playbooks

home / skills / williamzujkowski / standards / input-validation

input-validation skill

/skills/security/input-validation

This skill helps you enforce secure input validation in Python applications, applying best-practice patterns, thorough testing, and maintainable, observable

npx playbooks add skill williamzujkowski/standards --skill input-validation

Review the files below or copy the command above to add this skill to your agents.

Files (4)
SKILL.md
2.0 KB
---
name: input-validation
description: Input-Validation standards for input validation in Security environments.
---

# Input Validation

> **Quick Navigation:**
> Level 1: [Quick Start](#level-1-quick-start) (5 min) → Level 2: [Implementation](#level-2-implementation) (30 min) → Level 3: [Mastery](#level-3-mastery-resources) (Extended)

---

## Level 1: Quick Start

### Core Principles

1. **Best Practices**: Follow industry-standard patterns for security
2. **Security First**: Implement secure defaults and validate all inputs
3. **Maintainability**: Write clean, documented, testable code
4. **Performance**: Optimize for common use cases

### Essential Checklist

- [ ] Follow established patterns for security
- [ ] Implement proper error handling
- [ ] Add comprehensive logging
- [ ] Write unit and integration tests
- [ ] Document public interfaces

### Quick Links to Level 2

- [Core Concepts](#core-concepts)
- [Implementation Patterns](#implementation-patterns)
- [Common Pitfalls](#common-pitfalls)

---

## Level 2: Implementation

### Core Concepts

This skill covers essential practices for security.

**Key areas include:**

- Architecture patterns
- Implementation best practices
- Testing strategies
- Performance optimization

### Implementation Patterns

Apply these patterns when working with security:

1. **Pattern Selection**: Choose appropriate patterns for your use case
2. **Error Handling**: Implement comprehensive error recovery
3. **Monitoring**: Add observability hooks for production

### Common Pitfalls

Avoid these common mistakes:

- Skipping validation of inputs
- Ignoring edge cases
- Missing test coverage
- Poor documentation

---

## Level 3: Mastery Resources

### Reference Materials

- [Related Standards](../../docs/standards/)
- [Best Practices Guide](../../docs/guides/)

### Templates

See the `templates/` directory for starter configurations.

### External Resources

Consult official documentation and community best practices for security.

Overview

This skill defines input-validation standards for secure software development in Python environments. It gives concise, battle-tested patterns to start projects quickly with secure defaults, testability, and performance in mind. The guidance is focused on practical, production-proven checks and implementation patterns.

How this skill works

The skill inspects common input sources and prescribes validation rules, error handling, logging, and testing strategies to reduce attack surface and prevent common failures. It presents levels from Quick Start to Mastery: core principles, implementation patterns, and resources for deepening expertise. Use the patterns to integrate validation into architecture, add observability, and enforce secure defaults across services.

When to use it

  • At project start to set secure defaults for inputs
  • Before exposing any public API or user-facing endpoint
  • During code reviews to evaluate input handling and error management
  • When writing unit and integration tests that exercise input boundaries
  • When hardening services for production observability and monitoring

Best practices

  • Validate all external inputs using allowlists and type checks rather than blacklists
  • Fail securely: return safe defaults and avoid leaking internal state in errors
  • Log validation failures with context but without sensitive data
  • Write focused unit and integration tests covering edge cases and malformed inputs
  • Use layered validation: boundary checks, schema validation, and business-rule enforcement

Example use cases

  • Define request payload schemas and enforce them at the web framework boundary
  • Implement CLI argument parsing with strict type and range checks
  • Harden RPC and message consumers by validating message formats and metadata before processing
  • Add observability hooks that emit metrics and structured logs for validation failures
  • Create reusable validation utilities and include them in CI tests to prevent regressions

FAQ

What should I validate first, shape or semantics?

Start with shape and type (schema) at the boundary, then validate semantics and business rules once data is parsed and typed.

How do I avoid logging secrets during validation failures?

Mask or redact sensitive fields before logging and restrict logs to contextual metadata rather than raw payloads.