playbooks

home / skills / shipshitdev / library / security-expert

security-expert skill

/bundles/infrastructure/skills/security-expert

This skill helps secure React, Next.js, and NestJS apps by applying authentication, authorization, data protection, and security best practices.

npx playbooks add skill shipshitdev/library --skill security-expert

Review the files below or copy the command above to add this skill to your agents.

Files (3)
SKILL.md
2.8 KB
---
name: security-expert
description: Expert in application security, OWASP Top 10, authentication, authorization, data protection, and security best practices for React, Next.js, and NestJS applications
---

# Security Expert Skill

Expert in application security for React, Next.js, and NestJS applications.

## When to Use This Skill

- Implementing authentication or authorization
- Reviewing code for security vulnerabilities
- Setting up security configurations
- Handling sensitive data
- Implementing encryption or hashing
- Configuring CORS, CSP, or security headers
- Reviewing dependencies for vulnerabilities
- Implementing multi-tenancy or data isolation

## Project Context Discovery

1. Check `.agents/SYSTEM/ARCHITECTURE.md` for security architecture
2. Review `.agents/SYSTEM/critical/CRITICAL-NEVER-DO.md` for security rules
3. Identify security patterns and tools
4. Check for `[project]-security-expert` skill

## Core Security Principles

### Authentication & Authorization

**Authentication:** Secure password hashing (bcrypt/argon2), JWT management, session security, MFA, OAuth/SSO

**Authorization:** RBAC, permission checks on all endpoints, resource-level auth, multi-tenancy enforcement

### Input Validation

- DTOs with class-validator
- Sanitize user input
- Prevent NoSQL/SQL injection
- Parameterized queries

### Data Protection

- Encryption at rest and in transit
- Passwords hashed (never plaintext)
- Environment variables for secrets
- No secrets in code

### Security Headers

- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- Strict-Transport-Security
- Content Security Policy

## OWASP Top 10 Quick Reference

1. **Broken Access Control:** Verify auth on all endpoints
2. **Cryptographic Failures:** Strong encryption, proper hashing
3. **Injection:** Parameterized queries, input validation
4. **Insecure Design:** Security by design, threat modeling
5. **Security Misconfiguration:** Secure defaults, remove unused features
6. **Vulnerable Components:** Keep dependencies updated
7. **Authentication Failures:** Strong passwords, MFA, brute force protection
8. **Integrity Failures:** Secure CI/CD, code signing
9. **Logging Failures:** Comprehensive logging, monitoring
10. **SSRF:** Validate URLs, whitelist domains

## Security Checklist Summary

- [ ] Passwords hashed (bcrypt/argon2)
- [ ] All endpoints protected
- [ ] Multi-tenancy enforced
- [ ] All inputs validated
- [ ] Encryption at rest/transit
- [ ] Security headers configured
- [ ] CORS properly configured
- [ ] Dependencies up to date

---

**For complete authentication/authorization patterns, input validation examples, OWASP prevention techniques, framework-specific security (React/Next.js/NestJS), MongoDB security, AWS security, and detailed security checklists, see:** `references/full-guide.md`

Overview

This skill is an application security expert focused on React, Next.js, and NestJS. It provides pragmatic guidance on authentication, authorization, data protection, and OWASP Top 10 mitigations. Use it to review code, design secure flows, and harden configurations across frontend and backend stacks.

How this skill works

The skill inspects authentication and authorization patterns, checks password hashing and token management, and evaluates input validation and data protection. It audits security headers, CORS/CSP settings, dependency risks, and multi-tenancy controls, then recommends targeted fixes and best-practice implementations. It can produce checklists, code snippets, and configuration changes for the specific framework in your project.

When to use it

  • Implementing or reviewing authentication and authorization flows
  • Performing a security review or threat modeling session
  • Configuring security headers, CORS, and CSP for web apps
  • Handling sensitive data, encryption, or secret management
  • Auditing dependencies and vulnerable components
  • Designing or validating multi-tenancy and resource isolation

Best practices

  • Hash passwords with strong algorithms (bcrypt or argon2) and never store plaintext secrets
  • Validate and sanitize all input; use parameterized queries and DTO validation
  • Enforce authorization on every endpoint and perform resource-level checks
  • Enable TLS, encrypt data at rest, and keep secrets in environment variables or vaults
  • Set security headers (HSTS, X-Frame-Options, X-Content-Type-Options, CSP) and configure strict CORS rules
  • Keep dependencies up to date and run regular vulnerability scans

Example use cases

  • Review a Next.js app for auth flow issues and recommend secure JWT/session handling
  • Harden a NestJS API: add RBAC, validate DTOs, and configure security headers
  • Audit frontend React code for XSS vectors and suggest CSP and sanitization improvements
  • Design multi-tenant data isolation and access controls for a SaaS backend
  • Create a checklist for CI/CD integrity: secret scanning, code signing, and deployment protections

FAQ

Which password hashing algorithm should I use?

Use argon2 or bcrypt with appropriate cost parameters; prefer argon2 for new implementations and enforce salted hashes.

How do I prevent injection attacks?

Use parameterized queries, ORM query builders, and strict input validation and sanitization; never concatenate user input into queries.