Security

Security is built-in, not bolted-on. Every feature, endpoint, and data flow must consider security implications.

OWASP Top 10 (2025)

#	Vulnerability	Prevention
1	Broken Access Control	Verify permissions server-side, default deny
2	Security Misconfiguration	Secure defaults, remove unused features
3	Software Supply Chain Failures	SBOM, dependency scanning, signed builds
4	Cryptographic Failures	Use TLS, hash passwords (argon2id), encrypt PII
5	Injection	Parameterized queries, input validation
6	Insecure Design	Threat modeling, security requirements
7	Authentication Failures	Strong passwords, MFA, secure session mgmt
8	Software or Data Integrity	Verify dependencies, sign releases
9	Logging and Alerting Failures	Log security events, set up alerts
10	Mishandling Exceptional Conditions	Fail securely, generic errors to clients

Security Principles

Principle	Rule
Defense in Depth	Multiple layers: firewall, auth, authz, encryption, audit
Least Privilege	Minimum permissions needed, nothing more
Zero Trust	Never trust, always verify. Assume breach.
Secure by Default	HTTPS, strict passwords, secure cookies out of the box
Fail Securely	Access denied on error, no internal details to users
Validate on Server	Client validation is UX, server validation is security

Pre-Deployment Checklist

Area	Requirements
Passwords	Hashed with argon2id (preferred) or bcrypt (12+ rounds)
Tokens	JWT with EdDSA/ES256, 15min access / 7d refresh, httpOnly cookies
Sessions	HttpOnly, Secure, SameSite=Strict cookies
Rate Limiting	Auth endpoints: 5 attempts/15min
Authorization	All routes check auth server-side, default deny
Input	Validated with schema (Zod), parameterized SQL
Uploads	Whitelist types, enforce size limits
Secrets	No secrets in code or VCS
Headers	CSP (with nonces), HSTS, Permissions-Policy, X-Content-Type-Options
CORS	Configured restrictively
Encryption	PII encrypted at rest (AES-256) and in transit (TLS 1.3)
Logging	Audit logging for security events
Dependencies	SBOM generated, `npm audit` clean, Dependabot enabled

Threat Modeling (STRIDE)

Threat	Category	Key Mitigations
Spoofing	Authentication	MFA, strong passwords, JWT with short expiry
Tampering	Integrity	Input validation, HTTPS/TLS, signed tokens
Repudiation	Accountability	Audit logging, digital signatures
Info Disclosure	Confidentiality	Encryption, least privilege, secret management
Denial of Service	Availability	Rate limiting, input validation, CDN/DDoS protection
Elevation of Privilege	Authorization	Authz checks on every request, ABAC, permission audits

Risk Levels

Level	Action
Critical	Immediate action required
High	Address before launch
Medium	Address post-launch
Low	Monitor, may accept risk

Compliance Overview

Framework	Scope	Key Requirements
GDPR	EU data subjects	Consent, data subject rights, breach notification (72h), DPIA
HIPAA	US healthcare data	PHI encryption, RBAC, audit logs, BAA with providers
SOC 2	SaaS customer data	Security policies, MFA, encryption, incident response
PCI-DSS	Credit card data	Use payment processor (Stripe), tokenization, network segmentation

Anti-Patterns

Anti-Pattern	Fix
Security as afterthought	Integrate from design phase
Client-side authorization	Always verify permissions server-side
Trusting client data (e.g., userId from body)	Get user ID from authenticated session
Rolling your own crypto	Use proven libraries (argon2, bcrypt, libsodium)
Compliance = security	Compliance is the minimum; security is ongoing
Verbose error responses	Generic messages to clients, details server-side

Common Mistakes

Mistake	Correct Pattern
Performing authorization checks only on the client side	Always verify permissions server-side; client checks are UX only
Trusting user-supplied IDs from request body (e.g., userId)	Derive user identity from the authenticated session or token
Rolling custom cryptography instead of using proven libraries	Use argon2id, bcrypt, or libsodium for all cryptographic operations
Treating compliance certification as equivalent to security	Compliance is the minimum bar; security requires ongoing review
Returning verbose error messages with stack traces to clients	Show generic messages to clients; log details server-side only

Delegation

Scan codebase for OWASP Top 10 vulnerabilities and insecure patterns: Use
```
Explore
```
agent to search for SQL injection, XSS, and hardcoded secrets
Implement authentication, authorization, and security headers end-to-end: Use
```
Task
```
agent to configure JWT, RBAC, CSP, HSTS, and rate limiting
Design a threat model and security architecture for new features: Use
```
Plan
```
agent to apply STRIDE methodology and map trust boundaries

For database-layer security (RLS policies, Postgres/Supabase hardening, audit trails), use the
database-security
skill. For AI/LLM security (prompt injection defense, agentic zero-trust, MCP tool hardening), use the
secure-ai
skill.

References

Threat Modeling — STRIDE methodology, risk assessment process, trust boundaries
Authentication and Authorization — JWT, session-based, OAuth, RBAC, ABAC, IDOR protection
API Security — OWASP API Security Top 10, object-level authorization, rate limiting, SSRF prevention, security testing
Input Validation — SQL injection, XSS, command injection, path traversal, Zod validation, file upload security
Data Protection — Password hashing (argon2id/bcrypt), AES-256-GCM encryption, secrets management
Secure Configuration — Security headers, CORS, Express hardening, rate limiting
Supply Chain Security — SBOM generation, dependency scanning, CI/CD hardening, artifact signing
Monitoring and Compliance — Audit logging, error handling, GDPR/HIPAA/SOC2/PCI-DSS, troubleshooting

application-security

NPX Install

Tags

SKILL.md Content

Security

OWASP Top 10 (2025)

Security Principles

Pre-Deployment Checklist

Threat Modeling (STRIDE)

Risk Levels

Compliance Overview

Anti-Patterns

Common Mistakes

Delegation

References