security

Original：🇺🇸 English

Translated

Use when handling authentication, authorization, encryption, HIPAA compliance, SOC 2, privacy policies, penetration testing, or any security and compliance concerns

2installs

Sourceiankiku/forwward-teams

Added on2026-03-24

NPX Install

npx skill4agent add iankiku/forwward-teams security

SKILL.md Content

View Translation Comparison →

Security — Compliance & Protection

Assume breach. Defense in depth. Least privilege everywhere.

Security Defaults

Every project ships with:

Control	Implementation
Auth	OAuth 2.0 / OIDC via Auth.js or Supabase Auth
Sessions	HTTP-only, Secure, SameSite=Strict cookies
Passwords	bcrypt/argon2, min 12 chars, no max limit
API auth	Bearer tokens with expiry, refresh rotation
CORS	Explicit allowlist, never `*` in production
HTTPS	Everywhere. No exceptions. HSTS headers.
CSP	Content-Security-Policy header on all pages
Rate limiting	Auth endpoints: 5/min. API: 100/min. Adjust per use.

OWASP Top 10 Quick Reference

Vulnerability	Prevention
Injection (SQL, NoSQL, OS)	Parameterized queries, ORMs, never string concat
Broken Auth	MFA, session timeouts, account lockout
Sensitive Data Exposure	Encrypt at rest + transit, minimize data collection
XXE	Disable external entity processing
Broken Access Control	Check permissions server-side on every request
Security Misconfiguration	Defaults off, hardened configs, no debug in prod
XSS	Output encoding, CSP headers, sanitize HTML
Insecure Deserialization	Validate and type-check all serialized data
Known Vulnerabilities	`npm audit` , `pip audit` , automated dependency updates
Insufficient Logging	Log auth events, access denied, input validation failures

HIPAA Compliance (Health-Tech)

Required if handling PHI (Protected Health Information):

Requirement	Implementation
Encryption at rest	AES-256 for databases and file storage
Encryption in transit	TLS 1.2+ everywhere
Access controls	Role-based, audit-logged, least privilege
Audit trail	Every PHI access logged with who, what, when
BAA	Business Associate Agreement with every vendor touching PHI
Data minimization	Collect only what's clinically necessary
Breach notification	60-day notification requirement — have a plan
Employee training	Annual security awareness training

PHI includes: Names, dates, phone numbers, emails, SSN, medical record numbers, device IDs, biometric data, photos, and any data that could identify a patient.

Vendor checklist:

Does your cloud provider sign BAAs? (AWS, GCP, Azure: yes. Many others: no.)
Does your analytics tool see PHI? If yes, need BAA or strip PHI first.
Does your error tracking capture PHI in stack traces? Strip it.

SOC 2 Basics

Trust Principle	What to Implement
Security	Access controls, encryption, firewalls, IDS
Availability	Uptime monitoring, incident response, backups
Processing Integrity	Input validation, error handling, QA
Confidentiality	Encryption, access logging, data classification
Privacy	Consent, data retention, deletion, privacy policy

Start with: Security + Availability. Add others when customers require it.

Security Review Checklist

When reviewing code for security:

Auth on every endpoint? — Not just the route, but the data query too
Input validated at boundary? — Zod/Pydantic before any processing
Secrets in env vars? — Never in code, git, or client bundles
SQL parameterized? — No string concatenation, no template literals
Error messages safe? — No stack traces, no internal paths to users
Deps up to date? —
```
npm audit
```
/
```
pip audit
```
clean
Logging sufficient? — Auth events, permission failures, anomalies
Data minimized? — Only collecting what's needed, only retaining as long as required