security-checklist

Security Checklist for AI Coding Assistants

This is a strict guideline. Follow these rules exactly.
Critical security rules to follow when generating or modifying code.

Never Commit These Files

Environment files with actual values:
.env
.env.local
.env.development
.env.production
.env.test
.env.*
Always commit templates (no actual values):
.env_TEMPLATE
.env.example
Required gitignore patterns:
```gitignore
# Environment files
.env
.env.*
!.env_TEMPLATE
!.env.example

# AWS credentials
.aws/credentials
.aws/config

# SSH keys
*.pem
id_rsa
id_ed25519
```

Never Hardcode Secrets

❌ Never do this:
```typescript
const apiKey = 'sk-1234567890abcdef';
const dbPassword = 'mypassword123';
const awsAccessKey = 'AKIAIOSFODNN7EXAMPLE';
```
✅ Always do this:
```typescript
// Runtime: Load from environment
const apiKey = process.env.API_KEY;
if (!apiKey) throw new Error('API_KEY not set');

// Infrastructure: Reference from Secrets Manager/SSM
// (inside a CDK construct; `secretsmanager` is the aws-cdk-lib/aws-secretsmanager module)
const secret = secretsmanager.Secret.fromSecretNameV2(
  this, 'ApiKey',
  '/project/prod/api-key'
);
```

Secret Storage

Use appropriate AWS services:
  • Secrets Manager: Passwords, API keys, database credentials, tokens
  • SSM Parameter Store (SecureString): Sensitive configuration values
  • SSM Parameter Store (String): Non-sensitive configuration
Never:
  • Hardcode secrets in code
  • Commit secrets to git
  • Log secrets to console/CloudWatch
  • Pass secrets in URLs or query parameters

Token Handling in Frontend

❌ Never expose sensitive tokens:
```typescript
// Don't put backend API keys in frontend code
const token = 'secret-backend-token';
```
✅ Use appropriate auth methods:
```typescript
// Use public API keys or user-specific tokens
// NEXT_PUBLIC_* values are inlined into the client bundle: only values designed to be public belong there
const publicKey = process.env.NEXT_PUBLIC_API_KEY; // Public, safe to expose
const userToken = cookies.get('auth-token'); // User-specific, from auth flow (`cookies` is the framework's cookie accessor)
```

Environment Variable Validation

Always validate required secrets exist:
```typescript
// At application startup
const required = ['DATABASE_URL', 'API_KEY', 'JWT_SECRET'];
const missing = required.filter(key => !process.env[key]);

if (missing.length > 0) {
  throw new Error(`Missing required secrets: ${missing.join(', ')}`);
}
```
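An added example (not part of the checklist) that takes the startup check one step further: the required names are validated, and the secret-bearing values are wrapped so that `console.log`, `JSON.stringify` and string interpolation print `[REDACTED]`, which also covers the "no secrets in console.log or error messages" item. `loadConfig`, `makeSecret` and `LOG_LEVEL` are names chosen here; the environment is passed in as an object instead of read from `process.env` so the function can be exercised with constructed input.

```typescript
// Added example, not from the checklist: startup validation plus a Secret wrapper
// that does not leak its value through console.log, JSON.stringify or `${...}`.
type EnvSource = Record<string, string | undefined>;

interface Secret {
  reveal(): string;   // the only way to read the value; easy to grep for in review
  toString(): string;
  toJSON(): string;
}

function makeSecret(value: string): Secret {
  // The value lives in a closure: spreading, Object.keys or console.log on the
  // returned object show only functions, never the secret itself.
  return {
    reveal: () => value,
    toString: () => '[REDACTED]',
    toJSON: () => '[REDACTED]',
  };
}

interface Config {
  databaseUrl: Secret;  // connection strings usually embed a password
  apiKey: Secret;
  jwtSecret: Secret;
  logLevel: string;     // non-sensitive, stays a plain string (LOG_LEVEL is a name chosen here)
}

const REQUIRED = ['DATABASE_URL', 'API_KEY', 'JWT_SECRET'];

function loadConfig(env: EnvSource): Config {
  const missing = REQUIRED.filter(key => !env[key]);
  if (missing.length > 0) {
    // Name the missing variables; never echo any value that is present
    throw new Error(`Missing required secrets: ${missing.join(', ')}`);
  }
  return {
    databaseUrl: makeSecret(env['DATABASE_URL'] as string),
    apiKey: makeSecret(env['API_KEY'] as string),
    jwtSecret: makeSecret(env['JWT_SECRET'] as string),
    logLevel: env['LOG_LEVEL'] ?? 'info',
  };
}
```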

Code Review Checklist

Before committing, verify:
  • No hardcoded passwords, API keys, or tokens
  • No .env files with actual values
  • Gitignore includes all secret file patterns
  • Environment variables validated at startup
  • Secrets loaded from Secrets Manager/SSM in infrastructure
  • No secrets in console.log or error messages
  • Frontend only uses public API keys or user-specific tokens

When in Doubt

Stop and ask if:
  • You're about to commit a file with "key", "secret", "password", or "token" in the content
  • You're hardcoding any credential or sensitive value
  • You're unsure if a value should be in git or environment variables
Default to secure: If uncertain whether something is sensitive, treat it as a secret.
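As an added example (not part of the checklist), the "stop and ask" triggers written as a pure function that a pre-commit hook could run over the staged files: it flags environment files that the checklist's gitignore patterns exclude, lines that assign a quoted literal to a name containing key, secret, password or token, and the AWS access key id shape the checklist's own sample uses. `scanStaged`, `isEnvSecretFile` and the sample files are constructed here; feeding it the output of `git diff --cached` is left to the hook.

```typescript
// Added example, not from the checklist: a pure scan a pre-commit hook could run over
// the staged files. Unquoted dotenv values (KEY=value) are not matched by the literal
// regex; the file-name rule catches those files as a whole instead.
interface Finding { file: string; line: number; reason: string; }

// Mirrors the checklist's gitignore rules: .env and .env.* are secrets, templates are allowed.
const TEMPLATE_FILES = ['.env_TEMPLATE', '.env.example'];

function isEnvSecretFile(path: string): boolean {
  const name = path.split('/').pop() ?? path;
  return /^\.env(\..+)?$/.test(name) && TEMPLATE_FILES.indexOf(name) === -1;
}

// A quoted literal of 8+ chars assigned to a name containing one of the checklist's
// keywords, e.g. apiKey = 'sk-...'; process.env.X or cookies.get(...) do not match.
const ASSIGNED_LITERAL =
  /\b[\w.-]*(key|secret|password|token)[\w.-]*['"]?\s*[:=]\s*['"`]([^'"`]{8,})['"`]/i;
// AWS access key id shape (the checklist's sample AKIAIOSFODNN7EXAMPLE matches it)
const AWS_ACCESS_KEY_ID = /\bAKIA[0-9A-Z]{16}\b/;

function scanStaged(files: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const file of Object.keys(files)) {
    if (isEnvSecretFile(file)) {
      findings.push({ file, line: 0, reason: 'environment file with actual values' });
      continue; // the whole file is the problem; its lines need no further scan
    }
    files[file].split('\n').forEach((text, i) => {
      if (AWS_ACCESS_KEY_ID.test(text)) {
        findings.push({ file, line: i + 1, reason: 'AWS access key id' });
      } else if (ASSIGNED_LITERAL.test(text)) {
        findings.push({ file, line: i + 1, reason: 'hardcoded credential literal' });
      }
    });
  }
  return findings;
}
```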

Related:
  • Core Principles - Security Baseline
  • SSM Parameter Store Configuration

Progressive Improvement

If the developer corrects a behavior that this skill should have prevented, suggest a specific amendment to this skill to prevent the same correction in the future.