Agent Skills
› NeverSight/learn-skills.dev
› security-hardening
security-hardening
GitHub提供安全加固与编码实践指南,涵盖OWASP Top 10漏洞防护、输入验证、输出编码及安全配置。用于解决SQL注入、XSS等安全问题,确保应用符合安全最佳实践。
Trigger Scenarios
用户要求加固安全或进行安全编码
提及OWASP漏洞、输入验证、防SQL注入或XSS保护
咨询CORS安全、安全头设置或漏洞扫描
Install
npx skills add NeverSight/learn-skills.dev --skill security-hardening -g -y
SKILL.md
Frontmatter
{
"name": "security-hardening",
"description": "Security hardening and secure coding practices. Use when user asks to \"harden security\", \"secure coding\", \"OWASP vulnerabilities\", \"input validation\", \"sanitization\", \"SQL injection prevention\", \"XSS protection\", \"CORS security\", \"secure headers\", \"vulnerability scanning\", or mentions security best practices and threat mitigation."
}
Security Hardening & Secure Coding
Comprehensive security hardening and secure coding practices to prevent common vulnerabilities.
OWASP Top 10 (2021)
1. Broken Access Control
- Implement proper authorization
- Use role-based access control (RBAC)
- Verify permissions on every request
2. Cryptographic Failures
- Use strong encryption (AES-256)
- Protect sensitive data in transit (TLS)
- Never hardcode secrets
3. Injection
- Use parameterized queries for SQL
- Validate and sanitize all inputs
- Use ORM frameworks
4. Insecure Design
- Threat modeling during design
- Secure by default principles
- Regular security reviews
5. Security Misconfiguration
- Keep dependencies updated
- Remove default credentials
- Disable unnecessary features
6. Vulnerable Components
- Regular dependency audits
- Use vulnerability scanning tools
- Keep frameworks and libraries updated
7. Authentication & Session Failures
- Strong password policies
- Multi-factor authentication
- Secure session management
8. Software & Data Integrity Failures
- Verify package integrity
- Use signed commits
- Implement secure CI/CD
9. Logging & Monitoring Failures
- Log security events
- Monitor for suspicious activity
- Regular security audits
10. SSRF
- Validate URLs and redirects
- Restrict outbound requests
- Network-level controls
Secure Coding Practices
Input Validation
// Bad
const id = req.query.id;
const user = db.query(`SELECT * FROM users WHERE id = ${id}`);
// Good
const id = parseInt(req.query.id, 10);
if (!Number.isInteger(id) || id < 1) {
throw new Error('Invalid ID');
}
const user = db.query('SELECT * FROM users WHERE id = ?', [id]);
Output Encoding
// Bad
const html = `<div>${userName}</div>`;
// Good (escapes HTML)
const escapeHtml = (str) => str
.replace(/&/g, '&')
.replace(/</g, '<')
.replace(/>/g, '>')
.replace(/"/g, '"');
const html = `<div>${escapeHtml(userName)}</div>`;
Secure Headers
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Security Checklist
- All inputs validated and sanitized
- Parameterized queries used (no SQL injection)
- Sensitive data encrypted (TLS, at-rest)
- Strong authentication (MFA, strong passwords)
- CORS properly configured
- CSRF tokens used
- Security headers set
- Dependencies audited regularly
- Error messages don't leak info
- Logging captures security events
- Secrets not in code/logs
- Regular security testing
Tools & Utilities
npm audit/pip check- Dependency scanning- OWASP ZAP / Burp Suite - Penetration testing
- Snyk - Vulnerability scanning
- SonarQube - Code quality and security
- TruffleHog - Secret scanning
References
- OWASP Top 10
- OWASP Cheat Sheets
- CWE/SANS Top 25
- NIST Cybersecurity Framework
- Google Styleguide Code Review Security
Version History
- e0220ca Current 2026-07-05 20:44


