Skill Gallery
Back to list
DanielPodolsky

security-fundamentals

by DanielPodolsky

AI-mentored development for junior engineers. Claude becomes your mentor, not your coder — guiding with questions, reviewing via 6 Gates, but YOU write every line. Less dependency, more ownership.

1🍴 0📅 Jan 25, 2026
ai-mentorshipclaude-codeeducationjunior-developerslearning
View on GitHubRun in Manus

SKILL.md

name: security-fundamentals description: | TRIGGERS: "is this secure?", "security review", "check for vulnerabilities", "auth check", "building auth", "implementing login", "storing passwords", "API keys", "user input", "adding authentication", "user credentials", "session handling", "token storage", authentication, authorization, input validation, SQL injection, XSS, OWASP, passwords, tokens, JWT. USE WHEN: Junior is BUILDING auth flows, handling user input, storing sensitive data, or working with APIs. PROVIDES: OWASP Top 10 checks, input validation patterns, auth best practices, security anti-patterns. PROACTIVE: Triggers when junior mentions building security-related features, not just reviewing.

Security Fundamentals Review

"Security is not a feature. It's a foundation. Build on sand, and the house falls."

When to Apply

Activate this skill when reviewing:

  • Authentication/login flows
  • Authorization checks
  • User input handling
  • Database queries
  • File uploads
  • API endpoints
  • Data exposure in responses

Review Checklist

Input Validation (NEVER Trust the Client)

  • All inputs validated: Is every user input checked before use?
  • Server-side validation: Is validation done on the server, not just client?
  • Type checking: Are expected types enforced?
  • Length limits: Are string lengths bounded?
  • Whitelist over blacklist: Are allowed values explicitly defined?

Authentication

  • Password hashing: Are passwords hashed (bcrypt, argon2), not encrypted?
  • No plaintext secrets: Are secrets in env vars, not code?
  • Token expiry: Do JWTs/sessions have reasonable expiration?
  • Secure transmission: Is HTTPS enforced?

Authorization

  • Ownership checks: Can users only access THEIR data?
  • Role verification: Are admin routes protected by role checks?
  • No client-side auth: Is authorization enforced server-side?

Data Exposure

  • Minimal response: Does the API return only necessary fields?
  • No sensitive data in URLs: Are tokens/IDs not in query strings?
  • No sensitive data in logs: Are passwords/tokens excluded from logs?

OWASP Top 10 Quick Check

1. Injection (SQL, NoSQL, Command)

❌ db.query(`SELECT * FROM users WHERE id = ${userId}`);

✅ db.query('SELECT * FROM users WHERE id = ?', [userId]);

2. Broken Authentication

❌ if (req.headers.admin === 'true') { /* allow admin */ }

✅ const user = await verifyToken(req.headers.authorization);
   if (user.role !== 'admin') throw new ForbiddenError();

3. Sensitive Data Exposure

❌ res.json({ user: { ...user, password, ssn } });

✅ res.json({ user: { id: user.id, name: user.name } });

4. Broken Access Control

❌ app.get('/users/:id', async (req, res) => {
     const user = await User.findById(req.params.id);
     res.json(user);
   });

✅ app.get('/users/:id', async (req, res) => {
     const user = await User.findById(req.params.id);
     if (user.id !== req.user.id && req.user.role !== 'admin') {
       throw new ForbiddenError();
     }
     res.json(user);
   });

5. Security Misconfiguration

❌ CORS: origin: '*'
❌ Detailed error messages in production
❌ Debug mode enabled in production

✅ CORS: origin: process.env.ALLOWED_ORIGINS
✅ Generic error messages to clients
✅ Debug mode disabled in production

6. Cross-Site Scripting (XSS)

❌ element.innerHTML = userInput;

✅ element.textContent = userInput;
✅ DOMPurify.sanitize(userInput);

Socratic Questions

Ask the junior these questions instead of giving answers:

  1. Trust: "What stops a malicious user from sending anything they want here?"
  2. Ownership: "How do you know this user owns this resource?"
  3. Exposure: "What's the worst thing that could happen if this endpoint is exposed?"
  4. Secrets: "If I git clone this repo, what secrets would I see?"
  5. Injection: "What if someone sends '; DROP TABLE users; -- as input?"

Red Flags to Call Out

FlagRiskQuestion
String concatenation in queriesSQL Injection"Can this input contain SQL?"
eval() or new Function()Code Injection"Why is dynamic code execution needed?"
innerHTML with user dataXSS"What if the user includes <script>?"
Passwords in logsData Leak"Who can see these logs?"
No rate limiting on authBrute Force"What stops someone from trying every password?"
CORS: *Security Bypass"Should any website be able to call this API?"
JWT with no expiryToken Theft"What happens if this token is stolen?"
IDs in URLsIDOR"Can user A access user B's data by changing the ID?"

Security Checklist Before Deploy

  1. All secrets in environment variables
  2. HTTPS enforced
  3. Input validation on all endpoints
  4. SQL/NoSQL injection prevented (parameterized queries)
  5. XSS prevented (output encoding)
  6. CSRF protection enabled
  7. Rate limiting on auth endpoints
  8. Sensitive data excluded from responses
  9. Authorization checks on every protected route
  10. Security headers set (helmet.js or equivalent)

Never Do This

ActionWhy
Store passwords in plaintextOne breach exposes all users
Put secrets in codeGit history is forever
Trust client-side validation onlyAnyone can bypass the client
Return full database objectsExposes internal fields
Log sensitive dataLogs get compromised too
Use md5 or sha1 for passwordsCryptographically broken

Score

Total Score

75/100

Based on repository quality metrics

SKILL.md

SKILL.mdファイルが含まれている

+20
LICENSE

ライセンスが設定されている

+10
説明文

100文字以上の説明がある

+10
人気

GitHub Stars 100以上

0/15
最近の活動

1ヶ月以内に更新

+10
フォーク

10回以上フォークされている

0/5
Issue管理

オープンIssueが50未満

+5
言語

プログラミング言語が設定されている

+5
タグ

1つ以上のタグが設定されている

+5

Reviews

💬

Reviews coming soon