
security-and-hardening

Hardens code against vulnerabilities. Use when handling user input, authentication, data storage, or external integrations. OWASP-aware, language-agnostic principles with TypeScript examples — applies to any feature that accepts untrusted data, manages user sessions, or interacts with third-party services.
fabioc-aloha/Alex_ACT_Edition · ★ 0 · AI & Automation · score 75
Install: claude install-skill fabioc-aloha/Alex_ACT_Edition
# Security and Hardening

## Overview

Security-first development practices for web applications. Treat every external input as hostile, every secret as sacred, and every authorization check as mandatory. Security isn't a phase — it's a constraint on every line of code that touches user data, authentication, or external systems.

Examples below use TypeScript/Node.js syntax for concreteness, but the principles (parameterized queries, hashed passwords, schema validation at boundaries, secrets out of source, OWASP Top 10) apply to any language.

## When to Use

- Building anything that accepts user input
- Implementing authentication or authorization
- Storing or transmitting sensitive data
- Integrating with external APIs or services
- Adding file uploads, webhooks, or callbacks
- Handling payment or PII data

## The Three-Tier Boundary System

### Always Do (No Exceptions)

- **Validate all external input** at the system boundary (API routes, form handlers)
- **Parameterize all database queries** — never concatenate user input into SQL
- **Encode output** to prevent XSS (use framework auto-escaping, don't bypass it)
- **Use HTTPS** for all external communication
- **Hash passwords** with bcrypt/scrypt/argon2 (never store plaintext)
- **Set security headers** (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
- **Use httpOnly, secure, sameSite cookies** for sessions
- **Run dependency audits** (`npm audit`, `pip-audit`, `cargo audit`, etc.) before every release

### Ask Firs
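The following is an added example, not code from the skill itself, showing three of the "Always Do" rules together in TypeScript/Node.js: validation at the boundary, password hashing with a slow KDF (scrypt from Node's `node:crypto`, since the skill lists bcrypt/scrypt/argon2), and a parameterized statement where user input only ever travels as bound values. The `parseRegistration`, `hashPassword`, `verifyPassword` and `insertUserStatement` names, the username rule and the `$1`/`$2` placeholder style are assumptions for this illustration.

```typescript
import { scryptSync, randomBytes, timingSafeEqual } from "node:crypto";

interface Registration { username: string; password: string }

// 1. Validate at the boundary: narrow `unknown` request JSON to a typed value,
//    or reject it. Anything that is not a plain 3-32 char [a-z0-9_] username or
//    a 12-128 char password never reaches the rest of the code.
function parseRegistration(body: unknown): Registration | null {
  if (typeof body !== "object" || body === null) return null;
  const { username, password } = body as Record<string, unknown>;
  if (typeof username !== "string" || !/^[a-z0-9_]{3,32}$/.test(username)) return null;
  if (typeof password !== "string" || password.length < 12 || password.length > 128) return null;
  return { username, password };
}

// 2. Hash passwords with scrypt and a per-user random salt; the stored string
//    carries scheme, salt and hash so verification needs no other state.
const KEY_LEN = 64;
function hashPassword(password: string): string {
  const salt = randomBytes(16).toString("hex");
  const hash = scryptSync(password, salt, KEY_LEN).toString("hex");
  return `scrypt$${salt}$${hash}`;
}

function verifyPassword(password: string, stored: string): boolean {
  const [scheme, salt, hash] = stored.split("$");
  if (scheme !== "scrypt" || !salt || !hash) return false;
  const candidate = scryptSync(password, salt, KEY_LEN);
  const expected = Buffer.from(hash, "hex");
  // Constant-time comparison so a mismatch position does not leak via timing.
  return candidate.length === expected.length && timingSafeEqual(candidate, expected);
}

// 3. Parameterize: the SQL text is a constant, user data lives in `values`.
interface Statement { text: string; values: string[] }
function insertUserStatement(reg: Registration): Statement {
  return {
    text: "INSERT INTO users (username, password_hash) VALUES ($1, $2)",
    values: [reg.username, hashPassword(reg.password)],
  };
}

// Constructed sample request bodies: one well-formed, one injection-shaped.
const sampleBody = { username: "alice_01", password: "correct horse battery" };
const hostileBody = { username: "' OR 1=1 --", password: "correct horse battery" };
```

Pass the returned `Statement` to a driver that binds `values` separately (e.g. `client.query(stmt.text, stmt.values)`); never interpolate them back into `text`.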