secure-coding
Install: `claude install-skill MartinOlivero/saas-builder`
# Secure Coding
This skill keeps you from introducing vulnerabilities while you build. It is **prevention, not audit** — it runs at the moment you write an endpoint, a form handler, or a database write, and bakes in the safe default before the bug exists.
Analogy: it is the seatbelt you put on before driving, not the crash investigator who shows up afterward. Audit tooling (Semgrep, CodeQL, a Trail of Bits-style audit plugin) inspects the wreck. This skill stops the crash.
## Scope
This skill is for the solo dev or small team who has **no security tooling installed** and just wants to ship without leaving holes. If a dedicated audit plugin is present, this skill still runs first — preventing a vuln is always cheaper than finding it later.
## Trigger
Activate whenever code touches: a request handler/endpoint, user input, a database write, authentication, file uploads, secrets/env vars, CORS, or any third-party webhook. Default-deny mindset: code with no explicit security decision is the bug.
## Discovery (max 3 questions, only if unknown)
1. Is this endpoint/data public, authenticated, or admin-only?
2. Does it touch personal data (email, name, payment, location, anything identifying a person)?
3. What is the backend — serverless functions (Vercel), a Node server, or a BaaS (Supabase/InsForge)?
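The trigger rule and the three discovery questions reduce to one habit: the access decision, the input allowlist, and the parameterized write are made at the moment the handler is written. Below is an added example (not code from the skill or its author) that makes that concrete in plain Node-style JavaScript: a `defineRoute` wrapper that refuses to register a handler without an explicit access level, validates the body against an allowlist, and hands the handler only a validated input and an authenticated principal. `makeFakeDb`, `validateNoteInput`, the `notes` table and the `runDemo` driver are assumptions made up for this example; the handlers are synchronous only to keep the demo self-contained, a real one would be `async`.

```javascript
// Added example, not part of the skill: a default-deny route wrapper.
// Every route must declare public / authenticated / admin explicitly;
// a route with no decision is rejected at registration, not found in an audit.

const ACCESS_LEVELS = new Set(["public", "authenticated", "admin"]);

// Hypothetical in-memory store with a parameterized query interface,
// standing in for a real driver (pg, a Supabase client, ...).
function makeFakeDb() {
  const rows = [];
  return {
    rows,
    // Values travel separately from the statement; nothing is interpolated.
    query(sql, params) {
      if (sql !== "INSERT INTO notes (owner_id, body) VALUES ($1, $2)") {
        throw new Error("unexpected statement");
      }
      const row = { id: rows.length + 1, owner_id: params[0], body: params[1] };
      rows.push(row);
      return { rows: [row] };
    },
  };
}

// Allowlist validation: only the expected field, with a bounded size.
// Unknown fields (e.g. a client-supplied owner_id) are rejected outright.
function validateNoteInput(body) {
  if (typeof body !== "object" || body === null) return { ok: false, error: "body must be an object" };
  const keys = Object.keys(body);
  if (keys.length !== 1 || keys[0] !== "text") return { ok: false, error: "only 'text' is accepted" };
  const text = body.text;
  if (typeof text !== "string" || text.length === 0 || text.length > 2000) {
    return { ok: false, error: "text must be a non-empty string of at most 2000 chars" };
  }
  return { ok: true, value: { text } };
}

// defineRoute wraps a handler with the decisions that must be made up front.
// `access` is mandatory: an undeclared route is the bug, so registration throws.
function defineRoute({ access, validate, handler }) {
  if (!ACCESS_LEVELS.has(access)) {
    throw new Error(`route has no explicit access level (got ${JSON.stringify(access)})`);
  }
  return function route(req, ctx) {
    // 1. Authorization before any work, from the session the framework attached.
    const user = req.session && req.session.user;
    if (access !== "public" && !user) return { status: 401, body: { error: "unauthenticated" } };
    if (access === "admin" && user.role !== "admin") return { status: 403, body: { error: "forbidden" } };
    // 2. Input validation against an allowlist.
    const v = validate ? validate(req.body) : { ok: true, value: req.body };
    if (!v.ok) return { status: 400, body: { error: v.error } };
    // 3. The handler sees only validated input and the authenticated principal.
    return handler({ user, input: v.value, db: ctx.db });
  };
}

const createNote = defineRoute({
  access: "authenticated",
  validate: validateNoteInput,
  handler({ user, input, db }) {
    // Parameterized write: owner comes from the session, text never touches the SQL string.
    const { rows } = db.query("INSERT INTO notes (owner_id, body) VALUES ($1, $2)", [user.id, input.text]);
    return { status: 201, body: { id: rows[0].id } };
  },
});

// Constructed sample requests exercising each decision point.
function runDemo() {
  const db = makeFakeDb();
  const ctx = { db };
  const alice = { id: 7, role: "user" };
  const injection = "x'); DROP TABLE notes; --";
  const anonymous = createNote({ session: null, body: { text: "hi" } }, ctx).status;
  const badInput = createNote({ session: { user: alice }, body: { text: "hi", owner_id: 1 } }, ctx).status;
  const injected = createNote({ session: { user: alice }, body: { text: injection } }, ctx).status;
  let undeclared;
  try { defineRoute({ handler() {} }); undeclared = "registered"; } catch (e) { undeclared = "rejected"; }
  return { anonymous, badInput, injected, storedBody: db.rows[0].body, storedOwner: db.rows[0].owner_id, undeclared };
}
```

`runDemo()` shows the three defaults doing their job: the anonymous request gets 401 before any validation runs, the request that smuggles an `owner_id` is rejected with 400 instead of silently overwriting ownership, and the injection string is stored verbatim as data because the driver never sees it inside the statement.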
## The OWASP Top 10, as prevention rules
Apply the matching rule the instant you write the code. Each maps an OWASP 2021 category to a concrete default.
| Risk | Prevent it by |
| --- | --- |
| **A0