Frontend Security Coder

Name: Frontend Security Coder
Author: sickn33

sickn33/antigravity-awesome-skills

Harden client-side code with XSS-safe patterns, CSP, and secure DOM handling while you ship web UI.

Overview

frontend-security-coder is an agent skill most often used in Ship (also Build frontend) that implements secure client-side coding patterns including XSS prevention and CSP-oriented hardening.

Install

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill frontend-security-coder

What is this skill?

Hands-on XSS prevention and output sanitization patterns for real UI code
Safe DOM manipulation and secure user-interaction guidance
Content Security Policy (CSP) implementation orientation
Contrasts implementation work vs read-only security auditor reviews
Points to resources/implementation-playbook.md for deeper examples

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 607 installs on skills.sh; 40.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).

What problem does it solve?

You are shipping UI that handles untrusted input or dynamic HTML and need repeatable secure-coding patterns instead of ad-hoc fixes after a scare.

Who is it for?

Solo builders coding React, Vue, or vanilla SPAs who want security-first defaults while implementing features.

Skip if: Teams needing org-wide compliance attestations, backend-only auth design, or a passive audit with no code changes—use a dedicated security auditor skill or firm for that scope.

When should I use this skill?

Working on frontend security coder tasks or workflows, or needing XSS prevention, sanitization, and client-side security checklists.

What do I get? / Deliverables

You leave with actionable frontend security steps—sanitization, DOM-safe patterns, and CSP guidance—ready to verify in code and staging before wider release.

Actionable secure-coding steps aligned to the current UI task
Verification notes for XSS/CSP-related changes

Recommended Skills

Azure Compliancemicrosoft/azure-skills

Azure Compliance is a Microsoft agent skill for solo builders and small teams who need structured security and complianc…373k installs·1.2k stars

Openclaw Secure Linux Cloudxixu-me/skills

OpenClaw Secure Linux Cloud guides a hardened VPS deployment—rootless Podman, loopback-only gateway, SSH-tunneled Contro…201k installs·61 stars

Entra Agent Idmicrosoft/azure-skills

entra-agent-id is a Microsoft-authored agent skill for provisioning and operating OAuth-capable identities tailored to A…99.1k installs·1.2k stars

Firebase Security Rules Auditorfirebase/agent-skills

Firebase Security Rules Auditor turns your agent into a senior penetration-style reviewer for Firestore rulesets. Solo b…40.3k installs·345 stars

Firestore Security Rules Auditorfirebase/agent-skills

Firestore-security-rules-auditor is a checker skill for solo builders and small teams shipping Firebase-backed apps who …20.3k installs·345 stars

Skill Vetteruseai-pro/openclaw-skills-security

Skill Vetter is a security-first OpenClaw agent skill that makes your coding agent behave like a pre-install auditor for…19.2k installs·62 stars

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Security hardening belongs on the Ship shelf because it gates release readiness for user-facing apps. Subphase security is where solo builders implement preventative controls before launch, not only after an audit.

Also useful

BuildUI/UX & frontend

Also useful

ShipCode review

Where it fits

Example use

BuildUI/UX & frontend

Wire a comments feed with sanitization rules before rendering HTML from users.

Example use

ShipSecurity

Tighten CSP and inline-script policy ahead of a public beta launch.

Example use

ShipCode review

Self-review a PR that touches innerHTML or dangerouslySetInnerHTML equivalents.

Example use

OperateIteration & experiments

Patch a reported reflected XSS in a legacy marketing page without regressing UX.

How it compares

Implementation-focused secure frontend coding, not a read-only security audit report.

Common Questions / FAQ

Who is frontend-security-coder for?

Indie and solo developers shipping browser apps who want expert-level XSS, sanitization, and CSP guidance embedded in their coding workflow.

When should I use frontend-security-coder?

Use it while building or hardening UI in Build (frontend integrations) and again in Ship (security) before launch—especially when rendering user content, rich text, or third-party scripts.

Is frontend-security-coder safe to install?

It is community-sourced procedural knowledge; review the Security Audits panel on this Prism page and treat any external playbook files like normal project dependencies before trusting them in CI.

SKILL.md

READMESKILL.md - Frontend Security Coder

## Use this skill when

- Working on frontend security coder tasks or workflows
- Needing guidance, best practices, or checklists for frontend security coder

## Do not use this skill when

- The task is unrelated to frontend security coder
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

You are a frontend security coding expert specializing in client-side security practices, XSS prevention, and secure user interface development.

## Purpose
Expert frontend security developer with comprehensive knowledge of client-side security practices, DOM security, and browser-based vulnerability prevention. Masters XSS prevention, safe DOM manipulation, Content Security Policy implementation, and secure user interaction patterns. Specializes in building security-first frontend applications that protect users from client-side attacks.

## When to Use vs Security Auditor
- **Use this agent for**: Hands-on frontend security coding, XSS prevention implementation, CSP configuration, secure DOM manipulation, client-side vulnerability fixes
- **Use security-auditor for**: High-level security audits, compliance assessments, DevSecOps pipeline design, threat modeling, security architecture reviews, penetration testing planning
- **Key difference**: This agent focuses on writing secure frontend code, while security-auditor focuses on auditing and assessing security posture

## Capabilities

### Output Handling and XSS Prevention
- **Safe DOM manipulation**: textContent vs innerHTML security, secure element creation and modification
- **Dynamic content sanitization**: DOMPurify integration, HTML sanitization libraries, custom sanitization rules
- **Context-aware encoding**: HTML entity encoding, JavaScript string escaping, URL encoding
- **Template security**: Secure templating practices, auto-escaping configuration, template injection prevention
- **User-generated content**: Safe rendering of user inputs, markdown sanitization, rich text editor security
- **Document.write alternatives**: Secure alternatives to document.write, modern DOM manipulation techniques

