home / skills / deve1993 / quickfy-website / security-auditor

security-auditor skill

not checked

/.claude/skills-main/skills-main/new_skills/security-auditor

npx playbooks add skill deve1993/quickfy-website --skill security-auditor

Review the files below or copy the command above to add this skill to your agents.

Files (4)

SKILL.md

4.9 KB

---
name: security-auditor
description: Expert in web security, XSS prevention, CSRF protection, Content Security Policy, authentication patterns, secure data handling, and dependency vulnerability scanning
allowed-tools:
  - Read
  - Write
  - Edit
  - Bash
  - Glob
  - Grep
  - Task
---

# Security Auditor

Expert skill for web application security. Specializes in XSS/CSRF prevention, CSP, authentication, secure coding practices, and vulnerability scanning.

## Core Capabilities

### 1. XSS Prevention
- **Input Sanitization**: Clean user input
- **Output Encoding**: Escape HTML/JS
- **React Auto-Escaping**: dangerouslySetInnerHTML
- **DOMPurify**: Sanitize HTML content
- **Content Security Policy**: Restrict scripts

### 2. CSRF Protection
- **CSRF Tokens**: Validate requests
- **SameSite Cookies**: Cookie security
- **Origin Verification**: Check request origin
- **Double Submit**: Cookie + header
- **State Parameter**: OAuth protection

### 3. Authentication & Authorization
- **JWT**: JSON Web Tokens
- **OAuth 2.0**: Third-party auth
- **Session Management**: Secure sessions
- **Password Hashing**: bcrypt, Argon2
- **MFA**: Multi-factor authentication
- **RBAC**: Role-based access control

### 4. Data Security
- **Encryption**: HTTPS, TLS
- **Sensitive Data**: Environment variables
- **Local Storage**: Avoid sensitive data
- **API Keys**: Secure storage
- **SQL Injection**: Parameterized queries
- **File Upload**: Validate and sanitize

### 5. Headers & CSP
- **Content-Security-Policy**: Restrict resources
- **X-Frame-Options**: Prevent clickjacking
- **X-Content-Type-Options**: MIME sniffing
- **Strict-Transport-Security**: Force HTTPS
- **Referrer-Policy**: Control referrer

### 6. Dependency Security
- **npm audit**: Check vulnerabilities
- **Snyk**: Continuous monitoring
- **Dependabot**: Auto-update deps
- **OWASP**: Security standards

## XSS Prevention

```tsx
// ✅ GOOD - React auto-escapes
function SafeComponent({ userInput }: { userInput: string }) {
  return <div>{userInput}</div>
}

// ❌ DANGEROUS - Don't use unless sanitized
function DangerousComponent({ html }: { html: string }) {
  return <div dangerouslySetInnerHTML={{ __html: html }} />
}

// ✅ GOOD - Sanitize with DOMPurify
import DOMPurify from 'dompurify'

function SafeHTML({ html }: { html: string }) {
  const clean = DOMPurify.sanitize(html)
  return <div dangerouslySetInnerHTML={{ __html: clean }} />
}
```

## Content Security Policy

```typescript
// CSP Headers
const cspDirectives = {
  'default-src': ["'self'"],
  'script-src': ["'self'", "'unsafe-inline'", 'https://cdn.example.com'],
  'style-src': ["'self'", "'unsafe-inline'"],
  'img-src': ["'self'", 'data:', 'https:'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'connect-src': ["'self'", 'https://api.example.com'],
  'frame-ancestors': ["'none'"],
}

// Express middleware
app.use((req, res, next) => {
  res.setHeader(
    'Content-Security-Policy',
    Object.entries(cspDirectives)
      .map(([key, value]) => `${key} ${value.join(' ')}`)
      .join('; ')
  )
  next()
})
```

## Secure Authentication

```typescript
// JWT Authentication
import jwt from 'jsonwebtoken'

export function generateToken(userId: string): string {
  return jwt.sign(
    { userId },
    process.env.JWT_SECRET!,
    { expiresIn: '1h' }
  )
}

export function verifyToken(token: string) {
  try {
    return jwt.verify(token, process.env.JWT_SECRET!)
  } catch {
    return null
  }
}

// Secure cookie options
res.cookie('token', token, {
  httpOnly: true,
  secure: process.env.NODE_ENV === 'production',
  sameSite: 'strict',
  maxAge: 3600000,
})
```

## Input Validation

```typescript
// Validate and sanitize user input
import validator from 'validator'

export function validateEmail(email: string): boolean {
  return validator.isEmail(email)
}

export function sanitizeInput(input: string): string {
  return validator.escape(input)
}

// Zod schema validation
import { z } from 'zod'

const loginSchema = z.object({
  email: z.string().email(),
  password: z.string().min(8),
})

// Validate before processing
const result = loginSchema.safeParse(userInput)
if (!result.success) {
  throw new Error('Invalid input')
}
```

## Best Practices

- Never trust user input
- Use HTTPS everywhere
- Implement CSP headers
- Store secrets in environment variables
- Use secure cookie settings
- Regular dependency audits
- Implement rate limiting
- Log security events
- Keep dependencies updated

## When to Use This Skill

Use when you need to:
- Audit security vulnerabilities
- Implement XSS/CSRF protection
- Set up Content Security Policy
- Secure authentication flow
- Handle sensitive data
- Scan dependencies for vulnerabilities
- Review secure coding practices

## Output Format

Provide:
1. **Security Audit**: Identified vulnerabilities
2. **CSP Configuration**: Header setup
3. **Input Sanitization**: Validation code
4. **Authentication**: Secure auth implementation
5. **Dependency Report**: Vulnerability scan
6. **Best Practices**: Security checklist