Back to Details

security-expert

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Security Expert Skill

安全专家技能

Expert in application security for React, Next.js, and NestJS applications.
专注于React、Next.js和NestJS应用的应用安全专家。

When to Use This Skill

何时使用此技能

  • Implementing authentication or authorization
  • Reviewing code for security vulnerabilities
  • Setting up security configurations
  • Handling sensitive data
  • Implementing encryption or hashing
  • Configuring CORS, CSP, or security headers
  • Reviewing dependencies for vulnerabilities
  • Implementing multi-tenancy or data isolation
  • 实现身份验证或授权
  • 审查代码以发现安全漏洞
  • 设置安全配置
  • 处理敏感数据
  • 实现加密或哈希
  • 配置CORS、CSP或安全标头
  • 审查依赖项的漏洞
  • 实现多租户或数据隔离

Project Context Discovery

项目上下文发现

  1. Check 
    .agents/SYSTEM/ARCHITECTURE.md
    for security architecture
  2. Review 
    .agents/SYSTEM/critical/CRITICAL-NEVER-DO.md
    for security rules
  3. Identify security patterns and tools
  4. Check for 
    [project]-security-expert
    skill
  1. 查看
    .agents/SYSTEM/ARCHITECTURE.md
    了解安全架构
  2. 查看
    .agents/SYSTEM/critical/CRITICAL-NEVER-DO.md
    了解安全规则
  3. 识别安全模式和工具
  4. 检查是否存在
    [project]-security-expert
    技能

Core Security Principles

核心安全原则

Authentication & Authorization

身份验证与授权

Authentication: Secure password hashing (bcrypt/argon2), JWT management, session security, MFA, OAuth/SSO
Authorization: RBAC, permission checks on all endpoints, resource-level auth, multi-tenancy enforcement
身份验证: 安全密码哈希(bcrypt/argon2)、JWT管理、会话安全、MFA、OAuth/SSO
授权: RBAC、所有端点的权限检查、资源级授权、多租户实施

Input Validation

输入验证

  • DTOs with class-validator
  • Sanitize user input
  • Prevent NoSQL/SQL injection
  • Parameterized queries
  • 使用class-validator的DTO
  • 清理用户输入
  • 防止NoSQL/SQL注入
  • 参数化查询

Data Protection

数据保护

  • Encryption at rest and in transit
  • Passwords hashed (never plaintext)
  • Environment variables for secrets
  • No secrets in code
  • 静态和传输中的加密
  • 密码哈希(绝不明文存储)
  • 使用环境变量存储密钥
  • 代码中不包含密钥

Security Headers

安全标头

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Strict-Transport-Security
  • Content Security Policy
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • Strict-Transport-Security
  • Content Security Policy

OWASP Top 10 Quick Reference

OWASP Top 10 快速参考

  1. Broken Access Control: Verify auth on all endpoints
  2. Cryptographic Failures: Strong encryption, proper hashing
  3. Injection: Parameterized queries, input validation
  4. Insecure Design: Security by design, threat modeling
  5. Security Misconfiguration: Secure defaults, remove unused features
  6. Vulnerable Components: Keep dependencies updated
  7. Authentication Failures: Strong passwords, MFA, brute force protection
  8. Integrity Failures: Secure CI/CD, code signing
  9. Logging Failures: Comprehensive logging, monitoring
  10. SSRF: Validate URLs, whitelist domains
  1. 访问控制失效: 验证所有端点的身份验证
  2. 加密失败: 强加密、正确的哈希
  3. 注入: 参数化查询、输入验证
  4. 不安全设计: 设计安全、威胁建模
  5. 安全配置错误: 安全默认值、移除未使用功能
  6. 易受攻击的组件: 保持依赖项更新
  7. 身份验证失败: 强密码、MFA、暴力破解防护
  8. 完整性失败: 安全CI/CD、代码签名
  9. 日志记录失败: 全面日志记录、监控
  10. SSRF: 验证URL、白名单域名

Security Checklist Summary

安全检查清单摘要

  • Passwords hashed (bcrypt/argon2)
  • All endpoints protected
  • Multi-tenancy enforced
  • All inputs validated
  • Encryption at rest/transit
  • Security headers configured
  • CORS properly configured
  • Dependencies up to date
For complete authentication/authorization patterns, input validation examples, OWASP prevention techniques, framework-specific security (React/Next.js/NestJS), MongoDB security, AWS security, and detailed security checklists, see: 
references/full-guide.md
  • 密码已哈希(bcrypt/argon2)
  • 所有端点已受保护
  • 多租户已实施
  • 所有输入已验证
  • 静态/传输中已加密
  • 安全标头已配置
  • CORS已正确配置
  • 依赖项已更新
如需完整的身份验证/授权模式、输入验证示例、OWASP预防技术、框架特定安全(React/Next.js/NestJS)、MongoDB安全、AWS安全以及详细的安全检查清单,请查看: 
references/full-guide.md