = userInput;

// CORRECT - Template with escaping
render(`<div>${escapeHtml(userInput)}</div>`);
```

### Encoding by Context
| Context | Encoding |
|---------|----------|
| HTML body | HTML entity encode |
| HTML attribute | Attribute encode + quote |
| JavaScript | JS encode |
| URL parameter | URL encode |
| CSS | CSS encode |

## Authentication

```python
# Password hashing (use bcrypt, argon2, or scrypt)
import bcrypt

def hash_password(password: str) -> bytes:
    return bcrypt.hashpw(password.encode(), bcrypt.gensalt(rounds=12))

def verify_password(password: str, hashed: bytes) -> bool:
    return bcrypt.checkpw(password.encode(), hashed)
```

### Auth Checklist
- [ ] Hash passwords with bcrypt/argon2 (cost factor 12+)
- [ ] Implement rate limiting on login
- [ ] Use secure session tokens (random, long)
- [ ] Set secure cookie flags (HttpOnly, Secure, SameSite)
- [ ] Implement account lockout after failed attempts
- [ ] Support MFA for sensitive operations

## Authorization

```python
# WRONG - Check only authentication
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    post.delete()

# CORRECT - Check authorization
@login_required
def delete_post(post_id):
    post = Post.get(post_id)
    if post.author_id != current_user.id and not current_user.is_admin:
        raise Forbidden("Not authorized to delete this post")
    post.delete()
```

## Secrets Management

```bash
# WRONG - Hardcoded secrets
API_KEY = "sk-1234567890abcdef"

# CORRECT - Environment variables
API_KEY = os.environ["API_KEY"]

# BETTER - Secrets manager
API_KEY = secrets_client.get_secret("api-key")
```

### Secret Handling Rules
```
DO:
- Use environment variables or secrets manager
- Rotate secrets regularly
- Use different secrets per environment
- Audit secret access

DON'T:
- Commit secrets to git
- Log secrets
- Include secrets in error messages
- Share secrets in plain text
```

## Security Headers

```
Content-Security-Policy: default-src 'self'; script-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=()
```

## Quick Security Audit

```bash
# Find hardcoded secrets
rg -i "(password|secret|api_key|token)\s*=\s*['\"][^'\"]+['\"]" --type py

# Find SQL injection risks
rg "execute\(f['\"]|format\(" --type py

# Find eval/exec usage
rg "\b(eval|exec)\s*\(" --type py

# Check for TODO security items
rg -i "TODO.*security|FIXME.*security"
```

## Additional Resources

- `./references/owasp-detailed.md` - Full OWASP Top 10 details
- `./references/auth-patterns.md` - JWT, OAuth, session management
- `./references/crypto-patterns.md` - Encryption, hashing, signatures
- `./references/secure-headers.md` - HTTP security headers guide

## Scripts

- `./scripts/security-scan.sh` - Quick security grep patterns
- `./scripts/dependency-audit.sh` - Check for vulnerable dependencies

Overview

This skill provides practical security patterns and OWASP-guided checks for web applications. It focuses on common vulnerabilities—XSS, SQL injection, CSRF, authentication/authorization, secrets handling—and delivers actionable checks and remediation patterns. Use it to run quick audits, harden code paths, and apply proven prevention techniques.

How this skill works

The skill inspects code and configuration for risky patterns (hardcoded secrets, string-based SQL queries, unsafe output insertion, missing headers). It recommends fixes like parameterized queries, context-aware encoding, secure password hashing, and secrets management. It also provides quick audit commands and a checklist-driven approach to verify controls are in place.

When to use it

  • During code reviews or pull requests to flag insecure patterns
  • When assessing an app against OWASP Top 10 risks
  • Before production deployment to verify secure defaults and headers
  • When rotating secrets or auditing credential leaks
  • When adding or changing authentication and authorization logic

Best practices

  • Validate input by type, length, range, format, and using allowlists where possible
  • Use parameterized queries and avoid building SQL with string interpolation
  • Encode output based on context (HTML, attribute, JS, URL, CSS) before rendering user data
  • Hash passwords with bcrypt/argon2 (cost >= 12), enable MFA, and rate-limit login attempts
  • Store secrets in environment variables or a secrets manager; never commit or log secrets
  • Set security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy) and keep dependencies updated

Example use cases

  • Run quick grep-based scans to find hardcoded secrets and risky eval/exec usage
  • Replace vulnerable string SQL calls with parameterized queries across the codebase
  • Add CSP and HSTS headers to the web server configuration before launch
  • Audit authentication flows: enforce secure cookies, session rotation, and account lockout policies
  • Implement output encoding for user-generated content to prevent XSS

FAQ

How do I stop SQL injection in my app?

Use parameterized queries or prepared statements everywhere and validate/normalize user input. Avoid string interpolation for SQL and review any dynamically built queries.

What is the simplest way to stop XSS?

Encode output according to the rendering context (use textContent instead of innerHTML, escape HTML entities, and use template rendering that auto-escapes). Also validate input and use a strict CSP.

Where should secrets live?

Use environment variables for runtime configuration and a secrets manager for production credentials. Rotate secrets regularly and audit access; never store secrets in source control.