
Security And Hardening
Apply security-first constraints while building auth, input handling, integrations, and data storage so agents do not ship obvious vulnerabilities.
Overview
security-and-hardening is a journey-wide agent skill that hardens web features against common vulnerabilities—usable whenever a solo builder accepts untrusted data, sessions, or third-party calls before committing.
Install
npx skills add https://github.com/addyosmani/agent-skills --skill security-and-hardening
What is this skill?
- Three-tier boundary system with non-negotiable Always Do practices at every external input surface
- Mandatory parameterized queries, output encoding, HTTPS, and modern password hashing (bcrypt/scrypt/argon2)
- Session hardening: httpOnly, secure, sameSite cookies plus CSP, HSTS, X-Frame-Options, X-Content-Type-Options
- Trigger coverage: authZ, file uploads, webhooks, payments, and PII handling
- Dependency hygiene via npm audit (or equivalent) as a standing gate
- Always Do list with 8+ non-negotiable practices in the overview
Adoption & trust: 4.2k installs on skills.sh; 49.1k GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+200% hot-view momentum).
What problem does it solve?
You are shipping user-facing features fast with an agent and need a repeatable guardrail so input, auth, and integrations do not introduce XSS, injection, or session leaks.
Who is it for?
Indie SaaS and API builders using Claude Code or Cursor who want secure defaults while implementing forms, login, webhooks, or payments.
Skip if: Purely internal scripts with no external input, or teams that already run a formal SSDLC with dedicated AppSec sign-off and do not need agent checklists.
When should I use this skill?
Use when handling user input, authentication, data storage, or external integrations; when building any feature that accepts untrusted data, manages user sessions, or interacts with third-party services.
What do I get? / Deliverables
Each change set follows boundary validation, safe storage and transport defaults, and header/cookie policies so the feature is closer to production-safe before review or deploy.
- Security-aligned implementation notes per feature (validation, headers, cookies)
- Checklist pass over auth, storage, and integration boundaries
- Documented dependency audit action items before ship
Journey fit
Useful at every journey phase - explore requirements and options before committing to a direction.
Where it fits
- Parameterize new Prisma/raw queries and add boundary validation on a signup API route.
- Verify webhook signature handling and least-privilege secrets before enabling a billing provider callback.
- Set CSP and HSTS plus cookie flags before exposing admin sessions to production traffic.
- Re-run npm audit and patch transitive deps after a reported auth bypass in a dependency.
- Reject storing PII in localStorage during a quick MVP that later must pass basic AppSec review.
How it compares
Skill checklist for secure implementation—not an MCP scanner and not a substitute for org-wide compliance frameworks.
Common Questions / FAQ
Who is security-and-hardening for?
Solo and indie web builders who use coding agents and need concrete secure defaults at API routes, forms, sessions, and integrations.
When should I use security-and-hardening?
Use it in Build while coding features, in Ship before release review, and in Operate when adding webhooks or handling incidents involving auth or data exposure.
Is security-and-hardening safe to install?
The skill is documentation-only guidance; review the Security Audits panel on this Prism page and your repo’s supply chain before installing third-party agent skills.
SKILL.md
# Security and Hardening

## Overview

Security-first development practices for web applications. Treat every external input as hostile, every secret as sacred, and every authorization check as mandatory. Security isn't a phase — it's a constraint on every line of code that touches user data, authentication, or external systems.

## When to Use

- Building anything that accepts user input
- Implementing authentication or authorization
- Storing or transmitting sensitive data
- Integrating with external APIs or services
- Adding file uploads, webhooks, or callbacks
- Handling payment or PII data

## The Three-Tier Boundary System

### Always Do (No Exceptions)

- **Validate all external input** at the system boundary (API routes, form handlers)
- **Parameterize all database queries** — never concatenate user input into SQL
- **Encode output** to prevent XSS (use framework auto-escaping, don't bypass it)
- **Use HTTPS** for all external communication
- **Hash passwords** with bcrypt/scrypt/argon2 (never store plaintext)
- **Set security headers** (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- **Use httpOnly, secure, sameSite cookies** for sessions
- **Run `npm audit`** (or equivalent) before every release

### Ask First (Requires Human Approval)

- Adding new authentication flows or changing auth logic
- Storing new categories of sensitive data (PII, payment info)
- Adding new external service integrations
- Changing CORS configuration
- Adding file upload handlers
- Modifying rate limiting or throttling
- Granting elevated permissions or roles

### Never Do

- **Never commit secrets** to version control (API keys, passwords, tokens)
- **Never log sensitive data** (passwords, tokens, full credit card numbers)
- **Never trust client-side validation** as a security boundary
- **Never disable security headers** for convenience
- **Never use `eval()` or `innerHTML`** with user-provided data
- **Never store sessions in client-accessible storage** (localStorage for auth tokens)
- **Never expose stack traces** or internal error details to users

## OWASP Top 10 Prevention

### 1. Injection (SQL, NoSQL, OS Command)

```typescript
// BAD: SQL injection via string concatenation
const query = `SELECT * FROM users WHERE id = '${userId}'`;

// GOOD: Parameterized query
const user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);

// GOOD: ORM with parameterized input
const user = await prisma.user.findUnique({ where: { id: userId } });
```

### 2. Broken Authentication

```typescript
// Password hashing
import { hash, compare } from 'bcrypt';

const SALT_ROUNDS = 12;
const hashedPassword = await hash(plaintext, SALT_ROUNDS);
const isValid = await compare(plaintext, hashedPassword);

// Session management
app.use(session({
  secret: process.env.SESSION_SECRET,  // From environment, not code
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,     // Not accessible via JavaScript
    secure: true,       // HTTPS only
    sameSite: 'lax',    // CSRF protection
    maxAge: 24 * 60 * 60 * 1000,  // 24 hours
  },
}));
```

### 3. Cross-Site Scripting (XSS)

```typescript
// BAD: Rendering user input as HTML
element.innerHTML = userInput;

// GOOD: Use framework auto-escaping (React does this by default)
return <div>{userInput}</div>;

// If you MUST render HTML, sanitize first
import DOMPurify from 'dompurify';
const clean = DOMPurify.sanitize(userInput);
```

### 4. Broken Access Control

```typescript
// Always check authorization, not just authentication
app.patch('/api/tasks/:id', authenticate, async (req, res) => {
  const task = await taskService.findById(req.params.id);

  // Check that the authenticate
```
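
The security-header and session-cookie rules from the Always Do list can be checked mechanically against a response before release. The following is an added example, not part of the skill's SKILL.md; `auditResponse`, `HeaderMap` and both sample responses are hypothetical names and constructed data.

```typescript
// Added example: audit one response against the header and cookie rules (hypothetical names).
type HeaderMap = { [name: string]: string | string[] };

const REQUIRED_HEADERS: string[] = [
  "content-security-policy", "strict-transport-security",
  "x-frame-options", "x-content-type-options",
];

function auditResponse(headers: HeaderMap, sessionCookie: string): string[] {
  const findings: string[] = [];
  // HTTP header names are case-insensitive, so normalise before lookup.
  const lower: HeaderMap = {};
  for (const key of Object.keys(headers)) lower[key.toLowerCase()] = headers[key];
  for (const required of REQUIRED_HEADERS) {
    if (!(required in lower)) findings.push("missing header: " + required);
  }
  const nosniff = lower["x-content-type-options"];
  if (typeof nosniff === "string" && nosniff.trim().toLowerCase() !== "nosniff") {
    findings.push("x-content-type-options is not nosniff");
  }

  // Set-Cookie may repeat; each value is "name=value; Attr; Attr=val".
  const raw = lower["set-cookie"];
  const cookies: string[] = raw === undefined ? [] : Array.isArray(raw) ? raw : [raw];
  for (const cookie of cookies) {
    const parts = cookie.split(";").map((p) => p.trim());
    const cookieName = parts[0].split("=")[0];
    if (cookieName !== sessionCookie) continue; // only the session cookie is in scope
    const attrs = parts.slice(1).map((a) => a.toLowerCase());
    if (attrs.indexOf("httponly") < 0) findings.push(cookieName + ": missing HttpOnly");
    if (attrs.indexOf("secure") < 0) findings.push(cookieName + ": missing Secure");
    const sameSite = attrs.filter((a) => a.indexOf("samesite=") === 0)[0];
    if (sameSite === undefined) findings.push(cookieName + ": missing SameSite");
    else if (sameSite === "samesite=none") findings.push(cookieName + ": SameSite=None");
  }
  return findings;
}

// Constructed sample responses: one with gaps, one that satisfies every rule.
const weakResponse: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'",
  "X-Content-Type-Options": "nosniff",
  "Set-Cookie": ["sid=abc123; Path=/; HttpOnly", "theme=dark; Path=/"],
};
const hardenedResponse: HeaderMap = {
  "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
  "Strict-Transport-Security": "max-age=31536000", "X-Content-Type-Options": "nosniff",
  "Set-Cookie": "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
};
```

Calling `auditResponse(weakResponse, "sid")` returns one finding per gap, so an empty array is the pass condition for a release gate.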