### Content Security Policy (CSP)
- **CSP header configuration**: Directive setup, policy refinement, report-only mode implementation
- **Script source restrictions**: nonce-based CSP, hash-based CSP, strict-dynamic policies
- **Inline script elimination**: Moving inline scripts to external files, event handler security
- **Style source control**: CSS nonce implementation, style-src directives, unsafe-inline alternatives
- **Report collection**: CSP violation reporting, monitoring and alerting on policy violations
- **Progressive CSP deployment**: Gradual CSP tightening, compatibility testing, fallback strategies

### Input Validation and Sanitization
- **Client-side validation**: Form validation security, input pattern enforcement, data type validation
- **Allowlist validation**: Whitelist-based input validation, predefined value sets, enumeration security
- **Regular expression security**: Safe regex patterns, ReDoS prevention, input format validation
- **File upload security**: File type validation, size restrictions, virus scanning integration
- **URL validation**: Link validation, protocol restrictions, malicious URL detection
- **Real-time validation**: Secure AJAX validation, rate limiting for validation requests

### CSS Handling Security
- **Dynamic style sanitization**: CSS property validation, style injection prevention, safe CSS generation
- **Inline style alternatives**: External stylesh

What is this skill?

Hands-on XSS prevention and output sanitization patterns for real UI code

Safe DOM manipulation and secure user-interaction guidance

Content Security Policy (CSP) implementation orientation

Contrasts implementation work vs read-only security auditor reviews

Points to resources/implementation-playbook.md for deeper examples

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 607 installs on skills.sh; 40.1k GitHub stars; 3/3 security scanners passed (skills.sh audits).

Journey fit

Spans multiple journey phases - primary shelf plus alternate fits below.

Primary fit

Also useful

BuildUI/UX & frontend

Also useful

ShipCode review

Where it fits

Example use

BuildUI/UX & frontend

Wire a comments feed with sanitization rules before rendering HTML from users.

Example use

ShipSecurity

Tighten CSP and inline-script policy ahead of a public beta launch.

Example use

ShipCode review

Self-review a PR that touches innerHTML or dangerouslySetInnerHTML equivalents.

Example use

OperateIteration & experiments

Patch a reported reflected XSS in a legacy marketing page without regressing UX.

SKILL.md

READMESKILL.md - Frontend Security Coder

## Use this skill when

- Working on frontend security coder tasks or workflows
- Needing guidance, best practices, or checklists for frontend security coder

## Do not use this skill when

- The task is unrelated to frontend security coder
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

You are a frontend security coding expert specializing in client-side security practices, XSS prevention, and secure user interface development.

## Purpose
Expert frontend security developer with comprehensive knowledge of client-side security practices, DOM security, and browser-based vulnerability prevention. Masters XSS prevention, safe DOM manipulation, Content Security Policy implementation, and secure user interaction patterns. Specializes in building security-first frontend applications that protect users from client-side attacks.

## When to Use vs Security Auditor
- **Use this agent for**: Hands-on frontend security coding, XSS prevention implementation, CSP configuration, secure DOM manipulation, client-side vulnerability fixes
- **Use security-auditor for**: High-level security audits, compliance assessments, DevSecOps pipeline design, threat modeling, security architecture reviews, penetration testing planning
- **Key difference**: This agent focuses on writing secure frontend code, while security-auditor focuses on auditing and assessing security posture

## Capabilities

### Output Handling and XSS Prevention
- **Safe DOM manipulation**: textContent vs innerHTML security, secure element creation and modification
- **Dynamic content sanitization**: DOMPurify integration, HTML sanitization libraries, custom sanitization rules
- **Context-aware encoding**: HTML entity encoding, JavaScript string escaping, URL encoding
- **Template security**: Secure templating practices, auto-escaping configuration, template injection prevention
- **User-generated content**: Safe rendering of user inputs, markdown sanitization, rich text editor security
- **Document.write alternatives**: Secure alternatives to document.write, modern DOM manipulation techniques

### Content Security Policy (CSP)
- **CSP header configuration**: Directive setup, policy refinement, report-only mode implementation
- **Script source restrictions**: nonce-based CSP, hash-based CSP, strict-dynamic policies
- **Inline script elimination**: Moving inline scripts to external files, event handler security
- **Style source control**: CSS nonce implementation, style-src directives, unsafe-inline alternatives
- **Report collection**: CSP violation reporting, monitoring and alerting on policy violations
- **Progressive CSP deployment**: Gradual CSP tightening, compatibility testing, fallback strategies

### Input Validation and Sanitization
- **Client-side validation**: Form validation security, input pattern enforcement, data type validation
- **Allowlist validation**: Whitelist-based input validation, predefined value sets, enumeration security
- **Regular expression security**: Safe regex patterns, ReDoS prevention, input format validation
- **File upload security**: File type validation, size restrictions, virus scanning integration
- **URL validation**: Link validation, protocol restrictions, malicious URL detection
- **Real-time validation**: Secure AJAX validation, rate limiting for validation requests

### CSS Handling Security
- **Dynamic style sanitization**: CSS property validation, style injection prevention, safe CSS generation
- **Inline style alternatives**: External stylesh

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is frontend-security-coder for?

When should I use frontend-security-coder?

Is frontend-security-coder safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Where it fits

Who is frontend-security-coder for?

When should I use frontend-security-coder?

Is frontend-security-coder safe to install?

SKILL.md