owasp-top-10-implementation
Install: `claude install-skill NDDev-it-com/rldyour-claudecode`
# OWASP Top 10 Implementation Guidance
## Purpose
Keep implementation work security-aware without turning every task into a blocking audit. Use OWASP Top 10 2025 as the awareness baseline, ASVS 5.0.0 as the deeper verification reference, and OWASP secure coding checklist principles for practical coding decisions.
User-facing conversation stays in Russian unless requested otherwise. Repository documentation, code comments, and commit messages stay in English.
## When To Use
Use this skill without waiting for explicit invocation when implementation touches:
- Authentication, authorization, sessions, permissions, tenant boundaries, user/admin boundaries, or protected resources.
- API input/output handling, validation, serialization, deserialization, file upload/download, shell/database/template sinks, or external integrations.
- Secrets, credentials, tokens, crypto, sensitive data, logging, error handling, security headers, CORS, CSP, rate limits, or configuration.
- Dependencies, lockfiles, install scripts, CI/CD, container images, generated code, or supply-chain-sensitive changes.
- Any task where the user asks for secure coding, OWASP alignment, security comments, or hardening while implementing.
For explicit security review, audit, vulnerability check, or `/ry-sec-review`, use the `ry-sec-review` skill instead or in addition.
## Behavior
This skill is advisory and non-blocking. During implementation, surface concise security comments and apply high-confidence fixes